hsm-clone-kwk

This command clones a key wrapping key between HSM-equipped appliances.

Availability

Requires the HSM.

Syntax

hsm-clone-kwk [input file] [output file]

Parameters

input file
Indicates the name of the local file to use as input to the cloning action. Omit this parameter during the first part of this four-part task (Step 1, on the source system). During the other three parts, this parameter is required.
output file
Indicates the name of the local file that the cloning action creates. Omit this parameter during the last part of this four-part task (Step 4, on the destination system). During the other three parts, this parameter is required.

Guidelines

The hsm-clone-kwk command is available only when the following conditions are met.
  • The appliance is equipped with an internal HSM.
  • The appliance is operating in Crypto Officer (CO) mode.
Use the show crypto-engine command to determine whether the current operating mode is user or officer. Use the hsm-set-role command to change the role to officer before you attempt to use the hsm-clone-kwk command.

Use the hsm-clone-kwk command when two HSM-equipped systems are in the same key sharing domain and both systems operate at the same FIPS security level. The command copies the key-wrapping key from the source HSM system to the destination HSM system. You must run the command four times in total, alternating between the source and destination systems and transferring the output file of each invocation to the other system before the next invocation.

  1. On the source HSM system, create an output file (for example, temporary:///source-one) that contains the key material. After you validate that the command created the file, copy it to the destination HSM system.
  2. On the destination HSM system, create an output file (for example, temporary:///destination-two) that uses the copied file (for example, temporary:///source-one) as the input file. After you validate that the command created the file, copy it to the source HSM system.
  3. On the source HSM system, create an output file (for example, temporary:///source-three) that uses the copied file (for example, temporary:///destination-two) as the input file. After you validate that the command created the file, copy it to the destination HSM system.
  4. On the destination HSM system, use the copied file (for example, temporary:///source-three) as the input file.

The key cloning operation succeeds only when the appliance is not restarted between the two hsm-clone-kwk command invocations on that appliance. For example, restarting the source appliance after Step 1 causes Step 3 to fail.
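The four passes above as a runnable model, added here as an example; this is not IBM's or the appliance's own code, and the cryptography the appliance actually uses for cloning is not described on this page. The model assumes a pre-shared per-domain secret standing in for membership in the key sharing domain, a 32-byte key-wrapping key, HMAC-SHA256 as both MAC and KDF, an XOR mask as a stand-in for the real key wrap, and a temporary:/// file store modelled as a dictionary; the names Appliance, clone_between, outcome and restart_source_after_step_1 are invented for the example. What it shows is the structure the Guidelines impose: each appliance keeps in-memory session state between its two invocations, so restarting the source after Step 1 makes Step 3 fail, and a different key sharing domain or FIPS security level is rejected at Step 2 rather than producing a mismatched key.

```python
import hashlib, hmac, json, secrets


def prf(key, label, *parts):
    """HMAC-SHA256 over a label and length-prefixed parts; toy KDF and MAC (assumption)."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def toy_wrap(key, data):
    """XOR a 32-byte key with an HMAC-derived mask; stands in for the HSM's real key wrap."""
    return bytes(a ^ b for a, b in zip(data, prf(key, b"wrap")))


class Appliance:
    """One HSM-equipped appliance: a temporary:/// store plus ephemeral clone state."""

    def __init__(self, name, domain_secret, fips_level, kwk=None):
        self.name, self.fips_level, self.kwk = name, fips_level, kwk
        self.domain_secret = domain_secret  # models membership in a key sharing domain
        self.role = "user"                  # hsm-set-role must make this "officer"
        self.files = {}                     # path -> bytes, e.g. "temporary:///source-one"
        self.session = None                 # memory only: restart() discards it

    def restart(self):
        self.session = None

    def _mac(self, key, msg):
        body = json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True)
        return prf(key, b"mac", body.encode()).hex()

    def _emit(self, path, key, **fields):
        msg = dict(fields, fips=self.fips_level)
        msg["mac"] = self._mac(key, msg)
        self.files[path] = json.dumps(msg).encode()

    def _accept(self, path, key, step):
        msg = json.loads(self.files[path])
        if msg["step"] != step:
            raise ValueError(f"{self.name}: expected a step-{step} file")
        if not hmac.compare_digest(msg["mac"], self._mac(key, msg)):
            raise ValueError(f"{self.name}: MAC failed (different key sharing domain?)")
        if msg["fips"] != self.fips_level:
            raise ValueError(f"{self.name}: FIPS security level mismatch")
        return msg

    def hsm_clone_kwk(self, input_file=None, output_file=None):
        if self.role != "officer":
            raise PermissionError(f"{self.name}: requires Crypto Officer mode")
        if input_file is None:                      # pass 1 (source): open a session
            nonce_s = secrets.token_bytes(32)
            self.session = {"nonce_s": nonce_s}
            self._emit(output_file, self.domain_secret, step=1, nonce=nonce_s.hex())
            return
        step = json.loads(self.files[input_file])["step"]
        if step == 1:                               # pass 2 (destination): derive session key
            msg = self._accept(input_file, self.domain_secret, 1)
            nonce_d = secrets.token_bytes(32)
            key = prf(self.domain_secret, b"session", bytes.fromhex(msg["nonce"]), nonce_d)
            self.session = {"key": key}
            self._emit(output_file, self.domain_secret, step=2, nonce=nonce_d.hex())
            return
        if self.session is None:                    # passes 3 and 4 need the earlier state
            raise RuntimeError(f"{self.name}: no pending clone session (restarted?)")
        if step == 2:                               # pass 3 (source): wrap the KWK
            msg = self._accept(input_file, self.domain_secret, 2)
            nonce_d = bytes.fromhex(msg["nonce"])
            key = prf(self.domain_secret, b"session", self.session["nonce_s"], nonce_d)
            self._emit(output_file, key, step=3, wrapped=toy_wrap(key, self.kwk).hex())
        elif step == 3:                             # pass 4 (destination): install the KWK
            msg = self._accept(input_file, self.session["key"], 3)
            self.kwk = toy_wrap(self.session["key"], bytes.fromhex(msg["wrapped"]))
        else:
            raise ValueError(f"{self.name}: unexpected step {step}")
        self.session = None                         # each appliance's second pass ends it


def copy_file(src, path, dst):
    dst.files[path] = src.files[path]


def clone_between(source, dest, restart_source_after_step_1=False):
    """Run the four documented passes; True if both HSMs then hold the same KWK."""
    source.role = dest.role = "officer"             # the hsm-set-role step
    source.hsm_clone_kwk(output_file="temporary:///source-one")
    copy_file(source, "temporary:///source-one", dest)
    if restart_source_after_step_1:
        source.restart()
    dest.hsm_clone_kwk("temporary:///source-one", "temporary:///destination-two")
    copy_file(dest, "temporary:///destination-two", source)
    source.hsm_clone_kwk("temporary:///destination-two", "temporary:///source-three")
    copy_file(source, "temporary:///source-three", dest)
    dest.hsm_clone_kwk("temporary:///source-three")
    return source.kwk is not None and source.kwk == dest.kwk


def outcome(fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
        return "ok"
    except Exception as exc:
        return type(exc).__name__
```

Calling clone_between(source, dest) with two Appliance objects that share a domain secret and FIPS level returns True; passing restart_source_after_step_1=True reproduces the failure described above, and outcome(...) reports which exception the model raises for a restart, a domain mismatch, a FIPS level mismatch, or a missing Crypto Officer role.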

When Step 4 completes, the source and destination HSM systems hold the same key-wrapping key. After you clone the key-wrapping key to each member of the HSM domain, the members can share keys in the following way.

  1. Creating an export crypto object
  2. Transferring the export crypto object to a target system in the HSM domain
  3. Importing the export crypto object on the target system

See the HSM documentation for information about the key cloning task from the web management interface.