Exporting Objects
It is possible to export objects (such as secret keys, private keys, public keys, certificates, and data) from the HSM via the API interfaces. However, this is subject to certain restrictions. This page gives an overview of these restrictions.
This page is about exporting objects, meaning objects leaving the HSM via the API interfaces. It is not about the backup/restore of Primus HSM data.
Security Configuration
The Security Configuration of the HSM has two options that control key export: Key Export and Key Extraction. These must be enabled in the device-wide Security Configuration, or (if User Configuration is enabled) in the User Security Configuration.
For details, see Section 4.6.1.2 "Crypto Policy" of the Primus HSM User Guide.
In CloudHSM, these options are enabled by default, and can be disabled upon request.
Key Attributes
To be able to export a key, the extractable=true attribute must be set on the key.
To be able to extract a key in plaintext (i.e., without wrapping), the sensitive=false attribute must be set.
Key attributes should be set correctly during key creation (generation or import).
After an object has been created, its attributes cannot be modified (unless the object was created with modifiable=true, and even then restrictions apply).
Therefore, carefully plan your key lifecycle, and set the correct attributes during key creation!
The restrictions imposed by the Key Attributes and the Security Configuration are complementary. This means that you must allow export/extraction on both levels, otherwise the request will be denied.
The fact that these are complementary allows you to use the following key management process:
Create the key with extractable=true, but disable Key Export in the Security Configuration.
Later, when you do need to export the key, you can (temporarily) enable Key Export.
This Security Configuration change requires the Security Officers (SOs), and is thus subject to 2-of-n and 4-eyes review.
Smart Key Attributes
SKA keys can never be exported.
In other words, SKA keys will always have extractable=false.
The reason for this is that SKA keys store their SKA policy in a proprietary metadata format. This metadata would be lost if the key were exported in standard formats such as PEM. Since the SKA policy is a critical security component, exporting SKA keys is never allowed. However, note that SKA keys are included in the normal HSM device backups and partition backups.
In the REST API, a normal key is created by explicitly setting "policy": null.
If the "policy" field is omitted, an SKA key is created.
This SKA key has an empty, always fulfillable policy. You can later edit this policy to tighten it.
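The rules above (both the key attributes and the Security Configuration must permit an export, SKA keys are never exportable, and a REST create request without a "policy" field yields an SKA key) are modelled below as a small decision function. This is an added illustration written for this page, not Securosys code and not the HSM's own implementation; the class and function names are hypothetical, and the mapping of the Key Extraction option to plaintext (unwrapped) extraction, as opposed to Key Export gating any export at all, is an assumption made here for the model.

```python
"""Illustrative model of the export restrictions described on this page.

Hypothetical names throughout; the real HSM enforces these rules internally.
Assumption: "Key Export" gates every export, "Key Extraction" additionally
gates plaintext (unwrapped) extraction.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SecurityConfig:
    key_export: bool
    key_extraction: bool


@dataclass
class KeyObject:
    label: str
    extractable: bool
    sensitive: bool
    ska: bool = False  # Smart Key Attributes key (carries an SKA policy)

    def __post_init__(self) -> None:
        # The page states SKA keys always have extractable=false.
        if self.ska:
            self.extractable = False


def effective_config(device: SecurityConfig,
                     user: Optional[SecurityConfig]) -> SecurityConfig:
    """The User Security Configuration applies only when User Configuration is enabled."""
    return user if user is not None else device


def export_allowed(key: KeyObject, device: SecurityConfig,
                   user: Optional[SecurityConfig],
                   plaintext: bool) -> Tuple[bool, str]:
    """Return (allowed, reason). Key attributes and Security Configuration are
    both required to permit the operation; the first failing check wins."""
    cfg = effective_config(device, user)
    if key.ska:
        return False, "SKA keys are never exportable"
    if not key.extractable:
        return False, "key attribute extractable=false"
    if not cfg.key_export:
        return False, "Key Export disabled in Security Configuration"
    if plaintext:
        if key.sensitive:
            return False, "key attribute sensitive=true forbids plaintext extraction"
        if not cfg.key_extraction:
            return False, "Key Extraction disabled in Security Configuration (assumed mapping)"
        return True, "plaintext extraction permitted"
    return True, "wrapped export permitted"


def classify_create_request(body: dict) -> str:
    """REST API rule on this page: "policy": null creates a normal key,
    an omitted "policy" field creates an SKA key (with an empty policy).
    A non-null policy is taken here to mean an SKA key with that policy."""
    if "policy" not in body or body["policy"] is not None:
        return "ska"
    return "normal"


def lifecycle_demo() -> Tuple[bool, bool]:
    """The process from the page: create with extractable=true while Key Export
    is disabled, then have the SOs enable Key Export when an export is needed."""
    key = KeyObject("app-wrapping-key", extractable=True, sensitive=True)
    locked = SecurityConfig(key_export=False, key_extraction=False)
    before, _ = export_allowed(key, locked, None, plaintext=False)
    # Security Configuration change performed by the SOs (2-of-n, 4-eyes).
    opened = SecurityConfig(key_export=True, key_extraction=False)
    after, _ = export_allowed(key, opened, None, plaintext=False)
    return before, after


if __name__ == "__main__":
    print(lifecycle_demo())                      # (False, True)
    print(classify_create_request({"policy": None}))  # normal
    print(classify_create_request({}))                # ska
```

The order of checks in export_allowed is deliberate: the SKA and extractable checks come first because they are fixed at key creation and cannot be changed later, whereas the Security Configuration can be opened temporarily by the Security Officers.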