
Bring Your Own Key

This section describes the Bring Your Own Key (BYOK) commands, which are used in the different BYOK procedures.

For more details on command usage and the procedures themselves, see the documentation linked with each command.

All commands require an established <HSM connection and credentials> parameter to execute properly. For help preparing the <HSM connection and credentials> parameter, see the HSM Connection and Access Credentials section.

Microsoft Azure Key Vault BYOK

Used for the Microsoft Azure Key Vault Bring Your Own Key (BYOK) procedure in combination with Primus HSM or CloudHSM.

Use the AzureByokExport command to create the .byok file to be imported into MS Azure Key Vault:

java -jar primus-tools.jar AzureByokExport <HSM connection and credentials> \
-kekidentifier <kek identifier name/etc, goes into the json> \
-kekfile <kek public key file, DER or PEM format> \
[-outfile <byok JSON output file>] \
[-rsakey <HSM RSA key to wrap> [-rsakeypassword <HSM RSA key password>]] \
[-eckey <HSM EC key to wrap> [-eckeypassword <HSM EC key password>]] \
[-aeskey <HSM AES key to wrap> [-aeskeypassword <HSM AES key password>]]

Consult the Azure - Bring Your Own Key page for procedure details.

Amazon Web Services KMS BYOK

Used for the AWS Key Management Service (KMS) Bring Your Own Key (BYOK) procedure in combination with Primus HSM or CloudHSM.

Use the AwsKmsByokExport command to wrap a specified AES key on the HSM with the public key (KEK) downloaded from AWS KMS, producing the encrypted key material file that AWS KMS imports.

java -jar primus-tools.jar AwsKmsByokExport <HSM connection and credentials>
-aeskey AES-KEY-NAME [-aeskeypassword <HSM AES key password>]
-kekfile <kek public key file, DER or PEM format>
[-kekdata <kek public key data, base64 of DER>]
-outfile <AWS KMS BYOK encrypted key output file>

Consult the AWS - Bring Your Own Key page for procedure details.
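Both commands above wrap an HSM-resident key to a KEK public key supplied as `-kekfile` (DER or PEM) or, for AWS, `-kekdata` (base64 of DER). Because the wrapped key can only be recovered by whoever holds the matching private key, it is worth confirming before running either command that the file really is the provider's RSA KEK of adequate size, and recording its fingerprint so it can be compared against the key as fetched directly from Azure Key Vault or AWS KMS. The following is an added example, not code from primus-tools or from Securosys: it accepts the KEK in all three forms the commands take, normalizes it to DER, parses the SubjectPublicKeyInfo with a small stdlib-only DER reader, and reports modulus size, exponent and a SHA-256 fingerprint. The sample KEK it builds is a constructed, syntactically valid structure with a dummy modulus, not a real key; the 2048-bit minimum is an assumption chosen for the example.

```python
"""Sanity-check a cloud KEK public key before wrapping an HSM key to it.

Added example (not part of primus-tools). Only the standard library is used.
"""
import base64
import hashlib
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def normalize_kek(data: bytes) -> bytes:
    """Return DER from raw DER (-kekfile), PEM (-kekfile) or base64 DER (-kekdata)."""
    # A DER SubjectPublicKeyInfo always starts with a SEQUENCE tag (0x30); its
    # base64 form starts with 'M' and PEM with '-', so the first byte is unambiguous.
    if data[:1] == b"\x30":
        return data
    text = data.strip()
    if text.startswith(b"-----BEGIN"):
        text = b"".join(l for l in text.splitlines() if not l.startswith(b"-----"))
    text = re.sub(rb"\s+", b"", text)
    try:
        der = base64.b64decode(text, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("KEK is neither PEM, DER nor base64 DER") from exc
    if der[:1] != b"\x30":
        raise ValueError("decoded payload is not a DER SEQUENCE")
    return der


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes):
    """Return (modulus_bits, public_exponent) from an RSA SubjectPublicKeyInfo."""
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)              # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("KEK is not an rsaEncryption public key")
    tag, bitstr, _ = _read_tlv(spki, pos)           # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey")
    tag, rsa_pub, _ = _read_tlv(bitstr, 1)          # RSAPublicKey SEQUENCE
    n_tag, n, pos = _read_tlv(rsa_pub, 0)
    e_tag, e, _ = _read_tlv(rsa_pub, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def kek_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, for out-of-band comparison."""
    return hashlib.sha256(der).hexdigest()


def check_kek(data: bytes, min_bits: int = 2048) -> dict:
    """Normalize, parse and size-check a KEK in any of the accepted input forms."""
    der = normalize_kek(data)
    bits, exponent = parse_rsa_spki(der)
    return {"fingerprint_sha256": kek_fingerprint(der), "modulus_bits": bits,
            "public_exponent": exponent, "acceptable": bits >= min_bits}


# --- constructed sample input (dummy modulus, not a usable RSA key) ---------
def _tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def _der_integer(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the INTEGER positive
    return _tlv(0x02, raw)


def make_sample_spki(modulus_bits: int) -> bytes:
    """Syntactically valid RSA SubjectPublicKeyInfo with a placeholder modulus."""
    modulus = (1 << (modulus_bits - 1)) | 0x10001  # constructed, not a real modulus
    rsa_pub = _tlv(0x30, _der_integer(modulus) + _der_integer(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))


def to_pem(der: bytes) -> bytes:
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN PUBLIC KEY-----\n" + b"\n".join(lines) + b"\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    der = make_sample_spki(2048)
    for label, form in (("DER", der), ("PEM", to_pem(der)), ("base64", base64.b64encode(der))):
        print(label, check_kek(form))
```

Run it against the real KEK file you intend to pass as `-kekfile` (or the string for `-kekdata`): the three input forms should yield the same fingerprint, and a key that is not RSA or is smaller than the minimum you require is reported before any HSM key is wrapped to it.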