Primus Tools Commands
Usage of the Primus Tools requires a Java Runtime Environment (JRE) (see the prerequisites).
The primus-tools.jar file contains a set of different Java CLI commands
for the Primus HSM or CloudHSM, as well as other utilities.
The general call structure is as follows:
java -jar primus-tools.jar <ToolName> <HSM connection and credentials> [further tool parameters] [-help]
Commands require an established <HSM connection and credentials> parameter to be able to execute properly.
Ensure you have your <HSM connection and credentials> details, as defined in the
HSM Connection section.
Commands Overview
The tables below give an overview of current Primus Tools commands. Detailed descriptions of each commands can be found in the command details section.
Help
The global help lists all commands:
java -jar primus-tools.jar -help
Each command has its own help:
java -jar primus-tools.jar CreateKey -help
Credential Management
Used for credential management for the HSM and the connection to it.
| Command | Description |
|---|---|
| GetUserSecret | Get (optionally blinded) permanent user secret |
| GenerateBlindingKeyFile | Generate a blinding key file |
| BlindPassword | Blinding of passwords, setup passwords, user secrets |
| Login | Login test (to check credentials and connectivity) |
HSM Device Information
Used for acquiring HSM device information and logs.
| Command | Description |
|---|---|
| GetLog | Get the HSM user log |
| GetDeviceInfo | Get device name, firmware version and used provider version |
Object Management
Commands used for managing HSM objects.
| Command | Description |
|---|---|
| ListKeyStoreObject | List partition objects (type, size, flags, hash) for single aliases |
| ListKeyStoreObjects | List partition objects (type, size, flags, hash) |
| ListKeyEntry | List key information |
| ListKeyFlags | List key flags |
| CreateKey | Create key |
| DeleteKey | Delete key |
| GetKeyFlag | Get a single key flag for a key |
| SetKeyFlag | Set key flag |
| SetKeyId | Set key id |
| RenameKey | Rename a key or change a key password |
| ImportCertificate | Certificate Import |
| ImportPublicKey | Import a public key |
| ImportKeyWrapped | Import a wrapped key |
| GetPublicKey | Export a public key |
| ExportKeyWrapped | Export a wrapped key |
Partition Management
Commands used for managing HSM partitions.
| Command | Description |
|---|---|
| GetKeyStoreStatistics | Get number of objects (type, number) and show used/free size |
| ListKeyStore | List partition information (as visible to JCE API) |
| ClearKeyStore | Clear the partition (delete all objects/keys) |
Smart Key Attributes
Commands used for Smart Key Attribute key management.
| Command | Description |
|---|---|
| CreateAttestationKey | Create attestation key (for signed attestations and timestamps, needs RKS) |
| ListEkaAccess | List smart key (SKA/eka) access information |
| CreateEkaKey | Create smart (EKA/SKA) key |
| CreateIntegrityKey | Create integrity key (for SKA use) |
| GetAttestation | Get key attributes (attested/signed) |
| ModifyEka | Modify smart key (SKA/EKA) attributes |
| SetKeyFlagEka | Set key flag on SKA/EKA key |
| SignEka | Sign test with SKA/EKA |
KeytoolX & JarsignerX
Commands used for subcommands of KeytoolX and JarsignerX.
| Command | Description |
|---|---|
| KeytoolX | Adapter to keytoolX |
| JarsignerX | Adapter to jarsignerX |
Bring Your Own Key
Commands used for different BYOK procedures.
| Command | Description |
|---|---|
| AzureByokExport | Wrap-export RSA, EC, or AES key, for Azure BYOK |
| AwsKmsByokExport | Wrap-export a AES key for AWS KMS BYOK |
| SalesforceByokExport | Wrap-export a AES/HMAC key derivation for Salesforce BYOK (currently in testing) |
Elliptic Curve Integrated Encryption Scheme
Commands used for ECIES procedures.
| Command | Description |
|---|---|
| IesChunkingEncrypt | ECIES chunking file encryption |
| IesChunkingDecrypt | ECIES chunking file decryption |
| IesEncrypt | ECIES file encryption |
| IesDecrypt | ECIES file decryption |
EMV
Commands used for EMV procedures.
| Command | Description |
|---|---|
| ImportKeySplit | Import of plain key split into 3 parts (EMV) |
| ImportKeyWrappedZmk | Import of key encrypted (wrapped) |
| ExportKeyWrappedZmk | Export of key encrypted (wrapped) |
| ExportKeySplit | Export of plain key split into 3 parts (EMV) |
Signing
Commands used for signing and signature verification.
| Command | Description |
|---|---|
| Sign | Sign test |
| JarSignatureCheck | Check Primus JCE provider (primusX.jar) code signature |