Generating and Preparing your CMK: CLI

  1. Use the following command to generate the CMK AES key:

›_ Console

> p11tool2 Slot=<slot_ID> LoginUser=<user_password> KeyAttr=CKA_LABEL=<CMK_label>,CKA_EXTRACTABLE=CK_TRUE GenerateKey=AES

The CMK key is now generated. It still needs to be wrapped using the Utimaco byoktool.

  2. Navigate to the folder where you have the byoktool saved. Execute the following command to wrap the CMK key using the public key downloaded from AWS KMS:

›_ Console

> byoktool Dev=<IP_of_UTIMACO_HSM> LogonPass=USR_0000,<user_password> Label="<CMK_label>" CSP=aws-kms PublicKey="<publickey>" WrappedKey="<wrappedkey.byok>"

Command Parameters:

  • <publickey> is the filename of the public key downloaded from AWS, i.e. either wrappingKey_<keyId> extracted from the ZIP file or the converted AWSPublicKey.der.

  • <wrappedkey.byok> is the filename of the wrapped CMK. The .byok extension is a requirement for AWS.
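
A pre-flight wrapper for the wrap step above, added here as an example and not part of the vendor's documentation or tooling: it rejects an output name without the .byok extension and a public key file that is not binary DER (for example a base64 or PEM file passed by mistake), and prompts for the password so it is not stored in shell history. The function names and the first-byte DER check are assumptions of this example; the byoktool arguments are those shown above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the byoktool wrap step (not vendor code).

# The wrapped-key file name must carry the .byok extension.
check_wrapped_name() {
    case "$1" in
        ?*.byok) return 0 ;;
        *) echo "wrapped key file must end in .byok: $1" >&2; return 1 ;;
    esac
}

# Assumption of this example: the AWS wrapping key is binary DER, so its first
# byte is the ASN.1 SEQUENCE tag 0x30. Base64 text starts with 'M' (0x4d) and
# PEM with '-' (0x2d), so both are rejected here.
check_public_key_der() {
    if [ ! -s "$1" ]; then
        echo "public key file missing or empty: $1" >&2
        return 1
    fi
    first_byte=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    if [ "$first_byte" != "30" ]; then
        echo "public key is not binary DER (first byte 0x$first_byte): $1" >&2
        return 1
    fi
}

# Usage: wrap_cmk <IP_of_UTIMACO_HSM> <CMK_label> <publickey> <wrappedkey.byok>
wrap_cmk() {
    check_wrapped_name "$4" || return 1
    check_public_key_der "$3" || return 1
    # Prompt instead of typing the password on the command line, which would
    # store it in shell history. It is still passed to byoktool as an argument.
    printf 'HSM user password: ' >&2
    stty -echo
    IFS= read -r hsm_password
    stty echo
    echo >&2
    byoktool Dev="$1" LogonPass="USR_0000,$hsm_password" Label="$2" \
        CSP=aws-kms PublicKey="$3" WrappedKey="$4"
    rc=$?
    unset hsm_password
    return $rc
}
```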