Symmetric keys and public keys can be used to encrypt data. Only the user identified by the --hsm-admin argument or a user granted the Encrypt operation (by the HSM admin) can encrypt data with keys stored in the HSM.
For symmetric keys, only AES GCM is supported. CKM_RSA_PKCS_OAEP and the now deprecated but still widely used CKM_RSA_PKCS (v1.5) are supported for RSA keys. The hashing algorithm is fixed to SHA256.
When using RSA, the maximum message size in bytes is:

- PKCS#1 v1.5: (key size in bits / 8) - 11
- OAEP: (key size in bits / 8) - 66
To encrypt a message with the public key hsm::4::my_rsa_key_pk and the CKM RSA PKCS OAEP algorithm, the following command can be used:

```sh
❯ cosmian kms rsa encrypt --key-id hsm::4::my_rsa_key_pk --encryption-algorithm ckm-rsa-pkcs-oaep \
    /tmp/secret.txt
The encrypted file is available at /tmp/secret.enc
```
To encrypt a message using AES GCM with the symmetric key hsm::4::my_aes_key, the following command can be used:

```sh
❯ cosmian kms sym encrypt --key-id hsm::4::my_aes_key --data-encryption-algorithm aes-gcm /tmp/secret.txt
The encrypted file is available at /tmp/secret.enc
```