Exports the security object as components.

POST /crypto/v1/keys/components/export

Exports the security object as components. This API can only be called through an approval request; calling it directly does not work. It requires both a key custodian policy and a quorum approval policy to be set at the group level. First create a new approval request (see POST /sys/v1/approval_requests). Once the required approvals have been given, the key custodians can fetch the result of that approval request (see POST /sys/v1/approval_requests/:req_id/result). Each key custodian can retrieve only their own component.

Only AES, DES, DES3 & HMAC objects are exportable by components.

This is described in detail in the following article: https://support.fortanix.com/hc/en-us/articles/360043559332-User-s-Guide-Key-Components

Security
HTTP
Type: bearer
API Key: apiKeyAuth
Header parameter name: Authorization
Body parameters
object
key

Uniquely identifies a persisted or transient sobject.

OneOf
SobjectDescriptorVariantKid
object (SobjectDescriptorVariantKid)
kid
string (uuid) Required
SobjectDescriptorVariantName
object (SobjectDescriptorVariantName)
name
string Required
Max length: 4096
Pattern: ^[^\n]*[^\s\n][^\n]*$
SobjectDescriptorVariantTransientKey
object (SobjectDescriptorVariantTransientKey)
transient_key
string (byte) Required
SobjectDescriptorVariantInline
object (SobjectDescriptorVariantInline)
inline
object Required
value
string (byte) Required
obj_type
string Required

Type of security object.

Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
wrap_key_params
object
key

Uniquely identifies a persisted or transient sobject.

OneOf
SobjectDescriptorVariantKid
object (SobjectDescriptorVariantKid)
kid
string (uuid) Required
SobjectDescriptorVariantName
object (SobjectDescriptorVariantName)
name
string Required
Max length: 4096
Pattern: ^[^\n]*[^\s\n][^\n]*$
SobjectDescriptorVariantTransientKey
object (SobjectDescriptorVariantTransientKey)
transient_key
string (byte) Required
SobjectDescriptorVariantInline
object (SobjectDescriptorVariantInline)
inline
object Required
value
string (byte) Required
obj_type
string Required

Type of security object.

Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
alg
string Required

A cryptographic algorithm.

Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "KCDSA", "EC", "ECKCDSA", "BIP32", "BLS", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "HMAC", "LEDABETA", "ROUND5BETA", "PBE" ]
mode

CipherMode or RsaEncryptionPadding, depending on the encryption algorithm.

OneOf
string
string
Valid values: [ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
object
OneOf
RsaEncryptionPaddingVariantOaep
object (RsaEncryptionPaddingVariantOaep)
OAEP
object Required
mgf

Specifies the Mask Generating Function (MGF) to use.

OneOf
MgfVariantMgf1
object (MgfVariantMgf1)
mgf1
object Required
hash
string Required

A hash algorithm.

Valid values: [ "BLAKE2B256", "BLAKE2B384", "BLAKE2B512", "BLAKE2S256", "RIPEMD160", "SSL3", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "STREEBOG256", "STREEBOG512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512" ]
RsaEncryptionPaddingVariantPkcs1V15
object (RsaEncryptionPaddingVariantPkcs1V15)
PKCS1_V15
object Required
RsaEncryptionPaddingVariantRawDecrypt
object (RsaEncryptionPaddingVariantRawDecrypt)
RAW_DECRYPT
object Required
iv
string (byte)

Initialization vector is required for symmetric algorithms.

ad
string (byte)

Authenticated data is only applicable if mode is GCM.

tag_len
integer | null

Tag length is required when mode is GCM.

custodians
Array of object (Principal) Required

Key holder identifier

A security principal.

OneOf
PrincipalVariantApp
object (PrincipalVariantApp)
app
string (uuid) Required
PrincipalVariantUser
object (PrincipalVariantUser)
user
string (uuid) Required
PrincipalVariantPlugin
object (PrincipalVariantPlugin)
plugin
string (uuid) Required
PrincipalVariantUserViaApp
object (PrincipalVariantUserViaApp)
userviaapp
object Required
user_id
string (uuid) Required
scopes
Array of string (OauthScope) Required
string

OAuth scope.

Valid values: [ "app", "openid", "email", "profile" ]
string
string
Valid values: [ "system" ]
string
string
Valid values: [ "unregistereduser" ]
method
string

Method used to split the key into multiple components.

Valid values: [ "XOR" ]
description
string | null

Description of the exported security object

Responses
2XX

Success result

object
components
Array of object (SobjectComponent)

Key components

object
component
string (byte)

Key component

component_kcv
string

Key component KCV

custodian

A security principal.

OneOf
PrincipalVariantApp
object (PrincipalVariantApp)
app
string (uuid)
PrincipalVariantUser
object (PrincipalVariantUser)
user
string (uuid)
PrincipalVariantPlugin
object (PrincipalVariantPlugin)
plugin
string (uuid)
PrincipalVariantUserViaApp
object (PrincipalVariantUserViaApp)
userviaapp
object
user_id
string (uuid)
scopes
Array of string (OauthScope)
string

OAuth scope.

Valid values: [ "app", "openid", "email", "profile" ]
string
string
Valid values: [ "system" ]
string
string
Valid values: [ "unregistereduser" ]
iv
string (byte)

Initialization vector

tag
string (byte)

Tag, if required by the encryption mode.

key_kcv
string

KCV for the exported key calculated by encryption

key_kcv_cmac
string

KCV for the exported key calculated by CMAC

description
string | null

Description of the exported key
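
The XOR method and the per-custodian components described above, as an added local illustration (not Fortanix code and not a call to this API). It assumes the standard XOR construction, in which all but one component are random and the last is chosen so that the XOR of all components equals the key, and it base64-encodes each component as the "string (byte)" type implies. The key, the custodian UUIDs and the function names are constructed for the example; KCV computation is left out.

```python
import base64
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must all have the key's length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_xor(key: bytes, custodians: list) -> list:
    """Return one {"component", "custodian"} entry per custodian."""
    if len(custodians) < 2:
        raise ValueError("XOR splitting needs at least two custodians")
    # n-1 components are uniformly random; the last one is chosen so that
    # the XOR of all n components equals the key.
    parts = [secrets.token_bytes(len(key)) for _ in custodians[:-1]]
    parts.append(reduce(xor_bytes, parts, key))
    return [
        {"component": base64.b64encode(p).decode("ascii"), "custodian": c}
        for p, c in zip(parts, custodians)
    ]


def combine_xor(components: list) -> bytes:
    """Recombine components; only the full set yields the key."""
    raw = [base64.b64decode(c["component"]) for c in components]
    return reduce(xor_bytes, raw)


# Constructed sample data: a 128-bit test key and three placeholder custodians.
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_CUSTODIANS = [
    {"user": "00000000-0000-4000-8000-000000000001"},
    {"user": "00000000-0000-4000-8000-000000000002"},
    {"app": "00000000-0000-4000-8000-000000000003"},
]

if __name__ == "__main__":
    shares = split_xor(SAMPLE_KEY, SAMPLE_CUSTODIANS)
    print("all three :", combine_xor(shares).hex())
    print("two only  :", combine_xor(shares[:2]).hex())
```

Because every proper subset of components is uniformly random, a custodian who holds fewer than all of them learns nothing about the key, which is why each custodian is given only their own component.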