
# Exports the security object as components.

> Exports the security object as components. This API can only be called
through an approval request; a direct call will not work. It
requires a key custodian policy and a quorum approval policy to be set at
the group level. First create an approval request (see
`POST /sys/v1/approval_requests`); once the required approvals have been obtained,
the key custodians can fetch the result of that approval request
(see `POST /sys/v1/approval_requests/:req_id/result`).
Each key custodian can retrieve only their own component.
The only splitting method listed in the schema below is `XOR`; with XOR
splitting, every component is needed to reconstruct the key.

Only AES, DES, DES3, and HMAC objects can be exported as components.

This is described in detail in the following article:
https://support.fortanix.com/hc/en-us/articles/360043559332-User-s-Guide-Key-Components

## OpenAPI

````json POST /crypto/v1/keys/components/export
{
  "openapi": "3.0.0",
  "info": {
    "title": "Fortanix DSM REST API",
    "description": "This is a set of REST APIs for accessing the Fortanix Data Security Manager. This includes APIs for managing accounts, and for performing cryptographic and key management operations. \n\n **Note:** \n- All binary input should be base64-encoded. These fields are marked with `format: byte`. \n- For forward compatibility, any API client is expected to ignore any fields in the response not explicitly mentioned in the documentation. We reserve the right to add new fields at any time to provide new functionality without affecting existing API clients.",
    "termsOfService": "https://www.fortanix.com/legal/terms/",
    "contact": {
      "name": "Fortanix Support",
      "url": "https://support.fortanix.com/",
      "email": "support@fortanix.com"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    },
    "version": "0.1.0-20260526"
  },
  "servers": [
    {
      "url": "https://amer.smartkey.io"
    }
  ],
  "paths": {
    "/crypto/v1/keys/components/export": {
      "post": {
        "operationId": "ExportSobjectComponents",
        "tags": [
          "Keys"
        ],
        "security": [
          {
            "bearerToken": []
          },
          {
            "apiKeyAuth": []
          }
        ],
        "summary": "Exports the security object as components.",
        "description": "Exports the security object as components. This API can only be called\nthrough an approval request and won't work if called directly. This\nrequires a key custodian policy and quorum approval policy to be set at\nthe group level. A new approval request needs to be created (see\n`POST /sys/v1/approval_requests`), then after getting the required approvals,\nthe key custodians can fetch the result of this approval request\n(See `POST /sys/v1/approval_requests/:req_id/result`).\nEach key custodian will be able to get only their component.\n\nOnly AES, DES, DES3 & HMAC objects are exportable by components.\n\nThis is described in detail in the following article:\nhttps://support.fortanix.com/hc/en-us/articles/360043559332-User-s-Guide-Key-Components",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/ExportSobjectComponentsRequest"
              }
            }
          }
        },
        "responses": {
          "2XX": {
            "description": "Success result",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ExportComponentsResponse"
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "ExportSobjectComponentsRequest": {
        "allOf": [
          {
            "type": "object",
            "description": "Request to Export a security object by components",
            "properties": {
              "key": {
                "$ref": "#/components/schemas/SobjectDescriptor"
              },
              "wrap_key_params": {
                "$ref": "#/components/schemas/WrapKeyParams"
              },
              "custodians": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/Principal"
                },
                "description": "Principals acting as key custodians (key holders); each custodian holds one component"
              },
              "method": {
                "$ref": "#/components/schemas/SplittingMethod"
              },
              "description": {
                "type": "string",
                "nullable": true,
                "description": "Description of the exported security object"
              }
            },
            "required": [
              "key",
              "custodians"
            ]
          }
        ]
      },
      "ExportComponentsResponse": {
        "allOf": [
          {
            "type": "object",
            "description": "Export security object by components response.",
            "properties": {
              "components": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/SobjectComponent"
                },
                "description": "Key components"
              },
              "iv": {
                "type": "string",
                "format": "byte",
                "description": "Initialization vector"
              },
              "tag": {
                "type": "string",
                "format": "byte",
                "description": "Tag, if required by the encryption mode."
              },
              "key_kcv": {
                "type": "string",
                "description": "Key check value (KCV) of the exported key, calculated by encryption"
              },
              "key_kcv_cmac": {
                "type": "string",
                "description": "Key check value (KCV) of the exported key, calculated by CMAC"
              },
              "description": {
                "type": "string",
                "nullable": true,
                "description": "Description of the exported key"
              }
            },
            "required": [
              "components"
            ]
          }
        ]
      },
      "SobjectDescriptor": {
        "description": "Uniquely identifies a persisted or transient sobject.",
        "oneOf": [
          {
            "title": "SobjectDescriptorVariantKid",
            "type": "object",
            "properties": {
              "kid": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "kid"
            ]
          },
          {
            "title": "SobjectDescriptorVariantName",
            "type": "object",
            "properties": {
              "name": {
                "type": "string",
                "maxLength": 4096,
                "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$"
              }
            },
            "required": [
              "name"
            ]
          },
          {
            "title": "SobjectDescriptorVariantTransientKey",
            "type": "object",
            "properties": {
              "transient_key": {
                "type": "string",
                "format": "byte"
              }
            },
            "required": [
              "transient_key"
            ]
          },
          {
            "title": "SobjectDescriptorVariantInline",
            "type": "object",
            "properties": {
              "inline": {
                "$ref": "#/components/schemas/SobjectDescriptorInline"
              }
            },
            "required": [
              "inline"
            ]
          }
        ]
      },
      "WrapKeyParams": {
        "allOf": [
          {
            "type": "object",
            "description": "Wrapping key parameters",
            "properties": {
              "key": {
                "$ref": "#/components/schemas/SobjectDescriptor"
              },
              "alg": {
                "$ref": "#/components/schemas/Algorithm"
              },
              "mode": {
                "$ref": "#/components/schemas/CryptMode"
              },
              "iv": {
                "type": "string",
                "format": "byte",
                "description": "Initialization vector is required for symmetric algorithms."
              },
              "ad": {
                "type": "string",
                "format": "byte",
                "description": "Authenticated data is only applicable if mode is GCM."
              },
              "tag_len": {
                "type": "integer",
                "nullable": true,
                "description": "Tag length is required when mode is GCM."
              }
            },
            "required": [
              "key",
              "alg"
            ]
          }
        ]
      },
      "Principal": {
        "description": "A security principal.",
        "oneOf": [
          {
            "title": "PrincipalVariantApp",
            "type": "object",
            "properties": {
              "app": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "app"
            ]
          },
          {
            "title": "PrincipalVariantUser",
            "type": "object",
            "properties": {
              "user": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "user"
            ]
          },
          {
            "title": "PrincipalVariantPlugin",
            "type": "object",
            "properties": {
              "plugin": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "plugin"
            ]
          },
          {
            "title": "PrincipalVariantUserViaApp",
            "type": "object",
            "properties": {
              "userviaapp": {
                "$ref": "#/components/schemas/PrincipalUserViaApp"
              }
            },
            "required": [
              "userviaapp"
            ]
          },
          {
            "title": "PrincipalVariantSystem",
            "type": "string",
            "enum": [
              "system"
            ]
          },
          {
            "title": "PrincipalVariantUnregisteredUser",
            "type": "string",
            "enum": [
              "unregistereduser"
            ]
          }
        ]
      },
      "SplittingMethod": {
        "description": "Method used to split the key into multiple components.",
        "type": "string",
        "enum": [
          "XOR"
        ]
      },
      "SobjectComponent": {
        "allOf": [
          {
            "type": "object",
            "description": "Component of security object, held by a custodian.",
            "properties": {
              "component": {
                "type": "string",
                "format": "byte",
                "description": "Key component"
              },
              "component_kcv": {
                "type": "string",
                "description": "Key check value (KCV) of this key component"
              },
              "custodian": {
                "$ref": "#/components/schemas/Principal"
              }
            },
            "required": [
              "component",
              "custodian"
            ]
          }
        ]
      },
      "SobjectDescriptorInline": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "value": {
                "type": "string",
                "format": "byte"
              },
              "obj_type": {
                "$ref": "#/components/schemas/ObjectType"
              }
            },
            "required": [
              "value",
              "obj_type"
            ]
          }
        ]
      },
      "Algorithm": {
        "description": "A cryptographic algorithm.",
        "type": "string",
        "enum": [
          "AES",
          "ARIA",
          "DES",
          "DES3",
          "SEED",
          "RSA",
          "DSA",
          "KCDSA",
          "EC",
          "ECKCDSA",
          "BIP32",
          "SLIP10",
          "BLS",
          "LMS",
          "XMSS",
          "MLDSA",
          "MLDSABETA",
          "MLKEM",
          "MLKEMBETA",
          "HMAC",
          "LEDABETA",
          "ROUND5BETA",
          "PBE"
        ]
      },
      "CryptMode": {
        "description": "`CipherMode` or `RsaEncryptionPadding`, depending on the encryption algorithm.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/CipherMode"
          },
          {
            "$ref": "#/components/schemas/RsaEncryptionPadding"
          }
        ]
      },
      "PrincipalUserViaApp": {
        "allOf": [
          {
            "type": "object",
            "description": "UserViaApp signifies a user authorizing some app to act on its behalf through OAuth.",
            "properties": {
              "user_id": {
                "type": "string",
                "format": "uuid"
              },
              "scopes": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "$ref": "#/components/schemas/OauthScope"
                }
              }
            },
            "required": [
              "user_id",
              "scopes"
            ]
          }
        ]
      },
      "ObjectType": {
        "description": "Type of security object.",
        "type": "string",
        "enum": [
          "AES",
          "ARIA",
          "DES",
          "DES3",
          "SEED",
          "RSA",
          "DSA",
          "EC",
          "KCDSA",
          "ECKCDSA",
          "BIP32",
          "SLIP10",
          "BLS",
          "OPAQUE",
          "HMAC",
          "LEDABETA",
          "ROUND5BETA",
          "SECRET",
          "LMS",
          "XMSS",
          "MLDSA",
          "MLDSABETA",
          "MLKEM",
          "MLKEMBETA",
          "CERTIFICATE",
          "PBE"
        ]
      },
      "CipherMode": {
        "description": "Cipher mode used for symmetric key algorithms.",
        "type": "string",
        "enum": [
          "ECB",
          "CBC",
          "CBCNOPAD",
          "CFB",
          "OFB",
          "CTR",
          "GCM",
          "CCM",
          "KW",
          "KWP",
          "FF1"
        ]
      },
      "RsaEncryptionPadding": {
        "description": "Type of padding to use for RSA encryption. The use of PKCS#1 v1.5 padding is strongly\ndiscouraged, because of its susceptibility to Bleichenbacher's attack. The padding specified\nmust adhere to the key's encryption policy. If not specified, the default based on the key's\npolicy will be used.",
        "oneOf": [
          {
            "title": "RsaEncryptionPaddingVariantOaep",
            "type": "object",
            "properties": {
              "OAEP": {
                "$ref": "#/components/schemas/RsaEncryptionPaddingOaep"
              }
            },
            "required": [
              "OAEP"
            ]
          },
          {
            "title": "RsaEncryptionPaddingVariantPkcs1V15",
            "type": "object",
            "properties": {
              "PKCS1_V15": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "PKCS1_V15"
            ]
          },
          {
            "title": "RsaEncryptionPaddingVariantRawDecrypt",
            "type": "object",
            "properties": {
              "RAW_DECRYPT": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "RAW_DECRYPT"
            ]
          }
        ]
      },
      "OauthScope": {
        "description": "OAuth scope.",
        "type": "string",
        "enum": [
          "app",
          "openid",
          "email",
          "profile"
        ]
      },
      "RsaEncryptionPaddingOaep": {
        "allOf": [
          {
            "type": "object",
            "description": "Optimal Asymmetric Encryption Padding (PKCS#1 v2.1).",
            "properties": {
              "mgf": {
                "$ref": "#/components/schemas/Mgf"
              }
            },
            "required": [
              "mgf"
            ]
          }
        ]
      },
      "Mgf": {
        "description": "Specifies the Mask Generating Function (MGF) to use.",
        "oneOf": [
          {
            "title": "MgfVariantMgf1",
            "type": "object",
            "properties": {
              "mgf1": {
                "$ref": "#/components/schemas/MgfMgf1"
              }
            },
            "required": [
              "mgf1"
            ]
          }
        ]
      },
      "MgfMgf1": {
        "allOf": [
          {
            "type": "object",
            "description": "MGF1 algorithm",
            "properties": {
              "hash": {
                "$ref": "#/components/schemas/DigestAlgorithm"
              }
            },
            "required": [
              "hash"
            ]
          }
        ]
      },
      "DigestAlgorithm": {
        "description": "A hash algorithm.",
        "type": "string",
        "enum": [
          "BLAKE2B256",
          "BLAKE2B384",
          "BLAKE2B512",
          "BLAKE2S256",
          "RIPEMD160",
          "SSL3",
          "SHA1",
          "SHA224",
          "SHA256",
          "SHA384",
          "SHA512",
          "STREEBOG256",
          "STREEBOG512",
          "SHA3_224",
          "SHA3_256",
          "SHA3_384",
          "SHA3_512"
        ]
      }
    }
  }
}
````

