Wrap a security object with another security object.

POST /crypto/v1/wrapkey

Wrap (encrypt) an existing security object with a key. This allows keys to be securely exported from DSM so they can be later imported into DSM or another key management system. The key being wrapped must have the EXPORT operation enabled. The wrapping key must have the WRAPKEY operation enabled.

The following wrapping operations are supported:

  • Symmetric keys, HMAC keys, opaque objects, and secret objects may be wrapped with symmetric or asymmetric keys.
  • Asymmetric keys may be wrapped with symmetric keys. Wrapping an asymmetric key with an asymmetric key is not supported. When wrapping with an asymmetric key, the wrapped object size must fit as plaintext for the wrapping key size and algorithm.
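
A pre-flight check for the rules above, as an added example that is not part of the DSM documentation or the vendor's code: it rejects unsupported key-type combinations and computes the RSA plaintext limit before building a request body from the `key`, `subject`, `alg` and `mode` fields documented on this page. The function names, the type classification, the sample UUIDs, and the use of the MGF1 hash as the OAEP digest are assumptions of the example.

```python
# Added example: client-side pre-flight check for POST /crypto/v1/wrapkey.
# The type classification below is an assumption limited to unambiguous types.
SYMMETRIC = {"AES", "ARIA", "DES", "DES3", "SEED"}
WRAPPABLE_BY_ANY = SYMMETRIC | {"HMAC", "OPAQUE", "SECRET"}
ASYMMETRIC = {"RSA", "DSA", "EC", "KCDSA", "ECKCDSA"}
HASH_LEN = {"SHA1": 20, "SHA256": 32, "SHA384": 48, "SHA512": 64}  # digest bytes


def rsa_max_plaintext(modulus_bits, mode):
    """Largest plaintext, in bytes, that one RSA encryption accepts."""
    k = (modulus_bits + 7) // 8
    if isinstance(mode, dict) and "OAEP" in mode:
        # Assumption: the MGF1 hash is also the OAEP digest.
        h_len = HASH_LEN[mode["OAEP"]["mgf"]["mgf1"]["hash"]]
        return k - 2 * h_len - 2  # RFC 8017, RSAES-OAEP
    if isinstance(mode, dict) and "PKCS1_V15" in mode:
        return k - 11  # RFC 8017, RSAES-PKCS1-v1_5
    raise ValueError("mode is not an RSA padding covered by this check")


def build_wrap_request(subject_kid, subject_type, subject_len,
                       wrapping_kid, wrapping_alg, mode, wrapping_bits=None):
    """Return the request body, or raise ValueError when the combination
    breaks the wrapping rules stated above. subject_len is in bytes."""
    if subject_type not in WRAPPABLE_BY_ANY | ASYMMETRIC:
        raise ValueError(f"{subject_type}: type not covered by this example")
    if wrapping_alg == "RSA":
        if subject_type in ASYMMETRIC:
            raise ValueError("asymmetric key cannot be wrapped with an asymmetric key")
        limit = rsa_max_plaintext(wrapping_bits, mode)
        if subject_len > limit:
            raise ValueError(f"{subject_len}-byte object exceeds the {limit}-byte limit")
    elif wrapping_alg not in SYMMETRIC:
        raise ValueError(f"{wrapping_alg}: wrapping algorithm not covered")
    return {"key": {"kid": wrapping_kid}, "subject": {"kid": subject_kid},
            "alg": wrapping_alg, "mode": mode}


if __name__ == "__main__":
    import json
    # Constructed UUIDs; a real call sends this body with the bearer token.
    oaep = {"OAEP": {"mgf": {"mgf1": {"hash": "SHA256"}}}}
    body = build_wrap_request("00000000-0000-4000-8000-000000000001", "AES", 32,
                              "00000000-0000-4000-8000-000000000002", "RSA",
                              oaep, wrapping_bits=2048)
    print(json.dumps(body, indent=2))
```

A 1024-bit RSA key with OAEP and SHA512 yields a negative limit, so no object fits; the check reports that before any request is sent.
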
Security
HTTP
Type: bearer
API Key: apiKeyAuth
Header parameter name: Authorization
Body parameters
object
key
OneOf
SobjectDescriptorVariantKid
object (SobjectDescriptorVariantKid)
kid
string (uuid) Required
SobjectDescriptorVariantName
object (SobjectDescriptorVariantName)
name
string Required
Max length: 4096
Pattern: ^[^\n]*[^\s\n][^\n]*$
SobjectDescriptorVariantTransientKey
object (SobjectDescriptorVariantTransientKey)
transient_key
string (byte) Required
SobjectDescriptorVariantInline
object (SobjectDescriptorVariantInline)
inline
object Required
value
string (byte) Required
obj_type
string Required
Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
subject
OneOf
SobjectDescriptorVariantKid
object (SobjectDescriptorVariantKid)
kid
string (uuid) Required
SobjectDescriptorVariantName
object (SobjectDescriptorVariantName)
name
string Required
Max length: 4096
Pattern: ^[^\n]*[^\s\n][^\n]*$
SobjectDescriptorVariantTransientKey
object (SobjectDescriptorVariantTransientKey)
transient_key
string (byte) Required
SobjectDescriptorVariantInline
object (SobjectDescriptorVariantInline)
inline
object Required
value
string (byte) Required
obj_type
string Required
Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
kid
string (uuid) | null
alg
string Required
Valid values: [ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "KCDSA", "EC", "ECKCDSA", "BIP32", "BLS", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "HMAC", "LEDABETA", "ROUND5BETA", "PBE" ]
mode
OneOf
string
string
Valid values: [ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
object
OneOf
RsaEncryptionPaddingVariantOaep
object (RsaEncryptionPaddingVariantOaep)
OAEP
object Required
mgf
OneOf
MgfVariantMgf1
object (MgfVariantMgf1)
mgf1
object Required
hash
string Required
Valid values: [ "BLAKE2B256", "BLAKE2B384", "BLAKE2B512", "BLAKE2S256", "RIPEMD160", "SSL3", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "STREEBOG256", "STREEBOG512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512" ]
RsaEncryptionPaddingVariantPkcs1V15
object (RsaEncryptionPaddingVariantPkcs1V15)
PKCS1_V15
object Required
RsaEncryptionPaddingVariantRawDecrypt
object (RsaEncryptionPaddingVariantRawDecrypt)
RAW_DECRYPT
object Required
iv
string (byte)
ad
string (byte)
tag_len
integer | null
key_format
string
Valid values: [ "Default", "Pkcs8" ]
Responses
2XX

Success result

object
wrapped_key
string (byte)
iv
string (byte)
tag
string (byte)