Wrap a security object with another security object.

  • Published on Jul 22, 2025
  • 2 minute(s) read
Prev Next
Post
/crypto/v1/wrapkey

Wrap (encrypt) an existing security object with a key. This allows keys to be securely exported from DSM so they can be later imported into DSM or another key management system. The key being wrapped must have the EXPORT operation enabled. The wrapping key must have the WRAPKEY operation enabled.

The following wrapping operations are supported:

  • Symmetric keys, HMAC keys, opaque objects, and secret objects may be wrapped with symmetric or asymmetric keys.
  • Asymmetric keys may be wrapped with symmetric keys. Wrapping an asymmetric key with an asymmetric key is not supported. When wrapping with an asymmetric key, the wrapped object size must fit as plaintext for the wrapping key size and algorithm.
Security
HTTP
Type bearer
API Key: apiKeyAuth
Header parameter nameAuthorization
Body parameters
Expand All
object
key

Uniquely identifies a persisted or transient sobject.

OneOf
SobjectDescriptorVariantKid
object (SobjectDescriptorVariantKid)
kid
string (uuid) Required
SobjectDescriptorVariantName
object (SobjectDescriptorVariantName)
name
string Required
Max length4096
Pattern^[^\n]*[^\s\n][^\n]*$
SobjectDescriptorVariantTransientKey
object (SobjectDescriptorVariantTransientKey)
transient_key
string (byte) Required
SobjectDescriptorVariantInline
object (SobjectDescriptorVariantInline)
inline
object Required
value
string (byte) Required
obj_type
string Required

Type of security object.

Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
subject

Uniquely identifies a persisted or transient sobject.

OneOf
SobjectDescriptorVariantKid
object (SobjectDescriptorVariantKid)
kid
string (uuid) Required
SobjectDescriptorVariantName
object (SobjectDescriptorVariantName)
name
string Required
Max length4096
Pattern^[^\n]*[^\s\n][^\n]*$
SobjectDescriptorVariantTransientKey
object (SobjectDescriptorVariantTransientKey)
transient_key
string (byte) Required
SobjectDescriptorVariantInline
object (SobjectDescriptorVariantInline)
inline
object Required
value
string (byte) Required
obj_type
string Required

Type of security object.

Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "EC", "KCDSA", "ECKCDSA", "BIP32", "BLS", "OPAQUE", "HMAC", "LEDABETA", "ROUND5BETA", "SECRET", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "CERTIFICATE", "PBE" ]
kid
string (uuid) | null

ID of the sobject to be wrapped. (This is a legacy field, mutually exclusive with subject).

alg
string Required

A cryptographic algorithm.

Valid values[ "AES", "ARIA", "DES", "DES3", "SEED", "RSA", "DSA", "KCDSA", "EC", "ECKCDSA", "BIP32", "BLS", "LMS", "XMSS", "MLDSA", "MLDSABETA", "MLKEM", "MLKEMBETA", "HMAC", "LEDABETA", "ROUND5BETA", "PBE" ]
mode

CipherMode or RsaEncryptionPadding, depending on the encryption algorithm.

OneOf
string
string
Valid values[ "ECB", "CBC", "CBCNOPAD", "CFB", "OFB", "CTR", "GCM", "CCM", "KW", "KWP", "FF1" ]
object
OneOf
RsaEncryptionPaddingVariantOaep
object (RsaEncryptionPaddingVariantOaep)
OAEP
object Required
mgf

Specifies the Mask Generating Function (MGF) to use.

OneOf
MgfVariantMgf1
object (MgfVariantMgf1)
mgf1
object Required
hash
string Required

A hash algorithm.

Valid values[ "BLAKE2B256", "BLAKE2B384", "BLAKE2B512", "BLAKE2S256", "RIPEMD160", "SSL3", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "STREEBOG256", "STREEBOG512", "SHA3_224", "SHA3_256", "SHA3_384", "SHA3_512" ]
RsaEncryptionPaddingVariantPkcs1V15
object (RsaEncryptionPaddingVariantPkcs1V15)
PKCS1_V15
object Required
RsaEncryptionPaddingVariantRawDecrypt
object (RsaEncryptionPaddingVariantRawDecrypt)
RAW_DECRYPT
object Required
iv
string (byte)

The initialization vector to use. This is only applicable to modes that take IVs, and will be randomly generated if not specified.

ad
string (byte)

The authenticated data to use. This is only applicable when using authenticated encryption modes (i.e., GCM or CCM).

tag_len
integer | null

The length of the authentication tag, in bits, for authenticated encryption modes (i.e., GCM or CCM). For other modes, this field is irrelevant.

key_format
string

Key Format

Valid values[ "Default", "Pkcs8" ]
Responses
2XX

Success result

object
wrapped_key
string (byte)

The wrapped key blob

iv
string (byte)

The initialization vector used during encryption. This is only applicable for certain symmetric encryption modes.

tag
string (byte)

The authenticated tag returned from authenticated encryption (i.e., using GCM or CCM mode). For other modes, this field is not applicable.