Wrap (encrypt) an existing security object with a key. This allows keys to be
securely exported from DSM so they can be later imported into DSM or
another key management system.
The key being wrapped must have the EXPORT operation enabled. The wrapping key
must have the WRAPKEY operation enabled.
The following wrapping operations are supported:
- Symmetric keys, HMAC keys, opaque objects, and secret objects may be wrapped with symmetric or asymmetric keys.
- Asymmetric keys may be wrapped with symmetric keys. Wrapping an asymmetric key with an asymmetric key is not supported. When wrapping with an asymmetric key, the wrapped object size must fit as plaintext for the wrapping key size and algorithm.
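A client-side pre-flight check for the two rules above, as an added example that is not part of the DSM API or Fortanix code. The function and kind names are hypothetical, and it assumes the asymmetric wrapping key is RSA, using the RFC 8017 plaintext limits for OAEP and PKCS#1 v1.5.

```python
import hashlib

# Object kinds named in the rules above that may be wrapped with either key type.
SYMMETRIC_LIKE = {"symmetric", "hmac", "opaque", "secret"}


def rsa_max_plaintext(modulus_bits, padding, hash_name="sha256"):
    """Largest plaintext, in bytes, that one RSA encryption can carry (RFC 8017)."""
    k = (modulus_bits + 7) // 8  # modulus length in bytes
    if padding == "oaep":
        h_len = hashlib.new(hash_name).digest_size
        return k - 2 * h_len - 2
    if padding == "pkcs1v15":
        return k - 11
    raise ValueError(f"unknown padding: {padding}")


def check_wrap(subject_kind, subject_len, wrapping_kind,
               rsa_bits=None, padding="oaep", hash_name="sha256"):
    """Return (ok, reason) for a planned wrap, before any request is sent.

    subject_len is the size in bytes of the exported object. All names here
    are hypothetical; they are not DSM request fields.
    """
    known = SYMMETRIC_LIKE | {"asymmetric"}
    if subject_kind not in known:
        return False, f"unknown subject kind: {subject_kind}"
    if wrapping_kind == "symmetric":
        return True, "ok"  # symmetric keys may wrap every listed kind
    if wrapping_kind != "asymmetric":
        return False, f"unknown wrapping key kind: {wrapping_kind}"
    if subject_kind == "asymmetric":
        return False, "wrapping an asymmetric key with an asymmetric key is not supported"
    if rsa_bits is None:
        raise ValueError("rsa_bits is required for an asymmetric wrapping key")
    limit = rsa_max_plaintext(rsa_bits, padding, hash_name)
    if subject_len > limit:
        # A non-positive limit means this key/hash pair cannot wrap anything.
        return False, f"{subject_len}-byte object exceeds the {limit}-byte limit"
    return True, "ok"


if __name__ == "__main__":
    print(check_wrap("symmetric", 32, "asymmetric", rsa_bits=2048))
    print(check_wrap("opaque", 200, "asymmetric", rsa_bits=2048))
    print(check_wrap("asymmetric", 1200, "asymmetric", rsa_bits=4096))
```
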
Uniquely identifies a persisted or transient sobject.
Type of security object.
Uniquely identifies a persisted or transient sobject.
Type of security object.
ID of the sobject to be wrapped. (This is a legacy field,
mutually exclusive with subject.)
A cryptographic algorithm.
CipherMode or RsaEncryptionPadding, depending on the encryption algorithm.
Specifies the Mask Generating Function (MGF) to use.
A hash algorithm.
The initialization vector to use. This is only applicable to modes that take IVs, and will be randomly generated if not specified.
The authenticated data to use. This is only applicable when using authenticated encryption modes (i.e., GCM or CCM).
The length of the authentication tag, in bits, for authenticated encryption modes (i.e., GCM or CCM). For other modes, this field is irrelevant.
Key Format
Success result
The wrapped key blob
The initialization vector used during encryption. This is only applicable for certain symmetric encryption modes.
The authentication tag returned from authenticated encryption (i.e., using GCM or CCM mode). For other modes, this field is not applicable.