
# Wrap a security object with another security object.

> Wrap (encrypt) an existing security object with a key. This allows keys to be
> securely exported from DSM so that they can later be imported into DSM or
> another key management system.
> The key being wrapped must have the `EXPORT` operation enabled. The wrapping key
> must have the `WRAPKEY` operation enabled.

The following wrapping operations are supported:

* Symmetric keys, HMAC keys, opaque objects, and secret objects may be wrapped
  with symmetric or asymmetric keys.
* Asymmetric keys may be wrapped with symmetric keys. Wrapping an asymmetric
  key with an asymmetric key is not supported.

When wrapping with an asymmetric key, the object being wrapped must be small
enough to fit as plaintext for the wrapping key's size and algorithm.

## OpenAPI

````json POST /crypto/v1/wrapkey
{
  "openapi": "3.0.0",
  "info": {
    "title": "Fortanix DSM REST API",
    "description": "This is a set of REST APIs for accessing the Fortanix Data Security Manager. This includes APIs for managing accounts, and for performing cryptographic and key management operations. \n\n **Note:** \n- All binary input should be base64-encoded. These fields are marked with `format: byte`. \n- For forward compatibility, any API client is expected to ignore any fields in the response not explicitly mentioned in the documentation. We reserve the right to add new fields at any time to provide new functionality without affecting existing API clients.",
    "termsOfService": "https://www.fortanix.com/legal/terms/",
    "contact": {
      "name": "Fortanix Support",
      "url": "https://support.fortanix.com/",
      "email": "support@fortanix.com"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    },
    "version": "0.1.0-20260526"
  },
  "servers": [
    {
      "url": "https://amer.smartkey.io"
    }
  ],
  "paths": {
    "/crypto/v1/wrapkey": {
      "post": {
        "operationId": "Wrap",
        "tags": [
          "Crypto"
        ],
        "security": [
          {
            "bearerToken": []
          },
          {
            "apiKeyAuth": []
          }
        ],
        "summary": "Wrap a security object with another security object.",
        "description": "Wrap (encrypt) an existing security object with a key. This allows keys to be\nsecurely exported from DSM so that they can later be imported into DSM or\nanother key management system.\nThe key being wrapped must have the `EXPORT` operation enabled. The wrapping key\nmust have the `WRAPKEY` operation enabled.\n\nThe following wrapping operations are supported:\n* Symmetric keys, HMAC keys, opaque objects, and secret objects may be wrapped\nwith symmetric or asymmetric keys.\n* Asymmetric keys may be wrapped with symmetric keys. Wrapping an asymmetric\nkey with an asymmetric key is not supported.\n\nWhen wrapping with an asymmetric key, the object being wrapped must be small\nenough to fit as plaintext for the wrapping key's size and algorithm.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/WrapKeyRequest"
              }
            }
          }
        },
        "responses": {
          "2XX": {
            "description": "Success result",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/WrapKeyResponse"
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "WrapKeyRequest": {
        "allOf": [
          {
            "type": "object",
            "description": "Request to wrap an sobject with another sobject.",
            "properties": {
              "key": {
                "$ref": "#/components/schemas/SobjectDescriptor"
              },
              "subject": {
                "$ref": "#/components/schemas/SobjectDescriptor"
              },
              "kid": {
                "type": "string",
                "format": "uuid",
                "nullable": true,
                "description": "ID of the sobject to be wrapped. (This is a legacy field,\nmutually exclusive with `subject`)."
              },
              "alg": {
                "$ref": "#/components/schemas/Algorithm"
              },
              "mode": {
                "$ref": "#/components/schemas/CryptMode"
              },
              "iv": {
                "type": "string",
                "format": "byte",
                "description": "The initialization vector to use. This is only applicable to modes\nthat take IVs, and will be randomly generated if not specified. A caller-supplied\nIV should not be reused with the same wrapping key."
              },
              "ad": {
                "type": "string",
                "format": "byte",
                "description": "The authenticated data to use. This is only applicable when using\nauthenticated encryption modes (i.e., GCM or CCM)."
              },
              "tag_len": {
                "type": "integer",
                "nullable": true,
                "description": "The length of the authentication tag, in bits, for authenticated\nencryption modes (i.e., GCM or CCM). For other modes, this field\nis irrelevant."
              },
              "key_format": {
                "$ref": "#/components/schemas/KeyFormat"
              }
            },
            "required": [
              "alg"
            ]
          }
        ]
      },
      "WrapKeyResponse": {
        "allOf": [
          {
            "type": "object",
            "description": "Result of a key wrapping request.",
            "properties": {
              "wrapped_key": {
                "type": "string",
                "format": "byte",
                "description": "The wrapped key blob"
              },
              "iv": {
                "type": "string",
                "format": "byte",
                "description": "The initialization vector used during encryption. This is only\napplicable for certain symmetric encryption modes."
              },
              "tag": {
                "type": "string",
                "format": "byte",
                "description": "The authentication tag returned from authenticated encryption\n(i.e., using GCM or CCM mode). For other modes, this field is\nnot applicable."
              }
            },
            "required": [
              "wrapped_key"
            ]
          }
        ]
      },
      "SobjectDescriptor": {
        "description": "Uniquely identifies a persisted or transient sobject.",
        "oneOf": [
          {
            "title": "SobjectDescriptorVariantKid",
            "type": "object",
            "properties": {
              "kid": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "kid"
            ]
          },
          {
            "title": "SobjectDescriptorVariantName",
            "type": "object",
            "properties": {
              "name": {
                "type": "string",
                "maxLength": 4096,
                "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$"
              }
            },
            "required": [
              "name"
            ]
          },
          {
            "title": "SobjectDescriptorVariantTransientKey",
            "type": "object",
            "properties": {
              "transient_key": {
                "type": "string",
                "format": "byte"
              }
            },
            "required": [
              "transient_key"
            ]
          },
          {
            "title": "SobjectDescriptorVariantInline",
            "type": "object",
            "properties": {
              "inline": {
                "$ref": "#/components/schemas/SobjectDescriptorInline"
              }
            },
            "required": [
              "inline"
            ]
          }
        ]
      },
      "Algorithm": {
        "description": "A cryptographic algorithm.",
        "type": "string",
        "enum": [
          "AES",
          "ARIA",
          "DES",
          "DES3",
          "SEED",
          "RSA",
          "DSA",
          "KCDSA",
          "EC",
          "ECKCDSA",
          "BIP32",
          "SLIP10",
          "BLS",
          "LMS",
          "XMSS",
          "MLDSA",
          "MLDSABETA",
          "MLKEM",
          "MLKEMBETA",
          "HMAC",
          "LEDABETA",
          "ROUND5BETA",
          "PBE"
        ]
      },
      "CryptMode": {
        "description": "`CipherMode` or `RsaEncryptionPadding`, depending on the encryption algorithm.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/CipherMode"
          },
          {
            "$ref": "#/components/schemas/RsaEncryptionPadding"
          }
        ]
      },
      "KeyFormat": {
        "description": "Key Format",
        "type": "string",
        "enum": [
          "Default",
          "Pkcs8"
        ]
      },
      "SobjectDescriptorInline": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "value": {
                "type": "string",
                "format": "byte"
              },
              "obj_type": {
                "$ref": "#/components/schemas/ObjectType"
              }
            },
            "required": [
              "value",
              "obj_type"
            ]
          }
        ]
      },
      "CipherMode": {
        "description": "Cipher mode used for symmetric key algorithms.",
        "type": "string",
        "enum": [
          "ECB",
          "CBC",
          "CBCNOPAD",
          "CFB",
          "OFB",
          "CTR",
          "GCM",
          "CCM",
          "KW",
          "KWP",
          "FF1"
        ]
      },
      "RsaEncryptionPadding": {
        "description": "Type of padding to use for RSA encryption. The use of PKCS#1 v1.5 padding is strongly\ndiscouraged, because of its susceptibility to Bleichenbacher's attack. The padding specified\nmust adhere to the key's encryption policy. If not specified, the default based on the key's\npolicy will be used.",
        "oneOf": [
          {
            "title": "RsaEncryptionPaddingVariantOaep",
            "type": "object",
            "properties": {
              "OAEP": {
                "$ref": "#/components/schemas/RsaEncryptionPaddingOaep"
              }
            },
            "required": [
              "OAEP"
            ]
          },
          {
            "title": "RsaEncryptionPaddingVariantPkcs1V15",
            "type": "object",
            "properties": {
              "PKCS1_V15": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "PKCS1_V15"
            ]
          },
          {
            "title": "RsaEncryptionPaddingVariantRawDecrypt",
            "type": "object",
            "properties": {
              "RAW_DECRYPT": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "RAW_DECRYPT"
            ]
          }
        ]
      },
      "ObjectType": {
        "description": "Type of security object.",
        "type": "string",
        "enum": [
          "AES",
          "ARIA",
          "DES",
          "DES3",
          "SEED",
          "RSA",
          "DSA",
          "EC",
          "KCDSA",
          "ECKCDSA",
          "BIP32",
          "SLIP10",
          "BLS",
          "OPAQUE",
          "HMAC",
          "LEDABETA",
          "ROUND5BETA",
          "SECRET",
          "LMS",
          "XMSS",
          "MLDSA",
          "MLDSABETA",
          "MLKEM",
          "MLKEMBETA",
          "CERTIFICATE",
          "PBE"
        ]
      },
      "RsaEncryptionPaddingOaep": {
        "allOf": [
          {
            "type": "object",
            "description": "Optimal Asymmetric Encryption Padding (PKCS#1 v2.1).",
            "properties": {
              "mgf": {
                "$ref": "#/components/schemas/Mgf"
              }
            },
            "required": [
              "mgf"
            ]
          }
        ]
      },
      "Mgf": {
        "description": "Specifies the Mask Generating Function (MGF) to use.",
        "oneOf": [
          {
            "title": "MgfVariantMgf1",
            "type": "object",
            "properties": {
              "mgf1": {
                "$ref": "#/components/schemas/MgfMgf1"
              }
            },
            "required": [
              "mgf1"
            ]
          }
        ]
      },
      "MgfMgf1": {
        "allOf": [
          {
            "type": "object",
            "description": "MGF1 algorithm",
            "properties": {
              "hash": {
                "$ref": "#/components/schemas/DigestAlgorithm"
              }
            },
            "required": [
              "hash"
            ]
          }
        ]
      },
      "DigestAlgorithm": {
        "description": "A hash algorithm.",
        "type": "string",
        "enum": [
          "BLAKE2B256",
          "BLAKE2B384",
          "BLAKE2B512",
          "BLAKE2S256",
          "RIPEMD160",
          "SSL3",
          "SHA1",
          "SHA224",
          "SHA256",
          "SHA384",
          "SHA512",
          "STREEBOG256",
          "STREEBOG512",
          "SHA3_224",
          "SHA3_256",
          "SHA3_384",
          "SHA3_512"
        ]
      }
    }
  }
}
````

