This operation unwraps (decrypts) a wrapped key and imports it into Fortanix DSM. This allows security objects that were previously wrapped by Fortanix DSM or another key management system to be imported securely into Fortanix DSM. A new security object is created in Fortanix DSM from the unwrapped data.
The Alg and Mode parameters specify the encryption algorithm and cipher mode used by the unwrapping key (see the Encryption section). The ObjectType parameter specifies the object type of the security object being unwrapped. The size or elliptic curve of the object being unwrapped does not need to be specified.
Go
    newKeyName := "new AES Key"
    unwrapKeyReq := sdkms.UnwrapKeyRequest{
        Name:       &newKeyName,
        Key:        sdkms.SobjectByID("<UUID of the unwrapping key>"),
        Alg:        sdkms.AlgorithmRsa,  // Unwrapping key type
        ObjType:    sdkms.ObjectTypeAes, // Type of the key being unwrapped
        WrappedKey: []byte(<wrapped key in bytes>),
    }
    unwrapKeyResp, err := client.Unwrap(ctx, unwrapKeyReq)
Java
    // Unwrap an AES key that is wrapped with an RSA key
    UnwrapKeyRequest unwrapRequest = new UnwrapKeyRequest()
            .objType(ObjectType.AES)
            .name("new AES key")
            .wrappedKey(<wrapped key in bytes>)
            .alg(ObjectType.RSA); // Unwrapping key type
    KeyObject unwrappedKey = new WrappingAndUnwrappingApi(apiClient)
            .unwrapKey(<UUID of the unwrapping key>, unwrapRequest);
Python
    import sdkms.v1
    from sdkms.v1.models.object_type import ObjectType

    # Unwrap an AES key that is wrapped with an RSA key
    api_instance = sdkms.v1.WrappingAndUnwrappingApi(api_client=client)
    request = sdkms.v1.UnwrapKeyRequest(
        alg=ObjectType.RSA,  # Unwrapping key type
        obj_type=ObjectType.AES,
        wrapped_key=<wrapped key in bytes>,
        name="new AES KEY")
    wrapping_response = api_instance.unwrap_key(<UUID of the unwrapping key>, request)
REST API using curl
    $ curl <Endpoint URL>/crypto/v1/unwrapkey \
        -H 'Authorization: Bearer YhXwwa-6C...ig5g' \
        -d '{"key": {"kid": "Unwrapping-Key-UUID"}, "alg": "RSA", "obj_type": "AES", "wrapped_key": "YiBmal…ZyB1eXZpZyB2ZQoK", "name": "new AES Key"}'
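The exporting side of this operation, as an added example that is not part of the Fortanix documentation or SDK: it wraps raw AES key bytes under an RSA public key and builds the request body with the fields from the curl example above, base64-encoding the wrapped bytes. Assumptions: RSA-OAEP with SHA-256 as the padding (it must match the mode the unwrapping key is used with), a locally generated key pair standing in for the unwrapping key held in DSM, and the hypothetical helper names NewSampleKey and BuildUnwrapBody.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// NewSampleKey returns a constructed key pair standing in for the DSM unwrapping key.
func NewSampleKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// BuildUnwrapBody wraps aesKey under pub and returns the JSON body for /crypto/v1/unwrapkey.
func BuildUnwrapBody(pub *rsa.PublicKey, aesKey []byte, kid, name string) ([]byte, error) {
	if n := len(aesKey); n != 16 && n != 24 && n != 32 {
		return nil, fmt.Errorf("not an AES key length: %d bytes", n)
	}
	// Assumption: RSA-OAEP with SHA-256; must match the unwrapping key's Mode.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return json.Marshal(map[string]interface{}{
		"key":         map[string]string{"kid": kid},
		"alg":         "RSA",
		"obj_type":    "AES",
		"wrapped_key": base64.StdEncoding.EncodeToString(wrapped),
		"name":        name,
	})
}

func main() {
	priv, err := NewSampleKey()
	if err != nil {
		panic(err)
	}
	aesKey := make([]byte, 32) // constructed sample key material
	if _, err = rand.Read(aesKey); err != nil {
		panic(err)
	}
	body, err := BuildUnwrapBody(&priv.PublicKey, aesKey, "Unwrapping-Key-UUID", "new AES Key")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```

Only the wrapped bytes and the public half of the unwrapping key are needed outside DSM; the plaintext AES key should be erased on the exporting side once the import succeeds.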