---
title: "Unwrapping a Key"
slug: "unwrapping-a-key"
updated: 2024-12-10T18:07:28Z
published: 2024-12-10T18:07:28Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Unwrapping a Key

This operation unwraps (decrypts) a wrapped key and import into Fortanix DSM. This allows securely importing into Fortanix DSM security objects that were previously wrapped by Fortanix DSM or another key management system. A new security object will be created in Fortanix DSM with the unwrapped data.

- The `Alg` and `Mode` parameters specify the encryption algorithm and cipher mode being used by the unwrapping key (See Encryption Section).
- The `ObjectType` parameter specifies the object type of the Security-object being unwrapped. The size or elliptic curve of the object being unwrapped does not need to be specified.

- [Go](/docs/unwrapping-a-key#tabs-1)
- [Java](/docs/unwrapping-a-key#tabs-2)
- [Python](/docs/unwrapping-a-key#tabs-3)
- [REST API using curl](/docs/unwrapping-a-key#tabs-4)

### Go

```bash
newKeyName := "new AES Key"
unwrapKeyReq := sdkms.UnwrapKeyRequest {
           Name: &newKeyName,
           Alg: sdkms.AlgorithmRsa // Unwrapping key type
           ObjType: sdkms.AlgorithmAes,
           WrappedKey: new byte[](<wrapped key in bytes>),
}
unwrapKeyResp, err := client.Unwrap(ctx, unwrapKeyReq)
```

### Java

```bash
// Unwrap an AES key that is wrapped with an RSA key
UnwrapKeyRequest unwrapRequest = new UnwrapKeyRequest()
              .ObjType(ObjectType.AES)
              .name("new AES key")
              .wrappedKey(<wrapped key in bytes>)
              .alg(ObjectType.RSA); // Unwrapping key type
              
KeyObject unwrappedKey = new WrappingAndUnwrappingApi(apiClient)
       .unwrapKey(<UUID of the unwrapping key>, unwrapRequest);
```

### Python

```bash
#Unwrap an AES key that is wrapped with an RSA key
api_instance = sdkms.v1.WrappingAndUnwrappingApi(api_client=client)
request = sdkms.v1.UnwrapKeyRequest(
      alg=ObjectType.RSA, // Unwrapping Key Type
      obj_type=ObjectType.AES,
      wrapped_key=<wrapped key in bytes>
      name="new AES KEY") 
wrapping_response = api_instance
        .unwrap_key(<UUID of the unwrapping key, request)
```

### REST API using curl

```bash
$ curl <Endpoint URL>/crypto/v1/unwrapkey -H 'Authorization: Bearer YhXwwa-6C...ig5g' -d '{"key": {"kid": "Unwrapping-Key-UUID"}, "alg": "RSA", "obj_type": "AES", "wrapped_key": "YiBmal…ZyB1eXZpZyB2ZQoK", "name": "new AES Key"}'
```

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

A security object is any datum stored in DSM (for example a key, a certificate, a password, or other security objects). Each security object is assigned to exactly one group. users and applications assigned to the group have permission to see the security object and to perform operations on it.

## Related

- [Exporting a Security Object](/exporting-a-security-object.md)
- [Command-Line Interface (CLI) for Fortanix DSM (sdkms-cli)](/clients-command-line-interface-cli-for-fortanix-data-security-manager.md)