---
title: "Wrapping Security Objects"
slug: "wrapping-security-objects"
updated: 2025-07-22T13:21:02Z
published: 2025-07-22T13:21:02Z
---

# Wrapping Security Objects

## 1.0 Overview

Fortanix Data Security Manager (DSM) can export security objects (keys) by wrapping (encrypting) them.

## 2.0 Prerequisites

Wrapping security objects requires a Fortanix DSM account, a group, and a user or application configured in that group. *For more information, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](/v1/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.* The key being used to wrap must have the WrapKey operation enabled, and the key being wrapped must have the Export operation enabled.

## 3.0 Authorization and Configuration

You must first authenticate and optionally configure a default API client as described in [*Configure API Client and Client Authentication*](/v1/docs/configure-api-client-and-client-authentication). You may authenticate as a user or as an app. Both users and applications may wrap security objects.

## 4.0 Create a WrappingAndUnwrappingApi Client Object

Wrapping keys is performed with a WrappingAndUnwrappingApi object.

```java
import com.fortanix.sdkms.v1.api.WrappingAndUnwrappingApi;

// Client object used for the wrap call in the sections below
WrappingAndUnwrappingApi wrappingApi = new WrappingAndUnwrappingApi();
```

## 5.0 Construct a WrapKeyRequest Object

The `WrapKeyRequest` object defines what key will be wrapped and how it will be wrapped. The `alg` (encryption algorithm) and `kid` (key ID) properties are required. `alg` must be the encryption algorithm of the key that will be doing the wrapping (which is specified in the call to `wrapKey()` and not in the `WrapKeyRequest` object). The `kid` property specifies what key will be wrapped (exported).

The `mode`, `iv`, `tagLen`, and `ad` properties are either ignored, optional, or required, depending on the encryption algorithm of the wrapping key and selected block cipher mode (if symmetric cryptography is used). *For more information on these parameters, refer to* [*Public Key Cryptography*](/v1/docs/public-key-cryptography) *and* [*Symmetric Cryptography*](/v1/docs/symmetric-cryptography)*.*

The [*list of supported cryptographic algorithms and key sizes*](/v1/docs/algorithm-support) is in the Fortanix DSM Developer’s Guide.

For example, to wrap using an RSA key:

```java
import com.fortanix.sdkms.v1.model.ObjectType;
import com.fortanix.sdkms.v1.model.WrapKeyRequest;

// The algorithm is that of the wrapping key (RSA); kid is the key to be exported
WrapKeyRequest wrapRequest = new WrapKeyRequest()
        .objType(ObjectType.RSA)
        .kid("<UUID of key to be wrapped>");
```

For example, to wrap using an AES key in GCM mode:

```java
import com.fortanix.sdkms.v1.model.CipherMode;
import com.fortanix.sdkms.v1.model.ObjectType;
import com.fortanix.sdkms.v1.model.WrapKeyRequest;

// AES wrapping key in GCM mode with a 128-bit authentication tag
WrapKeyRequest wrapRequest = new WrapKeyRequest()
        .objType(ObjectType.AES)
        .mode(CipherMode.GCM)
        .tagLen(128)
        .kid("<UUID of key to be wrapped>");
```

## 6.0 Make the WrapKey Call

Wrapping is performed with the `wrapKey()` method of WrappingAndUnwrappingApi. The wrapped key is returned as the `wrappedKey` property of the `WrapKeyResponse` object.

```java
import com.fortanix.sdkms.v1.model.WrapKeyResponse;

// First argument: the wrapping key; the key to be wrapped is named in wrapRequest
WrapKeyResponse wrapResponse = wrappingApi.wrapKey("<UUID of the key being used to wrap>", wrapRequest);
byte[] wrappedKey = wrapResponse.getWrappedKey();
```

Depending on the encryption algorithm and cipher mode used to wrap the key, you may also need the `iv` and `tag` properties of the `WrapKeyResponse` object in order to be able to later unwrap the key.
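The dependency on the IV and tag can be seen locally with the standard JCE. This is an added example, not Fortanix SDK code, and it makes no DSM calls: the class `GcmWrapDemo`, the helper `unwrap`, and both locally generated keys are stand-ins. Splitting the tag from the ciphertext is an assumption made here to mirror separate `wrappedKey`, `iv`, and `tag` values.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmWrapDemo {
    static final int TAG_BITS = 128; // same value as tagLen(128) in the GCM request above

    public static void main(String[] args) throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        SecretKey wrappingKey = gen.generateKey(); // local stand-in for the wrapping key
        SecretKey targetKey = gen.generateKey();   // local stand-in for the key being exported

        byte[] iv = new byte[12];                  // fresh 96-bit IV for every wrap operation
        new SecureRandom().nextBytes(iv);
        Cipher wrap = Cipher.getInstance("AES/GCM/NoPadding");
        wrap.init(Cipher.WRAP_MODE, wrappingKey, new GCMParameterSpec(TAG_BITS, iv));
        byte[] out = wrap.wrap(targetKey);

        // JCE appends the tag to the ciphertext; split it so three values are stored.
        int tagBytes = TAG_BITS / 8;
        byte[] wrappedKey = Arrays.copyOfRange(out, 0, out.length - tagBytes);
        byte[] tag = Arrays.copyOfRange(out, out.length - tagBytes, out.length);

        SecretKey recovered = unwrap(wrappingKey, wrappedKey, iv, tag);
        System.out.println("round trip ok: "
                + Arrays.equals(recovered.getEncoded(), targetKey.getEncoded()));

        byte[] wrongIv = iv.clone();               // simulate an IV that was not stored
        wrongIv[0] ^= 0x01;
        try {
            unwrap(wrappingKey, wrappedKey, wrongIv, tag);
            System.out.println("unexpected: unwrap succeeded");
        } catch (GeneralSecurityException e) {
            System.out.println("unwrap rejected: " + e.getClass().getSimpleName());
        }
    }

    // Rebuilds ciphertext||tag and unwraps; fails unless key, IV and tag all match.
    static SecretKey unwrap(SecretKey wrappingKey, byte[] wrappedKey, byte[] iv, byte[] tag)
            throws GeneralSecurityException {
        byte[] in = Arrays.copyOf(wrappedKey, wrappedKey.length + tag.length);
        System.arraycopy(tag, 0, in, wrappedKey.length, tag.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.UNWRAP_MODE, wrappingKey, new GCMParameterSpec(tag.length * 8, iv));
        return (SecretKey) c.unwrap(in, "AES", Cipher.SECRET_KEY);
    }
}
```

The IV and tag are not secret, so they can be stored next to the wrapped key, but a wrapped key stored without them cannot be unwrapped.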

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [Deleting Security Objects](/deleting-security-objects.md)
- [Fortanix DSM SDK Contents](/fortanix-data-security-manager-sdk-contents.md)
