Unwrapping a Key

This operation unwraps (decrypts) a wrapped key and import into Fortanix DSM. This allows securely importing into Fortanix DSM security objects that were previously wrapped by Fortanix DSM or another key management system. A new security object will be created in Fortanix DSM with the unwrapped data. 

  • The Alg and Mode parameters specify the encryption algorithm and cipher mode being used by the unwrapping key (See Encryption Section).
  • The ObjectType parameter specifies the object type of the security object being unwrapped. The size or elliptic curve of the object being unwrapped does not need to be specified.


newKeyName := "new AES Key"
unwrapKeyReq := sdkms.UnwrapKeyRequest { Name: &newKeyName, Alg: sdkms.AlgorithmRsa // Unwrapping key type ObjType: sdkms.AlgorithmAes, WrappedKey: new byte[](<wrapped key in bytes>), } unwrapKeyResp, err := client.Unwrap(ctx, unwrapKeyReq)


// Unwrap an AES key that is wrapped with an RSA key
UnwrapKeyRequest unwrapRequest = new UnwrapKeyRequest()
              .name("new AES key")
              .wrappedKey(<wrapped key in bytes>)
              .alg(ObjectType.RSA); // Unwrapping key type
KeyObject unwrappedKey = new WrappingAndUnwrappingApi(apiClient)
       .unwrapKey(<UUID of the unwrapping key>, unwrapRequest);


#Unwrap an AES key that is wrapped with an RSA key
api_instance = sdkms.v1.WrappingAndUnwrappingApi(api_client=client)
request = sdkms.v1.UnwrapKeyRequest(
      alg=ObjectType.RSA, // Unwrapping Key Type
      wrapped_key=<wrapped key in bytes>
      name="new AES KEY") 
wrapping_response = api_instance
        .unwrap_key(<UUID of the unwrapping key, request)

REST API using curl

$ curl <Endpoint URL>/crypto/v1/unwrapkey -H 'Authorization: Bearer YhXwwa-6C...ig5g' -d '{"key": {"kid": "Unwrapping-Key-UUID"}, "alg": "RSA", "obj_type": "AES", "wrapped_key": "YiBmal…ZyB1eXZpZyB2ZQoK", "name": "new AES Key"}'



Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful