Wrap an RSA key with an AES key using sdkms-cli
sdkms-cli --api-endpoint sdkms.fortanix.com wrap-key --kid 7e86c075-8df8-4ac1-a810-67752afe3b0e --alg AES --mode CBC --wrapping-kid 34e06933-30a8-4d31-94c8-226e57a7047d --out ./wrapped_key.txt
The RSA key must be marked exportable.
The AES wrapping key must be in the same Group as the RSA key, or the wrapping key must be accessible by an App that has access to both the RSA and AES keys.
The --mode option is specific to AES, but modes for both RSA and AES are listed in the API guide here.
To find modes that work with AES, try this search.
Two files will be created: one is the wrapped key, the other contains the Initialization Vector (IV) used to wrap the key. The IV is also displayed in the output of the sdkms-cli command when it succeeds.
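Why the IV file has to be kept with the wrapped key, shown locally with OpenSSL as an added example (not Fortanix code, and not the file format sdkms-cli writes): a constructed RSA key is wrapped with AES-256-CBC, then unwrapped with the correct IV and with a wrong one. The key sizes, PKCS#7 padding, file names and helper functions are assumptions made for the illustration.

```sh
#!/bin/sh
# Local illustration with OpenSSL on constructed keys; not sdkms-cli's file format.
set -eu
WORK=$(mktemp -d)

# Constructed sample material: RSA private key (DER), 256-bit AES key, random 128-bit IV.
make_material() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -outform DER -out "$WORK/rsa.der" 2>/dev/null
  AES_HEX=$(openssl rand -hex 32)
  IV_HEX=$(openssl rand -hex 16)
}

# wrap IN OUT IV_HEX: AES-256-CBC with PKCS#7 padding (OpenSSL's default).
wrap()   { openssl enc -aes-256-cbc -K "$AES_HEX" -iv "$3" -in "$1" -out "$2"; }
# unwrap IN OUT IV_HEX: needs the same IV that was used for wrapping.
unwrap() { openssl enc -d -aes-256-cbc -K "$AES_HEX" -iv "$3" -in "$1" -out "$2"; }

# CBC carries no integrity check, so validate the result: does it parse as a private key?
is_private_key() { openssl pkey -inform DER -in "$1" -noout 2>/dev/null; }

# Return an IV that differs from $1 in its first hex digit.
other_iv() {
  case "$1" in
    0*) printf 'f%s' "${1#?}" ;;
    *)  printf '0%s' "${1#?}" ;;
  esac
}

make_material
wrap "$WORK/rsa.der" "$WORK/wrapped.bin" "$IV_HEX"

unwrap "$WORK/wrapped.bin" "$WORK/good.der" "$IV_HEX"
cmp -s "$WORK/rsa.der" "$WORK/good.der" && echo "correct IV: key recovered"

# Wrong IV: decryption still exits 0, but the first 16 bytes come out corrupted.
unwrap "$WORK/wrapped.bin" "$WORK/bad.der" "$(other_iv "$IV_HEX")"
is_private_key "$WORK/bad.der" || echo "wrong IV: output is not a valid key"
```

Because the wrong-IV unwrap reports no error, check the unwrapped key (for example by parsing it, as `is_private_key` does) before using it.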