.. hsm2-quick-start.rst .. _hsm2-quick-start-label: ===================== Getting Started ===================== The purpose of this tutorial is to demonstrate basic functionalities of different key types: Authentication Key, Asymmetric Key and Wrap Key. We start with a fresh YubiHSM 2 configuration and we proceed in generating a new Authentication Key. Then we generate an Asymmetric Key for signing purposes. We sign an arbitrary amount of data and verify that our signature is correct. Part of this documentation is to demonstrate how to backup a key on a second YubiHSM 2. We do so by wrapping the Asymmetric Key and re-importing it into the same device. This tutorial covers: * :ref:`hsm2-start-setup-label` * :ref:`hsm2-connect-yubihsm-label` * :ref:`hsm2-initial-provision-deploy-guide-label` * :ref:`hsm2-new-authentication-key-label` * :ref:`hsm2-generate-key-signing-label` * :ref:`hsm2-export-asymmetric-key-wrap-label` * :ref:`hsm2-key-split-custodians-guide-label` * :ref:`hsm2-backup-restore-label` * Backing up and Restoring YubiHSM 2 Keys * Backing up and Restoring Key Material Before proceeding with this document you should be familiar with concepts such as: ``Sessions``, ``Domains``, ``Capabilities`` described in :ref:`hsm2-core-concepts-label`. .. Note:: The following code samples have arbitrary line-breaks to prevent them from running off the page. .. _hsm2-start-setup-label: Setting Up the YubiHSM 2 Environment ===================================== 1. Get the latest binaries from SDK download `YubiHSM2/Releases `_. 2. Install all libraries. 3. Make sure your device is accessible by the connector. This is accomplished either by running the connector as a superuser or by using an appropriate `udev_rule `_. .. _hsm2-install-tools-software-label: Installing the YubiHSM 2 Tools and Software -------------------------------------------- To complete the procedures in this guide, install the YubiHSM 2 tools and software that will be needed for this. .. Tip:: A generic prompt, ``$``, is used in command line examples in this document. Depending on your command line application, your prompt may be different. The following YubiHSM items of software are used in this guide. They are included as part of the archive file you downloaded. 1. Unzip the downloaded `archives of the SDK `_ containing the YubiHSM libraries and tools and move the contents to an appropriate location. 2. Complete the step for your operating system. * On your **Windows** system, run both installers: * ``yubihsm-cngprovider-windows-amd64.msi`` (YubiHSM Key Storage Provider) * ``yubihsm-connector-windows-amd64.msi`` (YubiHSM Connector for Windows) * On a **Debian**-based system, run the following command: ``$ dpkg -i ./libykhsmauth1_*.deb ./libyubihsm-usb1_*.deb ./libyubihsm-http1_*.deb ./libyubihsm1_*.deb ./yubihsm-shell_*.deb`` * On a **Redhat**-based system, run the following command: ``$ yum install ./yubihsm-shell-*.rpm`` 3. (**Windows** system) Set the ADCS service dependency for the YubiHSM Connector service via an elevated/admin Windows Command Prompt. This prevents an error which occurs if the ADCS services start before the YubiHSM connector is running. a. List the current dependencies with ``sc qc “certsvc”`` .. code-block:: bash > sc qc “certsvc” [SC] QueryServiceConfig SUCCESS SERVICE_NAME: certsvc TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\system32\certsrv.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Active Directory Certificate Services DEPENDENCIES : SERVICE_START_NAME : localSystem b. Add the YubiHSM Connector dependency to ADCS with the command: ``sc config "certsvc" depend="yhconsrv"`` .. code-block:: bash > sc config "certsvc" depend="yhconsrv" [SC] ChangeServiceConfig SUCCESS After the command is entered, the dependency can be verified with ``sc qc “certsvc”`` .. code-block:: bash [SC] QueryServiceConfig SUCCESS SERVICE_NAME: certsvc TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Windows\system32\certsrv.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Active Directory Certificate Services DEPENDENCIES : yhconsrv SERVICE_START_NAME : localSystem To remove dependencies for ACDS, use the same command for adding dependencies with a blank depend field: ``sc config "certsvc" depend=""`` .. _hsm2-verify-tools-software-install-label: Verifying the Default Configuration of the YubiHSM 2 ----------------------------------------------------- Verify the results of the YubiHSM Setup program using the YubiHSM Shell program. Log in using the application authentication key. The YubiHSM 2 device comes with a single factory-installed authentication key whose default password is ``password``. As part of the configuration in this guide, this default authentication key will be destroyed. If the YubiHSM 2 is reset to its default configuration, any non factory-installed objects stored on it are also destroyed. Reset instructions can be found in :ref:`hsm2-reset-to-factory-label`. We reiterate that you will need two YubiHSM 2 devices to complete all steps of this guide, because you will be deploying the first device and creating a backup of all key material on the second device. These steps also verify that neither of the YubiHSM 2 devices have been tampered with. To verify that YubiHSM 2 devices still have the default configuration by following the steps below: 1. Verify the YubiHSM 2 setup, in your Command Prompt, run the following command: .. code-block:: bash $ yubihsm-shell Do one of the following: * If the application that calls the YubiHSM Connector is **running on a local host**, start the Connector with the command ``yubihsm-connector`` without additional parameters. In Windows Server 2012 SP2 or higher, ``yubihsm-connector.exe`` is located in ``C:\Program Files\YubiHSM Connector\``. * If the application is **running on a VM or a different server**, start the YubiHSM Connector on the host operating system in networking mode. For example, if the host machine's IP address is ``192.168.100.252``, launch the Connector on the host OS with the command ``yubihsm-connector -l 192.168.100.252:12345`` .. Tip:: For testing or debugging the YubiHSM Connector, the flag ``-d`` can be set. 2. To gain shell access to the YubiHSM 2, launch the YubiHSM Shell program: a. Open a Command Prompt. b. Run the command ``yubihsm-shell``. c. If a networked Connector is used, set the parameter ``--connect ``. If the YubiHSM Connector is running on a host machine to which the YubiHSM 2 is physically connected, start the YubiHSM Shell program in networked mode. .. code-block:: bash $ yubihsm-shell --connector http://192.168.100.252:12345 where -- The host server's IP address is 192.168.100.252 .. Tip:: For testing or debugging the YubiHSM Shell, the flag ``-d`` can be set. 3. To connect to the YubiHSM 2, at the ``yubihsm`` command line, type ``connect``. A message saying that you have a successful connection is displayed. 4. To open a session with the YubiHSM 2, type ``session open 1`` (where ``1`` is the ID of the default authentication key pre-installed on the device). 5. Type in the default password: ``password``. A message confirming that the session has been set up successfully is displayed. 6. You now have an administrative connection to the YubiHSM 2 and you can list the objects available by typing ``list objects 0`` and pressing **Enter**. Your results should be similar to the following: .. code-block:: bash Found 3 object(s) id: 0x0002, type: wrap-key, sequence: 0 id: 0x0003, type: authentication-key, sequence: 0 id: 0x0004, type: authentication-key, sequence: 0 As you can see by looking at their IDs, these objects correspond to the wrap key, the application authentication key and the audit key that were just created. 7. To obtain more information about any of the objects and its capabilities — for example, the application authentication key (object ID 3) — run the ``objectinfo`` command with the appropriate ID format, for example: .. code-block:: bash yubihsm> get objectinfo 0 3 authentication-key The response you receive should look similar to the following: .. code-block:: bash id: 0x0003, type: authentication-key, algorithm: aes128-yubico-authentication, label: "Application auth key", length: 40, domains: 1, sequence: 0, origin: imported, capabilities: exportable-under-wrap:generate-asymmetric-key: sign-attestation-certificate:sign-pkcs:sign-pss:sign-ecdsa, delegated_capabilities:exportable-under-wrap: generate-asymmetric-key:sign-attestation-certificate:sign-pkcs: sign-pss:sign-ecdsa 8. Review the responses to confirm that YubiHSM 2 has now been configured to: * Generate asymmetric objects * Compute signatures using RSA-PKCS1v1.5 * Compute signatures using RSA-PSS * Export other objects under wrap * Import wrapped objects * Mark an object as exportable under wrap In addition, this object (the application authentication key, object ID 3) also has delegated capabilities that can be bestowed on other objects that it creates. For more information on delegated capabilities, see :ref:`hsm2-concepts-capability-label`. 9. To exit, type ``quit``. .. _hsm2-connect-yubihsm-label: Connecting to the YubiHSM 2 =========================== .. _hsm2-start-label: Starting the Connector ----------------------- To physically reset the YubiHSM 2 insert the device while holding the touch sensor for 10 seconds. The following steps use the yubihsm-connector. Connection can also be made using the direct USB mode which is explained later in this document. 1. Start the connector. .. code-block:: bash $ yubihsm-connector -d where -- ``-d`` runs the connector in debug mode which may slow down the connector. It is not required for normal mode of operations. 2. Check the status of your connector and device by using a browser to visit http://127.0.0.1:12345/connector/status. .. _hsm2-start-connection-label: Setting Up YubiHSM 2 Connection -------------------------------- Connecting to the YubiHSM 2 device that is typically installed physically inside a system. The YubiHSM key is a USB-A device. To connect to the YubiHSM 2 and perform tasks: Preparation steps: #. Use one of the following to establish a physical connection. * Network USB server. * Virtual machines. * USB over IP appliances. #. Compile the connector. See the `README `_ doc for the YubiHSM Connector. Connection steps: #. Start yubihsm-shell. .. code-block:: bash $ yubihsm-shell #. Connect to YubiHSM 2. .. code-block:: bash $ yubihsm> connect .. _hsm2-concepts-session-label: Connecting through Sessions with Applications ----------------------------------------------- Many commands require a Session ID to be specified. To obtain a Session ID use the ``session open`` command followed by an Authentication Key ID and a derivation password. By default the YubiHSM 2 comes with a pre-installed Authentication Key with Object ID ``1`` and derivation password ``password``. A Session is not a property of a specific Object, but rather it is used to describe a logical connection between an application and a device. Sessions are end-to-end encrypted and authenticated using Session Keys. These keys are derived from long-lived, pre-shared Authentication Key Objects as part of the sessions authentication process. The Session creation and authentication protocol is based on Global Platform SCP03. On a single YubiHSM 2 it is possible to establish up to ``16`` independent and concurrent Sessions. Note that while multiple concurrent Sessions can be active at a given time, the device still serves as a rendezvous point. This means that time-consuming operations such as generating a long RSA key will block commands in other Sessions. Sessions are addressed with a number in the range ``[0-15]``. Sessions have an expiration period of 30 seconds of inactivity in order to prevent resource starvation. After 30 seconds, the device will consider a Session inactive and will move it to the pool of re-usable Sessions. Whenever a command is executed on a given Session, the inactivity timer is reset, meaning that if a Session is being constantly used, it will not expire. Some of the operations that can be performed on a YubiHSM 2 do **not** require a Session. The implication is that the command and its response will travel unencrypted to and from the device. These commands are only generic status commands, making Sessions required for any meaningful operation. The long-lived keys required to derive Sessions can be explicitly used in the relevant commands. However, there are built-in functionalities to derive those keys from a password using ``10,000`` iterations of ``PBKDF2`` with the salt ``Yubico``, making the process more human-friendly. **Every new or factory-reset YubiHSM 2 has a default Authentication Key with ID 1 and all Capabilities and all Domains set.** This is equivalent to a superuser or an administrator. The long-lived keys for this Object are derived using the process previously described with the password password. .. WARNING:: It is crucial to delete this well-known Authentication Key before deployment. Open Session ~~~~~~~~~~~~~ To open a Session with this Authentication Key use: .. code-block:: bash yubihsm> session open 1 password Created session 0 The Session ID is the number found in the line directly below a ``session open`` command. where -- ``0`` Is the Session ID. This value is used to address the newly created Session. ``1`` is the object ID of the pre-installed Authentication Key. ``password`` is the password of the pre-installed Authentication Key. Close Session ~~~~~~~~~~~~~~ To close a Session use the command ``session close`` followed by the Session ID: .. code-block:: bash yubihsm> session close 0 where -- ``0`` Is the Session ID. List Session ~~~~~~~~~~~~~ To list the objects in the device use: .. code-block:: bash yubihsm> list objects 0 where-- ``0`` Is the Session ID. .. Note:: If you have closed Session ``0``, the above command will not work. In that situation, open a new Session and use the new Session ID in the command above. .. _hsm2-initial-provision-deploy-guide-label: Initial Provisioning and Deployment for HMAC, PKCS11, or RSA ============================================================== This topic covers operations pertaining to the initial provisioning and deployment of YubiHSM 2 devices. Familiarity with the device, its features and capabilities is assumed. .. Important:: The YubiHSM 2 ships with a default Authentication Key with a well-known password. It is imperative that it is removed (single use case) or changed prior to production deployment. See also: * :ref:`hsm2-new-authentication-key-label` * :ref:`hsm2-generate-key-signing-label` * :ref:`hsm2-export-asymmetric-key-wrap-label` Known Usage Cases ------------------ When only a single application needs to be provisioned, Yubico recommends that all Authentication Keys and material be provisioned only with Capabilities specific to that use case. .. Note:: This type of deployment requires devices to be physically reset and re-provisioned (single use case) or changed should a new use case arise. HMAC ----- 1. Establish a session with the default Authentication Key. .. code-block:: bash yubihsm> connect Session keepalive set up to run every 15 seconds yubihsm> session open 1 password Created session 0 2. Create an Authentication Key for Auditing. .. code-block:: bash yubihsm> put authkey 0 0 "Audit auth key" all get-log-entries none $AUDIT_PASS Stored Authentication key 0xd054 3. Create a Wrap Key for importing application Authentication Keys and secrets. .. code-block:: bash yubihsm> get random 0 16 5b61e89468cc8f2a274715c78c3d4753 yubihsm> put wrapkey 0 0 "HMAC wrap Key" all import-wrapped sign-hmac:verify-hmac 5b61e89468cc8f2a274715c78c3d4753 Stored Wrap key 0xf09a 4. Create an Authentication Key for use with the above Wrap Key. .. code-block:: bash yubihsm> put authkey 0 0 "Provisioning HMAC wrap auth key" all import-wrapped none $WRAP_PASS Stored Authentication key 0xf10f 5. Delete the default Authentication Key. .. code-block:: bash yubihsm> delete 0 1 authentication-key 6. Create a wrapped Authentication Key and HMAC Key for the application. .. code-block:: bash echo -ne '\x5b\x61\xe8\x94\x68\xcc\x8f\x2a\x27\x47\x15\xc7\x8c\x3d\x47\x53' > wrap.key echo $HMAC_PASS | yubihsm-wrap -a aes128-yubico-authentication -c sign-hmac,verify-hmac -d 1 -l "HMAC auth key" -k wrap.key --in --out auth.out -e none echo -ne '\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' > hmac.key yubihsm-wrap -a hmac-sha256 -c sign-hmac,verify-hmac -d 1 -l "HMAC key" -k wrap.key --in hmac.key --out hmac.out 7. Open a Session with the wrap Authentication Key. .. code-block:: bash yubihsm> session open 0xf10f $WRAP_PASS Created session 1 8. Import the two wrapped keys in the new Session. .. code-block:: bash yubihsm> put wrapped 1 0xf09a auth.out Object imported as 0x2a74 of type authentication-key yubihsm> put wrapped 1 0xf09a hmac.out Object imported as 0xd1a2 of type hmac-key 9. Open a session with the new application Authentication Key. .. code-block:: bash yubihsm> session open 0x2a74 $HMAC_PASS Created session 2 10. Run HMAC-SHA256 Test vector #1 and get expected output. .. code-block:: bash yubihsm> hmac 2 0xd1a2b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7 echo -ne '\x48\x69\x20\x54\x68\x65\x72\x65' | openssl dgst -hex -mac hmac -macopt hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b -sha256 (stdin)= b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7 PKCS11 / RSA ------------- This example assumes that only RSA operations will be performed and that RSA keys will be generated on device over PKCS#11. For using the :ref:`hsm2-pkcs11-guide-label` a ``yubihsm\_pkcs11.conf`` file needs to exist and point at the desired connector. 1. Establish a Session with the default Authentication Key. .. code-block:: bash yubihsm> connect Session keepalive set up to run every 15 seconds yubihsm> session open 1 password Created session 0 2. Create an Authentication Key for Auditing. .. code-block:: bash yubihsm> put authkey 0 0 "Audit auth key" all audit none $AUDIT_PASS Stored Authentication key 0xd054 3. Optionally enable forced audits. .. code-block:: bash yubihsm> put option 0 force-audit 01 4. Create an Authentication Key for usage with the PKCS11 module. .. code-block:: bash yubihsm> put authkey 0 0 "PKCS11 RSA" 1 delete-asymmetric-key: generate-asymmetric-key:sign-pkcs:sign-pss sign-pkcs:sign-pss $PKCS11_PASS Stored Authentication key 0xf10f 5. Delete the default Authentication Key. .. code-block:: bash yubihsm> delete 0 1 authentication-key 6. Use pkcs11-tool to generate an RSA key. .. code-block:: bash pkcs11-tool --module /path/to/yubihsm_pkcs11.so -l --pin f10f${PKCS11_PASS} -k --key-type rsa:2048 --usage-sign --label "RSA key" Using slot 0 with a present token (0x0) Key pair generated: Private Key Object; RSA label: RSA key ID: e77d Usage: sign Public Key Object; RSA 2048 bits label: RSA key ID: e77d Usage: none .. _hsm2-new-authentication-key-label: Adding a New Authentication Key ==================================== Before moving on, make sure you are familiar with concepts of :ref:`hsm2-concepts-capability-label` and :ref:`hsm2-concepts-domain-label` 1. For our example we are going to generate an Authentication Key with selected Capabilities and Domains. Learn more about existing key Types at :ref:`hsm2-concepts-objects-label`. .. code-block:: bash yubihsm> put authkey 0 2 yubico 1,2,3 generate-asymmetric-key,export-wrapped,get-pseudo-random,put-wrap-key,import-wrapped,delete-asymmetric-key,sign-ecdsa sign-ecdsa,exportable-under-wrap,export-wrapped,import-wrapped password where -- ``put authkey`` is the command to create a new authentication key. ``0`` is the session ID. ``2`` is the ObjectID of the new authentication key. ``yubico`` is the label of the new authentication key. ``1,2,3`` is the domain where the new authentication key will operate within. ``generate-asymmetric-key, export-wrapped,get-pseudo-random,put-wrap-key,import-wrapped,delete-asymmetric-key,sign-ecdsa`` are the capabilities for the new authentication key. ``sign-ecdsa,exportable-under-wrap,export-wrapped,import-wrapped`` the delegated capabilities for the new authentication key. ``password`` is the password used to derive the new authentication key. This is the password you specify when opening a session with the YubiHSM using this authentication key. .. Important:: ``export-wrapped`` allows the creation of Objects that can perform the :ref:`hsm2-cmd-export-wrapped-label` command. ``exportable-under-wrap`` allows the creation of Objects that can be exported under wrap. .. Note:: The command above has two distinct sets of Capabilities, separated by a space. This is because Authentication Keys, in addition to having regular Capabilities, also have :ref:`hsm2-concepts-capability-label`. 2. List all Objects to see the newly created Authentication Key. .. code-block:: bash yubihsm> list objects 0 where -- ``0`` the Session ID used for the open session. 3. Next, let's start using our newly created Authentication Key to establish an encrypted Session. .. code-block:: bash yubihsm> session open 2 password Created session 1 where -- ``1`` is the Session ID assigned to the new Session. We will use this Session ID for most of the commands below. If at any time the Session is closed or expires because of inactivity, open a new one and use the correct Session ID. ``2`` is the ObjectID of the authentication key used to open the session. ``password`` is the password of the authentication key used to open the session. .. _hsm2-generate-key-signing-label: Generating an Asymmetric Key Object for Signing ================================================ We now proceed to generate a new Asymmetric Key. In our example we will use this key to sign some data. We will also export the key *under wrap* to another YubiHSM, for backup purposes. Specifically, we will ask the device to generate an Asymmetric Key with ID ``100`` and a given set of Domains and Capabilities. We will also specify the kind of Asymmetric Key that we would like to generate, an EC key using the NIST P-256 curve in this case. The command is: .. code-block:: bash yubihsm> generate asymmetric 1 100 label_ecdsa_sign 1,2,3 exportable-under-wrap,sign-ecdsa ecp256 where -- ``generate`` is YubiHSM shell command. ``asymmetric`` is the key type to be generated. ``1`` is the session ID. ``100`` is the key ID. ``label_ecdsa_sign`` is the label for the new key object. ``1,2,3`` are the domains where the new key will be accessible. ``exportable-under-wrap`` allows this key to be exported under wrap. ``sign-ecdsa`` is allows this key to be used to perform ECDSA signature. ``ecp256`` specifies NIST P-256 curve for the key. On success, we will see the message: .. code-block:: bash Generated Asymmetric key 0x0064 This signifies that an Asymmetric Key with ID ``0x0064`` (hexadecimal for 100) was generated. .. _hsm2-prepare-sign-asymmetric-key-label: Preparing to Sign With the New Asymmetric Key ---------------------------------------------- 1. Assuming we have a file called ``data.txt`` containing the data we would like to sign, we will sign it using ECDSA with the Asymmetric Key we generated in the previous step. .. code-block:: bash yubihsm> sign ecdsa 1 100 ecdsa-sha256 data.txt where -- ``1`` is the Session ID. ``100`` is the key ID. By default the output is printed to the standard output and consists of a Base64-encoded signature like the one below. .. code-block:: bash MEUCIQDrBqS04LN5YdyWGiD4iaEjfl1dn+W4cl97uMMXDpoaiQIgEBe/G/FgP4cumnO3K2XWToAnPvnuVDOnqHPiuUS0q5g= 2. This behavior can be changed by using the ``set outformat`` and ``set informat`` commands, and by specifying an additional output parameter to the ``sign`` command. For now we will store the signature as it is in a temporary file so that we will be able to verify it later. .. code-block:: bash $ echo MEUCIQDrBqS04LN5YdyWGiD4iaEjfl1dn+W4cl97uMMXDpoaiQIgEBe/G/FgP4cumnO3K2XWToAnPvnuVDOnqHPiuUS0q5g= >signature.b64 3. Next, we will extract the public key from the Asymmetric Key on the device and write it to the file ``asymmetric_key.pub``, so that we can use it to verify the signature we just created. .. code-block:: bash yubihsm> get pubkey 1 100 asymmetric_key.pub 4. We are going to use OpenSSL for the verification process. Since the signature that we created before is in Base64 format, we need to convert it first. Do so with: .. code-block:: bash $ base64 -d signature.b64 >signature.bin 5. It is now possible to verify the signature with OpenSSL. .. code-block:: bash $ openssl dgst -sha256 -signature signature.bin -verify asymmetric_key.pub data.txt Verified OK .. _hsm2-export-asymmetric-key-wrap-label: Exporting Asymmetric Key Under Wrap ===================================== Time to export the Asymmetric Key under wrap to a second YubiHSM 2 (in this example, we will export to the same YubiHSM for convenience). 1. To do that we need a Wrap Key, which fundamentally is an AES key. We use the random number generator built into the YubiHSM to generate the 16 bytes needed for an AES-128 key. .. code-block:: bash yubihsm> get random 1 16 9207653411df91fd36c12faa6886d5c4 .. Important:: The result of this command (the bytes) is considered extremely sensitive data and should be stored safely, and preferably, separate from any production environment. 2. We can now store the Wrap Key on the device with ID 200 by doing: .. code-block:: bash yubihsm> put wrapkey 1 200 label_wrapkey 1,2,3 import-wrapped,export-wrapped sign-ecdsa, exportable-under-wrap 9207653411df91fd36c12faa6886d5c4 .. Note:: For the upcoming ``export`` command to be successful, the Delegated Capabilities of the Wrap Key have to include the Capabilities of the Object being exported. Similarly, for the ``import`` command to succeed the Delegated Capabilities of the Wrap Key have to include the Capabilities of the Object being imported. 3. We can now export the Asymmetric Key with ID ``100`` using the Wrap Key with ID ``200`` and save it to a file called ``wrapped_asymmetric.key``. .. code-block:: bash yubihsm> get wrapped 1 200 asymmetric-key 100 wrapped_asymmetric.key 4. We are going to re-import the Asymmetric Key on the same device so we need to first delete the existing one. .. code-block:: bash yubihsm> delete 1 100 asymmetric-key 5. To import the wrapped EC key back into the YubiHSM use: .. code-block:: bash yubihsm> put wrapped 1 200 wrapped_asymmetric.key