Back Up and Restore Using YubiHSM Shell

Back Up

Make sure you have a Wrap Key with the following capabilities set:

  • export-wrapped
  • import-wrapped
  • applicable Delegated Capabilities
$ yubihsm-shell -a get-pseudo-random --count=32 --out=wrap.key
yubihsm-shell -a put-wrap-key -c export-wrapped,import-wrapped --delegated=sign-pkcs,decrypt-pkcs,exportable-under-wrap --in=wrap.key
Stored Wrap key 0xd581

Any Object in the same Domain and with the Capability exportable-under-wrap and Capabilities matching the Wrap Key’s Delegated Capabilities can be exported, provided that this Wrap Key is present:

$ yubihsm-shell -a generate-asymmetric-key -A rsa2048 -c exportable-under-wrap,sign-pkcs,decrypt-pkcs
Generated Asymmetric key 0x6e77
yubihsm-shell -a get-wrapped --wrap-id=0xd581 --object-id=0x6e77 -t asymmetric-key --out=key_6e77.yhw

You now have an encrypted backup of the Asymmetric Key 0x6e77 in the file key_6e77.yhw.


The file wrap.key here contains the Wrap Key loaded into your YubiHSM in clear text. It should therefore be considered sensitive.


This assumes a fresh device where you want to restore the previously backed up key 0x6e77

$ yubihsm-shell -a put-wrap-key -A aes256-ccm-wrap -c export-wrapped,import-wrapped --delegated=sign-pkcs,decrypt-pkcs,exportable-under-wrap --in=wrap.key -i 0xd581
Stored Wrap key 0xd581
yubihsm-shell -a put-wrapped --wrap-id=0xd581 --in=key_6e77.yhw
Object imported as 0x6e77 of type asymmetric-key