Back Up and Restore Using YubiHSM Shell
Back Up
Make sure you have a Wrap Key with the following Capabilities set:
- export-wrapped
- import-wrapped
- the applicable Delegated Capabilities (every Capability of the Objects you intend to export must be among them)
$ yubihsm-shell -a get-pseudo-random --count=32 --out=wrap.key
...
$ yubihsm-shell -a put-wrap-key -c export-wrapped,import-wrapped --delegated=sign-pkcs,decrypt-pkcs,exportable-under-wrap --in=wrap.key
...
Stored Wrap key 0xd581
Any Object in the same Domain that has the Capability exportable-under-wrap and whose Capabilities are all included in the Wrap Key's Delegated Capabilities can be exported, provided that this Wrap Key is present:
$ yubihsm-shell -a generate-asymmetric-key -A rsa2048 -c exportable-under-wrap,sign-pkcs,decrypt-pkcs
...
Generated Asymmetric key 0x6e77
$ yubihsm-shell -a get-wrapped --wrap-id=0xd581 --object-id=0x6e77 -t asymmetric-key --out=key_6e77.yhw
...
You now have an encrypted backup of the Asymmetric Key 0x6e77 in the file key_6e77.yhw. The file can only be imported again with the same Wrap Key material it was wrapped with.
Important
The file wrap.key here contains the Wrap Key loaded into your YubiHSM in clear text. It should therefore be considered sensitive: restrict its file permissions, keep a copy in secure offline storage (it is required to restore the backup on another device, and anyone holding it together with a .yhw file can unwrap the key), and remove it from the host once it is no longer needed.
Restore
This assumes a fresh device where you want to restore the previously backed up key 0x6e77. The Wrap Key is loaded first, from the same wrap.key file, so that the device can unwrap the backup:
$ yubihsm-shell -a put-wrap-key -A aes256-ccm-wrap -c export-wrapped,import-wrapped --delegated=sign-pkcs,decrypt-pkcs,exportable-under-wrap --in=wrap.key -i 0xd581
...
Stored Wrap key 0xd581
$ yubihsm-shell -a put-wrapped --wrap-id=0xd581 --in=key_6e77.yhw
...
Object imported as 0x6e77 of type asymmetric-key
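The backup and restore steps above, collected into a small helper script. This is an added example and not part of the Yubico documentation or of yubihsm-shell itself. It checks the export rule from the Back Up section (the Object must carry exportable-under-wrap and all of its Capabilities must be among the Wrap Key's Delegated Capabilities) before attempting get-wrapped, creates the clear-text wrap.key file with owner-only permissions, and verifies that a backup file exists before put-wrapped. It assumes yubihsm-shell is on PATH, that connector and authentication options (for example -C and -p) are passed through the hypothetical YUBIHSM_OPTS variable, and that DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added helper script, not part of the Yubico documentation. It applies the
# export rule from the text before calling yubihsm-shell (the Object must carry
# exportable-under-wrap and every one of its Capabilities must appear in the
# Wrap Key's Delegated Capabilities), keeps the clear-text wrap.key file
# owner-readable only, and wraps the backup/restore commands shown above.
# Assumptions: yubihsm-shell is on PATH; connector and authentication options
# (for example -C and -p) are supplied through YUBIHSM_OPTS; capability lists
# are comma-separated as on the yubihsm-shell command line; DRY_RUN=1 prints
# the commands instead of executing them.

YUBIHSM_OPTS="${YUBIHSM_OPTS:-}"
DRY_RUN="${DRY_RUN:-0}"

# has_cap LIST CAP: succeed if the comma-separated LIST contains CAP exactly.
has_cap() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# can_export OBJ_CAPS DELEGATED: succeed if an Object with OBJ_CAPS may be
# exported under a Wrap Key whose Delegated Capabilities are DELEGATED.
can_export() {
    has_cap "$1" exportable-under-wrap || return 1
    old_ifs=$IFS
    IFS=,
    for cap in $1; do
        if ! has_cap "$2" "$cap"; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# wrap_key_is_private FILE: succeed only if FILE exists and has no group or
# other permission bits (mode 0600 or stricter), since it holds the Wrap Key
# in clear text.
wrap_key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# new_wrap_key FILE DELEGATED: draw 32 random bytes from the device into FILE
# (created under umask 077) and load it as a Wrap Key with the given Delegated
# Capabilities.
new_wrap_key() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'yubihsm-shell %s-a get-pseudo-random --count=32 --out=%s\n' \
            "${YUBIHSM_OPTS:+$YUBIHSM_OPTS }" "$1"
        printf 'yubihsm-shell %s-a put-wrap-key -c export-wrapped,import-wrapped --delegated=%s --in=%s\n' \
            "${YUBIHSM_OPTS:+$YUBIHSM_OPTS }" "$2" "$1"
        return 0
    fi
    (umask 077 && yubihsm-shell $YUBIHSM_OPTS -a get-pseudo-random --count=32 --out="$1") || return 1
    wrap_key_is_private "$1" || return 1
    yubihsm-shell $YUBIHSM_OPTS -a put-wrap-key -c export-wrapped,import-wrapped \
        --delegated="$2" --in="$1"
}

# backup_object WRAP_ID OBJ_ID TYPE OBJ_CAPS DELEGATED: check the export rule,
# then write the wrapped Object to key_<id>.yhw and verify the file is non-empty.
backup_object() {
    out="key_${2#0x}.yhw"
    if ! can_export "$4" "$5"; then
        echo "refusing: $2 [$4] is not exportable under Wrap Key $1 [$5]" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf 'yubihsm-shell %s-a get-wrapped --wrap-id=%s --object-id=%s -t %s --out=%s\n' \
            "${YUBIHSM_OPTS:+$YUBIHSM_OPTS }" "$1" "$2" "$3" "$out"
        return 0
    fi
    yubihsm-shell $YUBIHSM_OPTS -a get-wrapped --wrap-id="$1" --object-id="$2" \
        -t "$3" --out="$out" && [ -s "$out" ]
}

# restore_object WRAP_ID FILE: import a .yhw backup using the Wrap Key WRAP_ID,
# which must already be loaded on the target device with the same key material.
restore_object() {
    [ -s "$2" ] || { echo "missing or empty backup file: $2" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        printf 'yubihsm-shell %s-a put-wrapped --wrap-id=%s --in=%s\n' \
            "${YUBIHSM_OPTS:+$YUBIHSM_OPTS }" "$1" "$2"
        return 0
    fi
    yubihsm-shell $YUBIHSM_OPTS -a put-wrapped --wrap-id="$1" --in="$2"
}
```

Source the script and call, for example, `new_wrap_key wrap.key sign-pkcs,decrypt-pkcs,exportable-under-wrap`, then `backup_object 0xd581 0x6e77 asymmetric-key exportable-under-wrap,sign-pkcs,decrypt-pkcs sign-pkcs,decrypt-pkcs,exportable-under-wrap` on the source device and `restore_object 0xd581 key_6e77.yhw` on the target after loading the same Wrap Key there. The capability check is done host-side only as an early, readable failure; the device enforces the same rule and will reject a get-wrapped that violates it.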