Aws Generate Public Key From Private Key



I have local keys that I want to import to AWS CloudHSM using the unWrapKey command with the key_mgmt_util command line tool. However, I can't import or wrap plaintext keys.



Resolution

Encrypt your payload key with an ephemeral AES key, and encrypt the ephemeral AES key with the public key from an RSA key pair. Then, concatenate the encrypted payload key and the encrypted ephemeral key into a single file. The concatenated file is sent to your CloudHSM in its encrypted form and decrypted there with the private key from the key pair: the CKM_RSA_AES_KEY_WRAP mechanism recovers the ephemeral AES key and uses it to unwrap your payload key.

Create the following keys:

  • Payload AES or RSA key. This is the key you import and use with your CloudHSM.
  • Temporary AES key required by AES_KEY_WRAP to encrypt the payload. It's a best practice to use AES, because there are no size limits on what can be encrypted.
  • RSA key pair used to securely wrap and unwrap these keys into your CloudHSM.

Before you begin, make sure you have a patched version of OpenSSL to allow envelope wrapping. For instructions, see How can I patch OpenSSL to enable use with the CloudHSM CKM_RSA_AES_KEY_WRAP mechanism?

Create, encrypt, and import the local keys

1. Run these commands to create the payload, ephemeral, and RSA keys.

Tip: Create these keys in their own directory to track your files.

2. Output the raw hex values of the ephemeral AES key into a variable with this command.

Note: Make sure you have the hexdump utility installed or this command returns an error. Refer to your OS documentation on how to install the hexdump utility.


3. Use the OpenSSL enc command to wrap the payload with the ephemeral AES key. The -id-aes256-wrap-pad cipher is the RFC 3394 compliant wrapping mechanism that coincides with CKM_RSA_AES_KEY_WRAP. The -iv values are set by RFC 5649 (an extension to RFC 3394).

4. Encrypt the AES key with the public key from the RSA key pair that you created in step 1.

5. From the local machine, concatenate the encrypted payload key and ephemeral AES key into a single file named rsa_aes_wrapped.

6. Import the RSA private key into the CloudHSM from your local machine. First create a persistent AES key in the HSM; importPrivateKey uses it to protect the import.

Note: Replace user-name and user-password with your CloudHSM user name and password.

Note: If you created the RSA key pair on the HSM and exported the public key using exportPubKey, you can skip steps 6-9.

7. You receive an output similar to the following. Note the AES key handle—it's used to import the private RSA key. In this example, the key handle is 7.

8. Import the private key and wrap it into the HSM. The import is secured with the persistent AES key you created in step 6.

Note: Replace option -w 7 with your key handle.

9. You receive an output similar to the following. Note the imported RSA private key handle. In this example, the imported RSA Private Key is 8.

10. Unwrap the concatenated payload key into the HSM using the imported RSA private key with the unWrapKey command. This example uses -w 8 as the key handle of the imported RSA private key.

Note: Replace -w 8 with your private key handle.

Note: You must use -kc 4 -kt 31 to unwrap AES keys and -kc 3 -kt 0 to unwrap RSA private keys. For more information on using the -m, -kc, and -kt parameters, see the unWrapKey example.

11. You receive a successful import of the payload AES key similar to the following output:


Note: In this example, key handle 10 of the new unwrapped key can be used in the CloudHSM.

Verify that you imported the payload AES key

1. Export the payload AES key back to disk using the wrapping key (-w 7). Replace the payload key handle 10 with the handle of your imported payload AES key.

2. Run this command to compare the imported payload key with the payload_aes key.

3. If the HSM.key and payload_aes keys are identical, you receive the following output:

Import the RSA payload

1. If you want to unwrap an RSA private key into the HSM, run these commands to change the payload key to an RSA private key.

2. The RSA keys created with OpenSSL in step 1 of this section are in PKCS #1 format. However, the key_mgmt_util tool assumes that the private key is in PKCS #8 DER format. Open the keys in a text editor and confirm the format from the PEM header:

  • PKCS #1 format: -----BEGIN RSA PRIVATE KEY-----
  • PKCS #8 format: -----BEGIN PRIVATE KEY-----


3. To convert the payload_rsa.pem key into pkcs8 format and DER encoded, run this command:

4. Follow steps 2-9 from the Create, encrypt, and import the local keys section.

Note: Replace payload_aes with payload_rsa_pkcs8.der.

5. Run this command to unwrap the payload RSA private key into the CloudHSM, and take note of the output key handle:

Note: You must use -kc 4 -kt 31 to unwrap AES keys and -kc 3 -kt 0 to unwrap RSA private keys.

You now have the payload RSA key unwrapped into the HSM.
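Steps 1 through 3 of this section as an added shell example (not the page's own commands): it creates payload_rsa.pem, reports from the PEM header whether OpenSSL wrote it as PKCS #1 or PKCS #8 (OpenSSL 1.1.1 writes PKCS #1, OpenSSL 3 writes PKCS #8 by default), converts it to the PKCS #8 DER file key_mgmt_util expects, and checks the result. pem_format, make_rsa_payload and is_pkcs8_der are names chosen here.

```shell
#!/bin/sh
# Added example, not the page's own commands: create the RSA payload key,
# detect its PEM format, and convert it to PKCS#8 DER for key_mgmt_util.
set -eu

# Print PKCS1 or PKCS8 according to the PEM header of file $1 (step 2).
pem_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----") echo PKCS1 ;;
        "-----BEGIN PRIVATE KEY-----")     echo PKCS8 ;;
        *) echo UNKNOWN; return 1 ;;
    esac
}

# Steps 1 and 3 in directory $1: create payload_rsa.pem and convert it to
# payload_rsa_pkcs8.der. Prints the format OpenSSL originally wrote.
# OpenSSL 1.1.1 emits PKCS#1 by default, OpenSSL 3 emits PKCS#8; -topk8 accepts
# either, so the conversion is safe to run unconditionally.
make_rsa_payload() (
    cd "$1"
    openssl genrsa -out payload_rsa.pem 2048 2>/dev/null
    fmt=$(pem_format payload_rsa.pem)
    # -nocrypt keeps the DER unencrypted: the AES wrap, not a passphrase,
    # is what protects the key on its way to the HSM
    openssl pkcs8 -topk8 -nocrypt -inform PEM -in payload_rsa.pem \
        -outform DER -out payload_rsa_pkcs8.der
    echo "$fmt"
)

# Check that DER file $1 really is a PKCS#8 PrivateKeyInfo: it parses as a
# private key and its ASN.1 carries the rsaEncryption AlgorithmIdentifier,
# which a bare PKCS#1 RSAPrivateKey does not have. Returns 0 when both hold.
is_pkcs8_der() {
    openssl pkey -inform DER -in "$1" -noout 2>/dev/null &&
    openssl asn1parse -inform DER -in "$1" | grep -q ':rsaEncryption'
}
```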

Verify that you imported the payload RSA private key

1. Export the payload RSA private key back to disk using the wrapping key you created earlier. Replace the payload key handle 25 with the handle of your imported payload RSA private key.


2. Run this command to convert your payload_rsa key into PKCS #8 format without converting to DER.

3. Run this command to compare the imported payload key with the payload_rsa key.

4. If the HSM_rsa_private.key and payload_rsa_pkcs8.pem keys are identical, you receive the following output:

Related Information

RFC 5649
