When wrapping a key using p11wrap, the attribute CKA_EXTRACTABLE is set to true, since that key must have this attribute set to be wrapped. There is however no reason to keep this attribute set to true; moreover, this creates a potential security issue since, without modifying the unwrap template manually, the recovered key will also feature this attribute, making it vulnerable to extraction.
It is recommended to set this attribute to false, irrespective of its value fetched from the wrapped key.
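
The recommended behaviour, sketched as an added example (not code from p11wrap or pkcs11-tools): the unwrap template is pinned to CKA_EXTRACTABLE = false whatever value came from the wrapped key. The helper names `force_non_extractable` and `template_extractable` are hypothetical, and the PKCS#11 types are minimal stand-ins for `pkcs11.h` so the block builds on its own.

```c
#include <stddef.h>
#include <stdio.h>
/* Minimal stand-ins for pkcs11.h so this builds alone; values per PKCS#11. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CK_FALSE = 0, CK_TRUE = 1 };
#define CKA_SENSITIVE   0x00000103UL
#define CKA_EXTRACTABLE 0x00000162UL

static CK_BBOOL ck_false = CK_FALSE; /* static: must outlive the template */

/* Hypothetical helper: pin CKA_EXTRACTABLE to CK_FALSE in an unwrap template,
   overriding every copy taken from the wrapped key and appending one if absent.
   Returns the new attribute count, or 0 when the array has no free slot. */
size_t force_non_extractable(CK_ATTRIBUTE *t, size_t count, size_t capacity) {
    int found = 0;
    for (size_t i = 0; i < count; i++) {
        if (t[i].type != CKA_EXTRACTABLE) continue;
        t[i].pValue = &ck_false;
        t[i].ulValueLen = sizeof ck_false;
        found = 1;
    }
    if (found) return count;
    if (count >= capacity) return 0;
    t[count] = (CK_ATTRIBUTE){ CKA_EXTRACTABLE, &ck_false, sizeof ck_false };
    return count + 1;
}

/* 1 if any CKA_EXTRACTABLE entry is true, 0 if all are false, -1 if absent. */
int template_extractable(const CK_ATTRIBUTE *t, size_t count) {
    int seen = -1;
    for (size_t i = 0; i < count; i++) {
        if (t[i].type != CKA_EXTRACTABLE) continue;
        if (t[i].pValue && *(const CK_BBOOL *)t[i].pValue) return 1;
        seen = 0;
    }
    return seen;
}

/* Constructed sample: attributes as recovered from a wrapped-key file. */
int demo_after_fix(void) {
    CK_BBOOL yes = CK_TRUE;
    CK_ATTRIBUTE t[4] = { { CKA_SENSITIVE, &yes, sizeof yes }, { CKA_EXTRACTABLE, &yes, sizeof yes } };
    size_t n = force_non_extractable(t, 2, 4);
    return n == 2 ? template_extractable(t, n) : -2;
}

int main(void) { printf("extractable after fix: %d\n", demo_after_fix()); return 0; }
```
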