Closed MrWildanMD closed 2 weeks ago
This defeats the purpose of using an HSM module.
What would you need the private key in PEM format for?
It's 100% possible, but you need to mark the key as exportable on creation in the HSM (or have imported it from elsewhere originally). The default is always 'no', like @lfonosol said. There are vendor-specific tools to back up and mirror keys on multiple HSM units.
I created the below PR for the purpose of exporting keys but it has other uses too. Whilst the PR does not explicitly include key export, it provides a hook to inject custom PKCS11 code to wrap and export keys.
https://github.com/ThalesGroup/crypto11/pull/102
Because not all HSMs are equal in capability (supported algorithms and key types) or configuration, you need to add custom code. You also need to think about whether you're attempting to access the key's plaintext or to export to another secure context via wrapping/encrypting the private key.
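The three outcomes discussed in this thread (not exportable, wrapped export, plaintext access) follow from standard PKCS#11 key attributes. The sketch below is an added example, not code from crypto11, the linked PR or any participant. It classifies key objects for an export audit; the type and function names are hypothetical and the sample keys are constructed rather than read from a token.

```go
package main

import "fmt"

// KeyAttrs holds the PKCS#11 attributes that decide whether a private key
// can leave the token. Hypothetical type for this example.
type KeyAttrs struct {
	Label           string
	Sensitive       bool // CKA_SENSITIVE
	Extractable     bool // CKA_EXTRACTABLE
	WrapWithTrusted bool // CKA_WRAP_WITH_TRUSTED
}

// Exposure is a hypothetical classification used only in this example.
type Exposure string

const (
	NotExportable  Exposure = "not exportable"
	WrappedTrusted Exposure = "wrap only, CKA_TRUSTED wrapping key required"
	WrappedAny     Exposure = "wrap only, wrapping key not restricted"
	Plaintext      Exposure = "plaintext value readable"
)

// Classify applies the PKCS#11 rules: the key value can be read only when
// the key is extractable and not sensitive, and C_WrapKey needs
// CKA_EXTRACTABLE to be true.
func Classify(k KeyAttrs) Exposure {
	switch {
	case !k.Extractable:
		return NotExportable
	case !k.Sensitive:
		return Plaintext
	case k.WrapWithTrusted:
		return WrappedTrusted
	default:
		return WrappedAny
	}
}

// Audit groups key labels by exposure so reviewers can spot exportable keys.
func Audit(keys []KeyAttrs) map[Exposure][]string {
	out := map[Exposure][]string{}
	for _, k := range keys {
		out[Classify(k)] = append(out[Classify(k)], k.Label)
	}
	return out
}

func main() { // constructed sample inventory
	fmt.Println(Audit([]KeyAttrs{{"tls-signing", true, false, false}, {"legacy-import", false, true, false}}))
}
```
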
Okay, I managed to export it to plaintext and it succeeded with my custom code. Thanks for the answers.
Is it possible to export the private key to a PEM object?