ThalesGroup / crypto11

Implement crypto.Signer and crypto.Decrypter for HSM-protected keys via PKCS#11
MIT License

Export private key #108

Closed MrWildanMD closed 2 weeks ago

MrWildanMD commented 2 months ago

Is it possible to export the private key to a PEM object?

lfonosol commented 1 month ago

This defeats the purpose of using an HSM module.

What would you need the private key in PEM format for?

lpreimesberger commented 1 month ago

It's 100% possible, but you need to mark the key as exportable on creation in the HSM (or have imported it from elsewhere originally). The default is always 'no', like @lfonosol said. There are vendor-specific tools to back up and mirror keys on multiple HSM units.

nickrmc83 commented 2 weeks ago

I created the below PR for the purpose of exporting keys but it has other uses too. Whilst the PR does not explicitly include key export, it provides a hook to inject custom PKCS11 code to wrap and export keys.

https://github.com/ThalesGroup/crypto11/pull/102

Because not all HSMs are equal in capability (supported algorithms and key types) or configuration, you need to add custom code. You also need to think about whether you're attempting to access the key's plaintext or to export to another secure context via wrapping/encrypting the private key.

MrWildanMD commented 2 weeks ago

Okay, I managed to export it to plaintext and it succeeded with my custom code. Thanks for the answers.