Generate, wrap, and export your own key

All procedures in this section should be completed on the offline computer.

  1. Open a Windows CLI as administrator.

  2. Navigate to the folder containing the transferred pem file from the online computer.

  3. Run the following command. Be ready to present the ACS/OCS to the HSM when prompted. In the following examples a new key named mykey2azure is generated, because no key with that name exists yet. For more information on cloud_integration_tool, see the CIOP v2.3.0 Install and User Guide.

    >"%NFAST_HOME%\python3\python.exe" -m cloud_integration_tool microsoft-azure <your-key-name> <downloaded-pem> --azure-kek <azure-kid> --key-type <key-type>

    Example 1: Create a module-protected key named mykey2azure and wrap it with the Azure KEK.

    C:\Users\Administrator\Downloads>"%NFAST_HOME%\python3\python.exe" -m cloud_integration_tool microsoft-azure mykey2azure nshieldhsmbyokkeyvault-nShieldHSMBYOKKey-20251203.pem --azure-kek https://nshieldhsmbyokkeyvault.vault.azure.net/keys/nShieldHSMBYOKKey/28ec0aa4fd2240b9a8d331e96a0f1d26 --key-type RSA-2048
    Module Protected
    
    FIPS: insert OCS/ACS:
     Module 1: 0 cards read
     Module 1 slot 0: empty
     Module 1 slot 0: blank card
     Module 1 slot 0: empty
    Card reading complete.
    
    Provider: microsoft-azure
      Importing key 'nshieldhsmbyokkeyvault-nShieldHSMBYOKKey-20251203.pem'
    Generating RSA-2048 key 'mykey2azure'
    Exporting
    Output json blob to KeyTransferPackage-mykey2azure.byok
    Success: wrapped key exported 'KeyTransferPackage-mykey2azure.byok'

    Example 2: Create an OCS-protected key named mykey2azure and wrap it with the Azure KEK. The OCS is named testOCSpn and has a quorum of K=2.

    C:\Users\Administrator\Downloads>"%NFAST_HOME%\python3\python.exe" -m cloud_integration_tool microsoft-azure mykey2azure nshieldhsmbyokkeyvault-nShieldHSMBYOKKey-20251203.pem --azure-kek https://nshieldhsmbyokkeyvault.vault.azure.net/keys/nShieldHSMBYOKKey/28ec0aa4fd2240b9a8d331e96a0f1d26 --key-type RSA-2048 -O testOCSpn
    
    Loading `testOCSpn':
     Module 1: 0 cards of 2 read
     Module 1 slot 0: empty
     Module 1 slot 0: `testOCSpn' #3
     Module 1 slot 0:- passphrase supplied - reading card
     Module 1: 1 card of 2 read
     Module 1 slot 0: `testOCSpn' #3: already read
     Module 1 slot 0: empty
     Module 1 slot 0: `testOCSpn' #1
     Module 1 slot 0:- passphrase supplied - reading card
    Card reading complete.
    
    Provider: microsoft-azure
      Importing key 'nshieldhsmbyokkeyvault-nShieldHSMBYOKKey-20251203.pem'
    Generating RSA-2048 key 'mykey2azure'
    Exporting
    Output json blob to KeyTransferPackage-mykey2azure.byok
    Success: wrapped key exported 'KeyTransferPackage-mykey2azure.byok'
  4. Confirm that the new key is held under HSM protection. The output below is for the key from Example 1 above, so its protection is reported as Module.

    >nfkminfo -k simple mykey2azure
    Key AppName simple Ident mykey2azure
     BlobKA length         1092
     BlobPubKA length      484
     BlobRecoveryKA length 1480
     name                  ""
     hash                  60b7b07ac99848150073b9417ae68197b7dbada2
     recovery              Enabled
     protection            Module
     other flags           PublicKey !SEEAppKey !NVMemBlob +0x0
     gentime               2025-12-04 17:50:38
     SEE integrity key     NONE
    ...
    No extra entries
  5. Confirm that the key transfer package was created.

    C:\Users\Administrator\Downloads>dir KeyTransferPackage-mykey2azure.byok
     Volume in drive C has no label.
     Volume Serial Number is 84FA-5956
    
     Directory of C:\Users\Administrator\Downloads
    
    12/04/2025  12:50 PM             2,335 KeyTransferPackage-mykey2azure.byok
                   1 File(s)          2,335 bytes
                   0 Dir(s)  1,915,139,063,808 bytes free
  6. Transfer the key transfer package using media (e.g. USB thumb drive) to the online computer.
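The wrapped key is the only artifact that leaves the offline computer, so it is worth checking before step 6 that the package actually names the KEK you passed as --azure-kek in step 3 and has the shape of a CKM_RSA_AES_KEY_WRAP blob. The following script is an added example for this guide and is not part of cloud_integration_tool or the CIOP guide. It assumes the .byok file uses the Azure Key Vault BYOK transfer-blob layout published by Microsoft (schema_version, header with kid/alg/enc, base64url ciphertext); the page does not reproduce the tool's JSON, so confirm those field names against the CIOP guide. The constructed_blob helper and its filler bytes are constructed for testing only and are not a real wrapping.

```python
"""Sanity-check a KeyTransferPackage-<key>.byok before it leaves the offline machine.

Added example; not part of cloud_integration_tool. The JSON layout checked here
(schema_version / header{kid,alg,enc} / ciphertext) is the Azure Key Vault BYOK
transfer-blob format documented by Microsoft. It is an assumption that the
nShield tool emits exactly these field names; verify against the CIOP guide.
"""
import base64
import json
import sys

# The --azure-kek value from the step 3 example command.
EXPECTED_KEK = ("https://nshieldhsmbyokkeyvault.vault.azure.net/keys/"
                "nShieldHSMBYOKKey/28ec0aa4fd2240b9a8d331e96a0f1d26")


def b64url_decode(text):
    """Decode base64url, restoring the '=' padding that JOSE-style data omits."""
    text = text.strip()
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalise_kid(kid):
    """Key Vault key identifiers are case-insensitive; ignore case and a trailing slash."""
    return kid.strip().rstrip("/").lower()


def check_transfer_blob(blob_json, expected_kek, kek_bits=2048):
    """Return (ok, findings). Structural checks only: nothing here can unwrap the key.

    kek_bits is the modulus size of the Azure KEK. CKM_RSA_AES_KEY_WRAP output is
    RSA-OAEP(ephemeral AES key), exactly kek_bits/8 bytes, followed by the AES-KWP
    wrapping of the target key, which is a multiple of 8 bytes and at least 16.
    """
    findings = []
    try:
        blob = json.loads(blob_json)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc}"]

    if blob.get("schema_version") != "1.0.0":
        findings.append(f"unexpected schema_version {blob.get('schema_version')!r}")

    header = blob.get("header") or {}
    if normalise_kid(header.get("kid", "")) != normalise_kid(expected_kek):
        findings.append(f"kid mismatch: blob names {header.get('kid')!r}, "
                        "expected the KEK passed as --azure-kek")
    if header.get("alg") != "dir":
        findings.append(f"unexpected alg {header.get('alg')!r}")
    if header.get("enc") != "CKM_RSA_AES_KEY_WRAP":
        findings.append(f"unexpected enc {header.get('enc')!r}")

    try:
        ciphertext = b64url_decode(blob.get("ciphertext", ""))
    except (ValueError, TypeError) as exc:  # binascii.Error is a ValueError
        return False, findings + [f"ciphertext is not base64url: {exc}"]

    kek_bytes = kek_bits // 8
    if len(ciphertext) <= kek_bytes:
        findings.append(f"ciphertext is {len(ciphertext)} bytes; needs more than "
                        f"the {kek_bytes}-byte RSA-wrapped AES key")
    else:
        wrapped_key = ciphertext[kek_bytes:]
        if len(wrapped_key) % 8 or len(wrapped_key) < 16:
            findings.append(f"AES-KWP section is {len(wrapped_key)} bytes, "
                            "not a multiple of 8 (or too short)")
    return not findings, findings


def constructed_blob(kid, kek_bits=2048, target_len=1216):
    """Build a blob of the right shape from deterministic filler bytes.

    Constructed for testing only: the filler is NOT a real RSA-OAEP or AES-KWP
    wrapping. target_len approximates a PKCS#8 RSA-2048 private key (~1.2 KB).
    """
    kwp_len = (target_len + 7) // 8 * 8 + 8   # AES-KWP pads to 8 and adds an 8-byte block
    total = kek_bits // 8 + kwp_len
    filler = bytes((i * 7 + 3) % 256 for i in range(total))
    blob = {
        "schema_version": "1.0.0",
        "header": {"kid": kid, "alg": "dir", "enc": "CKM_RSA_AES_KEY_WRAP"},
        "ciphertext": base64.urlsafe_b64encode(filler).rstrip(b"=").decode(),
        "generator": "constructed sample, not cloud_integration_tool output",
    }
    return json.dumps(blob)


if __name__ == "__main__":
    # Usage: python check_byok.py KeyTransferPackage-mykey2azure.byok
    # With no argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = constructed_blob(EXPECTED_KEK)
    ok, problems = check_transfer_blob(data, EXPECTED_KEK)
    print("OK" if ok else "NOT OK")
    for problem in problems:
        print(" -", problem)
    sys.exit(0 if ok else 1)
```

Pass kek_bits matching the Azure KEK's size (2048, 3072 or 4096) if it is not a 2048-bit key; the script cannot decrypt anything, it only catches a package that points at the wrong KEK or was truncated in transit before you carry it to the online computer.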