Wrap your customer-supplied key

  • Release version: Australia
  • Updated March 12, 2026

  Wrap the symmetric key to use for encryption with the downloaded public key.

    Before you begin

    Note:
    This procedure describes options that are available with KMF base system and options to be used with Field Encryption Enterprise functionality. Field Encryption Enterprise functionality is available only when the com.glide.now.platform.encryption plugin is active. See Activate Field Encryption for more information on obtaining Field Encryption Enterprise.

    The examples in this task use the OpenSSL tool. For more information on this tool see https://www.openssl.org. If you are using other cryptographic tools, such as LibreSSL or GnuTLS, refer to the documentation for those products for similar steps.

    • Modify optional properties that control the size, padding algorithm, and validity period of the key. See Configure properties for customer-supplied keys.
    • You must have your symmetric key (.BIN) for encryption.

      Important:
      Your key must be in binary format. If another format is used, a "Token failed validation. Please reattach the unmodified token." error message displays.

    Role required: security_admin and sn_kmf.cryptographic_manager or sn_kmf.admin

    Procedure

    1. From a command line, use your copied token_publickey file name to open the folder of the unzipped files. This folder is the placeholder for the wrapped key.
    2. Edit this script by replacing the examples with the names of your crypto files.
      downloads user.name$ cd token_publickey_<token>
      openssl pkeyutl -encrypt -pubin -inkey publickey_<keyname>.PEM \
        -in <keyname.bin> \
        -out wrapped_key_material -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha<128 or 256>

      Review the key wrapping commands in the following table for more information.

      Table 1. Key wrapping commands

      | Directions | Command | Example |
      |---|---|---|
      | Open the file directory where you downloaded the wrapping token. | cd | cd token_publickey123456789 |
      | Paste the name of the publickey.PEM certificate. | openssl pkeyutl -encrypt -pubin -inkey | publickey_586798643ffff.PEM |
      | Paste the name of your key here. | -in | mykey.bin |
      | Enter the <-out> command and specify if the key is 128 bit or 256 bit. | -out wrapped_key_material -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 | N/A |

    3. Run the command.
      A system message displays token_publickey_<keynumber>. The key will be generated and a wrapped_key_material file added to the directory.
    4. Upload the wrapped key.
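
The wrapping step above as a script with two checks around it, added here as an example and not ServiceNow's own code: it rejects a key file that is not raw binary before wrapping, and confirms the wrapped output is as long as the RSA modulus. The function names, the 16- or 32-byte size rule (a 128- or 256-bit key) and the use of sha256 (taken from the table's example) are assumptions.

```shell
#!/bin/sh
# Added example, not ServiceNow's script. Assumptions: the function names and
# the 16/32-byte size rule (128- or 256-bit key) are illustrative; sha256
# follows the example column of the table.

# check_key_format FILE: succeed only if FILE looks like a raw binary key.
check_key_format() {
    size=$(wc -c < "$1" | tr -d ' ')
    case "$size" in
        16|32) ;;
        *) echo "error: $1 is $size bytes, expected 16 or 32 raw bytes" >&2
           return 1 ;;
    esac
    # A 128-bit key written as hex text is also 32 bytes long, so size alone
    # is not enough: count the bytes that are not hex/base64 characters.
    nontext=$(LC_ALL=C tr -d 'A-Za-z0-9+/=\r\n' < "$1" | wc -c | tr -d ' ')
    if [ "$nontext" -eq 0 ]; then
        echo "error: $1 looks like hex or base64 text, not binary" >&2
        return 1
    fi
}

# wrap_key PUBKEY_PEM KEY_BIN OUT_FILE: RSA-OAEP wrap with the page's options.
wrap_key() {
    check_key_format "$2" || return 1
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 || return 1
    # An RSA ciphertext is exactly as long as the modulus; anything else means
    # the output was truncated or re-encoded on the way.
    mod=$(openssl rsa -pubin -in "$1" -noout -modulus) || return 1
    hex=${mod#Modulus=}
    expected=$(( ${#hex} / 2 ))
    actual=$(wc -c < "$3" | tr -d ' ')
    if [ "$actual" -ne "$expected" ]; then
        echo "error: wrapped key is $actual bytes, expected $expected" >&2
        return 1
    fi
    echo "wrote $3 ($actual bytes)"
}

# Usage: sh wrap.sh publickey_<keyname>.PEM <keyname.bin> wrapped_key_material
if [ "$#" -eq 3 ]; then
    wrap_key "$@"
fi
```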

    What to do next

    Return to Configure and upload your customer supplied key to upload your wrapped key.