Skip to content

Commit

Permalink
fix incorrect HSM mechanisms (#16081)
Browse files Browse the repository at this point in the history
  • Loading branch information
rculpepper authored Jun 21, 2022
1 parent 70f19e2 commit f9532fe
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions website/content/docs/secrets/transit.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -257,11 +257,11 @@ as described below. In the below, the target key refers to the key being importe
If the key is being imported from an HSM that supports PKCS#11, there are
two possible scenarios:

- If the HSM supports the CKM_AES_KEY_WRAP_KWP mechanism, that can be used to wrap the
- If the HSM supports the CKM_RSA_AES_KEY_WRAP mechanism, that can be used to wrap the
target key using the wrapping key.

- Otherwise, two mechanisms can be combined to wrap the target key. First, an AES key should
be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_PAD mechanism.
be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_KWP mechanism.
Then the AES key should be wrapped under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
using MGF1 and either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.

Expand Down

0 comments on commit f9532fe

Please sign in to comment.