Primus Tools Commands
Using this tool requires a prior installation of the Java Runtime Environment (see Prerequisites).
The primus-tools.jar file contains a set of Java command-line commands for the Primus HSM or CloudHSM, as well as other utilities.
The general call structure is as follows:
java -jar primus-tools.jar <ToolName> <HSM connection and credentials> [further tool parameters] [-help]
Commands require an established <HSM connection and credentials> parameter to execute properly. To prepare your <HSM connection and credentials> parameter, go back to the HSM Connection section.
Commands Overview
The table below gives an overview of current Primus Tools commands.
Options and more information for a specific command can be listed by calling the command without parameters or with the -help parameter, e.g.:
java -jar primus-tools.jar CreateKey <HSM connection and credentials> -help
usage: CreateKey -host <host> [-port <port>] -user <user> [-password <password>]
-keyname <keyname> [-keypassword <keypassword>] -type <type> [-size <size>]
[-curve <curve>] [-flags <flags>] [-access <access>]
The detailed description of the commands is found under Command Details.
Credential Management
Used for credential management for the HSM and the connection to it.
Command | Description |
---|---|
GetUserSecret | Get (optionally blinded) permanent user secret |
GenerateBlindingKeyFile | Generate a blinding key file |
BlindPassword | Blinding of passwords, setup passwords, user secrets |
Login | Login test (to check credentials and connectivity) |
HSM Device Information
Used for acquiring HSM device information and logs.
Command | Description |
---|---|
GetLog | Get the HSM user log |
GetDeviceInfo | Get device name, firmware version and used provider version |
Object Management
Commands used for managing HSM objects.
Command | Description |
---|---|
ListKeyStoreObject | List partition objects (type, size, flags, hash) for single aliases |
ListKeyStoreObjects | List partition objects (type, size, flags, hash) |
ListKeyEntry | List key information |
ListKeyFlags | List key flags |
CreateKey | Create key |
DeleteKey | Delete key |
GetKeyFlag | Get a single key flag for a key |
SetKeyFlag | Set key flag |
SetKeyId | Set key id |
RenameKey | Rename a key or change a key password |
ImportCertificate | Certificate Import |
ImportPublicKey | Import a public key |
ImportKeyWrapped | Import a wrapped key |
GetPublicKey | Export a public key |
ExportKeyWrapped | Export a wrapped key |
Partition Management
Commands used for managing HSM partitions.
Command | Description |
---|---|
GetKeyStoreStatistics | Get number of objects (type, number) and show used/free size |
ListKeyStore | List partition information (as visible to JCE API) |
ClearKeyStore | Clear the partition (delete all objects/keys) |
Smart Key Attributes
Commands used for Smart Key Attribute key management.
Command | Description |
---|---|
CreateAttestationKey | Create attestation key (for signed attestations and timestamps, needs RKS) |
ListEkaAccess | List smart key (SKA/eka) access information |
CreateEkaKey | Create smart (EKA/SKA) key |
CreateIntegrityKey | Create integrity key (for SKA use) |
GetAttestation | Get key attributes (attested/signed) |
ModifyEka | Modify smart key (SKA/EKA) attributes |
SetKeyFlagEka | Set key flag on SKA/EKA key |
SignEka | Sign test with SKA/EKA |
KeytoolX & JarsignerX
Commands used for subcommands of KeytoolX and JarsignerX.
Command | Description |
---|---|
KeytoolX | Adapter to keytoolX |
JarsignerX | Adapter to jarsignerX |
Bring Your Own Key
Commands used for different BYOK procedures.
Command | Description |
---|---|
AzureByokExport | Wrap-export RSA, EC, or AES key, for Azure BYOK |
AwsKmsByokExport | Wrap-export an AES key for AWS KMS BYOK |
SalesforceByokExport | Wrap-export an AES/HMAC key derivation for Salesforce BYOK (currently in testing) |
Elliptic Curve Integrated Encryption Scheme
Commands used for ECIES procedures.
Command | Description |
---|---|
IesChunkingEncrypt | Elliptic Curve Integrated Encryption Scheme chunking file encryption |
IesChunkingDecrypt | Elliptic Curve Integrated Encryption Scheme chunking file decryption |
IesEncrypt | Elliptic Curve Integrated Encryption Scheme file encryption |
IesDecrypt | Elliptic Curve Integrated Encryption Scheme file decryption |
EMV
Commands used for EMV procedures.
Command | Description |
---|---|
ImportKeySplit | Import of plain key split into 3 parts (EMV) |
ImportKeyWrappedZmk | Import of key encrypted (wrapped) |
ExportKeyWrappedZmk | Export of key encrypted (wrapped) |
ExportKeySplit | Export of plain key split into 3 parts (EMV) |
Signing
Commands used for signing and signature verification.
Command | Description |
---|---|
Sign | Sign test |
JarSignatureCheck | Check Primus JCE provider (primusX.jar) code signature |