Key Attributes for the JCE Provider

The key attributes in this topic can be set during key generation and key importing when using the Dedicated KMS JCE Provider.

Specifying Key Attributes

The following example shows how to specify attributes when using the key generator:

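import java.util.UUID;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// KeyAttributesMap and KeyAttribute come from the Dedicated KMS JCE Provider library.
KeyGenerator kg = KeyGenerator.getInstance("AES", "DedicatedKmsProvider");
KeyAttributesMap attributesMap = new KeyAttributesMap();
attributesMap.put(KeyAttribute.SIZE, 256);                            // 256-bit AES key
attributesMap.put(KeyAttribute.LABEL, UUID.randomUUID().toString());  // unique label for this key
attributesMap.put(KeyAttribute.EXTRACTABLE, true);                    // key can be exported from the HSM
attributesMap.put(KeyAttribute.PERSISTENT, false);                    // ephemeral: erased when the HSM connection ends
kg.init(attributesMap, null);
SecretKey sk = kg.generateKey();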

Key Attributes Reference

| Attribute | Supported Values | Default Value | Notes |
|---|---|---|---|
| CRT_COEFFICIENT | | | For use in the RSA key factory. Represents the Chinese Remainder Theorem coefficient q^-1 mod p as a byte array. See PKCS#1 v2.2 for more information. |
| CURVE_TYPE | secp224r1 (P-224), secp256r1 (P-256), secp256k1 (Blockchain), secp384r1 (P-384), and secp521r1 (P-521) | | For use in the EC key pair generator. Specifies the elliptic curve (EC) for the key pair generator. The curve is then used in EC-related cryptographic operations. |
| EC_PARAMS | | | For use in the EC key factory. Represents the elliptic curve using ECParameterSpec, with a byte[] representation for serialization. |
| EC_POINT | | | For use in the EC key factory. Specifies a point on an elliptic curve, with a byte[] representation for serialization. |
| EXTRACTABLE | True or False (Boolean) | True (symmetric key, asymmetric private key) | True indicates you can export this key from the HSM. |
| ID | | | A user-defined value used to identify the key. |
| KEY_TYPE | AES, DESede, EC, RSA | | The type of key. |
| LABEL | | | A user-defined string to identify keys on your HSM. We recommend using a unique label for each key. |
| MODULUS | | | Represents the modulus n as a byte array. See PKCS#1 v2.2 for more information. |
| PERSISTENT | True or False (Boolean) | False | Set to TRUE to make a persistent key. Set to FALSE to create an ephemeral key, which is automatically erased when the connection to the HSM is broken or the session is logged out. |
| PRIME_EXPONENT_P | | | For use in the RSA key factory. Represents d mod (p-1) as a byte array. See PKCS#1 v2.2 for more information. |
| PRIME_EXPONENT_Q | | | For use in the RSA key factory. Represents d mod (q-1) as a byte array. See PKCS#1 v2.2 for more information. |
| PRIME_P | | | For use in the RSA key factory. Represents the prime factor p of n as a byte array. See PKCS#1 v2.2 for more information. |
| PRIME_Q | | | For use in the RSA key factory. Represents the prime factor q of n as a byte array. See PKCS#1 v2.2 for more information. |
| PRIVATE_EXPONENT | | | For use in the RSA key factory. Represents the private exponent d as a byte array. See PKCS#1 v2.2 for more information. |
| PRIVATE_LABEL | | | Specifies a user-defined label for the private key. |
| PUBLIC_EXPONENT | | | For use in the RSA key factory. Represents the public exponent e as a byte array. See PKCS#1 v2.2 for more information. |
| PUBLIC_LABEL | | | Specifies a user-defined label for the public key. |
| SIZE | See Key Types and Algorithms for valid key size values. | | The size of a key. |
| VALUE | | | For use in the EC key factory or secret key factory. Represents the encoded key as a byte array. |
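
The following is an added example, not code from the Dedicated KMS documentation or provider. It checks that RSA components satisfy the PKCS#1 relationships behind the RSA key factory attributes before they are handed to a key factory, using only JDK classes on a locally generated test key. Assumptions: the map keys are plain strings mirroring the attribute names in the table, and the byte arrays use BigInteger.toByteArray() encoding, because the page does not state the encoding the provider expects.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateCrtKey;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: JDK classes only, no Dedicated KMS provider calls.
public class RsaAttributeCheck {

    static void require(boolean ok, String what) {
        if (!ok) throw new IllegalArgumentException("inconsistent RSA key: " + what);
    }

    // Verifies the PKCS#1 relationships between the components, then returns
    // them keyed by the attribute names from the reference table.
    static Map<String, byte[]> toAttributes(RSAPrivateCrtKey k) {
        BigInteger one = BigInteger.ONE;
        BigInteger n = k.getModulus(), e = k.getPublicExponent(), d = k.getPrivateExponent();
        BigInteger p = k.getPrimeP(), q = k.getPrimeQ();
        BigInteger dP = k.getPrimeExponentP(), dQ = k.getPrimeExponentQ(), qInv = k.getCrtCoefficient();

        require(p.multiply(q).equals(n), "MODULUS != PRIME_P * PRIME_Q");
        require(dP.equals(d.mod(p.subtract(one))), "PRIME_EXPONENT_P != d mod (p-1)");
        require(dQ.equals(d.mod(q.subtract(one))), "PRIME_EXPONENT_Q != d mod (q-1)");
        require(qInv.equals(q.modInverse(p)), "CRT_COEFFICIENT != q^-1 mod p");
        require(e.multiply(dP).mod(p.subtract(one)).equals(one), "PUBLIC_EXPONENT mismatch mod (p-1)");
        require(e.multiply(dQ).mod(q.subtract(one)).equals(one), "PUBLIC_EXPONENT mismatch mod (q-1)");

        // Assumption: big-endian two's-complement bytes, as produced by toByteArray().
        Map<String, byte[]> attrs = new LinkedHashMap<>();
        attrs.put("MODULUS", n.toByteArray());
        attrs.put("PUBLIC_EXPONENT", e.toByteArray());
        attrs.put("PRIVATE_EXPONENT", d.toByteArray());
        attrs.put("PRIME_P", p.toByteArray());
        attrs.put("PRIME_Q", q.toByteArray());
        attrs.put("PRIME_EXPONENT_P", dP.toByteArray());
        attrs.put("PRIME_EXPONENT_Q", dQ.toByteArray());
        attrs.put("CRT_COEFFICIENT", qInv.toByteArray());
        return attrs;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // JDK default provider, test key only
        kpg.initialize(2048);
        RSAPrivateCrtKey key = (RSAPrivateCrtKey) kpg.generateKeyPair().getPrivate();
        // Print attribute names and lengths only, never the key material itself.
        toAttributes(key).forEach((name, bytes) -> System.out.println(name + ": " + bytes.length + " bytes"));
    }
}
```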