

# Extract an AWS CloudHSM key using KMU

Use the **extractMaskedObject** command in the AWS CloudHSM key\_mgmt\_util to extract a key from a hardware security module (HSM) and save it to a file as a masked object. Masked objects are *cloned* objects that can only be used after inserting them back into the original cluster by using the **[insertMaskedObject](key_mgmt_util-insertMaskedObject.md)** command. You can only insert a masked object into the same cluster from which it was generated, or a clone of that cluster. This includes any cloned versions of the cluster generated by [copying a backup across regions](copy-backup-to-region.md) and [using that backup to create a new cluster](create-cluster-from-backup.md).

Masked objects are an efficient way to offload and synchronize keys, including nonextractable keys (that is, keys that have an [`OBJ_ATTR_EXTRACTABLE`](key-attribute-table.md) value of `0`). This way, keys can be securely synced across related clusters in different regions without the need to update the AWS CloudHSM [configure file](configure-tool.md).

**Important**  
Upon insertion, masked objects are decrypted and given a key handle that is different from the key handle of the original key. A masked object includes all metadata associated with the original key, including attributes, ownership and sharing information, and quorum settings. If you need to sync keys across clusters in an application, use [syncKey](cloudhsm_mgmt_util-syncKey.md) in the cloudhsm\_mgmt\_util instead.

Before you run any key\_mgmt\_util command, you must [start key\_mgmt\_util](key_mgmt_util-setup.md#key_mgmt_util-start) and [log in](key_mgmt_util-log-in.md) to the HSM. The **extractMaskedObject** command can be used by either the CU who owns the key or any CO.

## Syntax


```
extractMaskedObject -h

extractMaskedObject -o <object-handle>
                    -out <object-file>
```

## Examples


This example shows how to use **extractMaskedObject** to extract a key from an HSM as a masked object.

**Example: Extract a masked object**  
This command extracts a masked object out of an HSM from a key with handle `524295` and saves it as a file called `maskedObj`. When the command succeeds, **extractMaskedObject** returns a success message.  

```
Command: extractMaskedObject -o 524295 -out maskedObj

Object was masked and written to file "maskedObj"

        Cfm3ExtractMaskedObject returned: 0x00 : HSM Return: SUCCESS
```
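When extractions are scripted or reviewed after the fact, the command echo and the `Cfm3ExtractMaskedObject returned` line are what show which key handle was written to which file and whether the HSM reported success. The following is an added example, not AWS code: it parses a captured key\_mgmt\_util transcript in the format shown above. The second transcript entry (handle `524296`, return code `0x01`, status `PLACEHOLDER_ERROR`) is constructed for illustration, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Command echo and result line, in the format of the example output above.
CMD_RE = re.compile(r"^\s*Command:\s+extractMaskedObject\b\s*(.*)$")
RET_RE = re.compile(
    r"Cfm3ExtractMaskedObject returned:\s*(0x[0-9a-fA-F]+)\s*:\s*HSM Return:\s*(.+?)\s*$")

@dataclass
class Extraction:
    handle: Optional[str]        # value of -o (key handle)
    out_file: Optional[str]      # value of -out (masked object file)
    code: Optional[int] = None   # None if no result line was captured
    status: Optional[str] = None

    @property
    def ok(self) -> bool:
        return self.code == 0 and self.status == "SUCCESS"

def parse_transcript(text: str) -> List[Extraction]:
    """Return one record per extractMaskedObject invocation in the transcript."""
    results: List[Extraction] = []
    current: Optional[Extraction] = None
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            tokens = m.group(1).split()
            opts = {f: v for f, v in zip(tokens, tokens[1:]) if f in ("-o", "-out")}
            current = Extraction(opts.get("-o"), opts.get("-out"))
            results.append(current)
            continue
        m = RET_RE.search(line)
        if m and current is not None and current.code is None:
            current.code, current.status = int(m.group(1), 16), m.group(2)
    return results

# Constructed transcript: first entry is the page's example; the second is a
# made-up failure with a placeholder return code and status text.
SAMPLE = '''Command: extractMaskedObject -o 524295 -out maskedObj

Object was masked and written to file "maskedObj"

        Cfm3ExtractMaskedObject returned: 0x00 : HSM Return: SUCCESS

Command: extractMaskedObject -o 524296 -out maskedObj2

        Cfm3ExtractMaskedObject returned: 0x01 : HSM Return: PLACEHOLDER_ERROR
'''

if __name__ == "__main__":
    for e in parse_transcript(SAMPLE):
        print(e.handle, e.out_file, "OK" if e.ok else f"FAILED ({e.status})")
```

An invocation with no captured result line is reported as not successful, so a truncated transcript is not mistaken for a completed extraction.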

## Parameters


This command takes the following parameters.

**`-h`**  
Displays command line help for the command.  
Required: Yes

**`-o`**  
Specifies the handle of the key to extract as a masked object.  
Required: Yes

**`-out`**  
Specifies the name of the file to which the masked object will be saved.  
Required: Yes

## Related topics

+ [insertMaskedObject](key_mgmt_util-insertMaskedObject.md)
+ [syncKey](cloudhsm_mgmt_util-syncKey.md)
+ [Copying a Backup Across Regions](copy-backup-to-region.md)
+ [Creating an AWS CloudHSM Cluster from a Previous Backup](create-cluster-from-backup.md)