How to use trusted keys to wrap data keys in AWS CloudHSM
To use a trusted key to wrap a data key in AWS CloudHSM, you must complete three basic steps:
- For the data key you plan to wrap with a trusted key, set its - CKA_WRAP_WITH_TRUSTEDattribute to true.
- For the trusted key you plan to wrap the data key with, set its - CKA_TRUSTEDattribute to true.
- Use the trusted key to wrap the data key. 
Step 1: Set the data key's CKA_WRAP_WITH_TRUSTED to true
      For the data key you want to wrap, choose one of the following options to set the key’s CKA_WRAP_WITH_TRUSTED 
        attribute to true. Doing this restricts the data key so applications can only use trusted keys to wrap it.
Option 1: If generating a new key, set CKA_WRAP_WITH_TRUSTED to true
        Generate a key using PKCS #11, JCE, or CloudHSM CLI. See the following examples for more details.
Option 2: If using an existing key, use CloudHSM CLI to set its CKA_WRAP_WITH_TRUSTED to true
        To set an existing key's CKA_WRAP_WITH_TRUSTED attribute to true, follow these steps:
- Use the Log in to an HSM using CloudHSM CLI command to log in as a crypto user (CU). 
- Use the Set the attributes of keys with CloudHSM CLI command to set the key's - wrap-with-trustedattribute to true.- aws-cloudhsm >- key set-attribute --filter attr.label=test_key --name wrap-with-trusted --value true- { "error_code": 0, "data": { "message": "Attribute set successfully" } }
Step 2: Set the trusted key's CKA_TRUSTED to true
      To make a key a trusted key, its CKA_TRUSTED attribute must be set to true. You can either use CloudHSM CLI or the CloudHSM Management Utility (CMU) to do this.
- If using CloudHSM CLI to set a key's - CKA_TRUSTEDattribute, see Mark a key as trusted using CloudHSM CLI.
- If using the CMU to set a key's - CKA_TRUSTEDattribute, see How to mark a key as trusted with the AWS CloudHSM Management Utility.
Step 3. Use the trusted key to wrap the data key
To wrap the data key referenced in Step 1 with the trusted key you set in Step 2, refer to the following links for code samples. Each demonstrates how to wrap keys.