Danger

This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.

Key wrapping

Key wrapping is a cryptographic construct that uses symmetric encryption to encapsulate key material. Key wrapping algorithms are occasionally utilized to protect keys at rest or transmit them over insecure networks. Many of the protections offered by key wrapping are also offered by using authenticated symmetric encryption.

cryptography.hazmat.primitives.keywrap.aes_key_wrap(wrapping_key, key_to_wrap, backend=None)

New in version 1.1.

This function performs AES key wrap (without padding) as specified in RFC 3394.

Parameters

  • wrapping_key (bytes) – The wrapping key.

  • key_to_wrap (bytes) – The key to wrap.

  • backend – An optional CipherBackend instance that supports AES.

Return bytes

The wrapped key as bytes.

cryptography.hazmat.primitives.keywrap.aes_key_unwrap(wrapping_key, wrapped_key, backend=None)

New in version 1.1.

This function performs AES key unwrap (without padding) as specified in RFC 3394.

Parameters

  • wrapping_key (bytes) – The wrapping key.

  • wrapped_key (bytes) – The wrapped key.

  • backend – An optional CipherBackend instance that supports AES.

Return bytes

The unwrapped key as bytes.

Raises

cryptography.hazmat.primitives.keywrap.InvalidUnwrap – This is raised if the key is not successfully unwrapped.

cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding(wrapping_key, key_to_wrap, backend=None)

New in version 2.2.

This function performs AES key wrap with padding as specified in RFC 5649.

Parameters

  • wrapping_key (bytes) – The wrapping key.

  • key_to_wrap (bytes) – The key to wrap.

  • backend – An optional CipherBackend instance that supports AES.

Return bytes

The wrapped key as bytes.

cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding(wrapping_key, wrapped_key, backend=None)

New in version 2.2.

This function performs AES key unwrap with padding as specified in RFC 5649.

Parameters

  • wrapping_key (bytes) – The wrapping key.

  • wrapped_key (bytes) – The wrapped key.

  • backend – An optional CipherBackend instance that supports AES.

Return bytes

The unwrapped key as bytes.

Raises

cryptography.hazmat.primitives.keywrap.InvalidUnwrap – This is raised if the key is not successfully unwrapped.

Exceptions

class cryptography.hazmat.primitives.keywrap.InvalidUnwrap

This is raised when a wrapped key fails to unwrap. It can be caused by a corrupted or invalid wrapped key or an invalid wrapping key.