Danger

This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.

Key wrapping

Key wrapping is a cryptographic construct that uses symmetric encryption to encapsulate key material. Key wrapping algorithms are occasionally utilized to protect keys at rest or transmit them over insecure networks. Many of the protections offered by key wrapping are also offered by using authenticated symmetric encryption.

cryptography.hazmat.primitives.keywrap.aes_key_wrap(wrapping_key, key_to_wrap)

Added in version 1.1.

This function performs AES key wrap (without padding) as specified in RFC 3394.

Parameters:
  • wrapping_key (bytes) – The wrapping key.

  • key_to_wrap (bytes) – The key to wrap.

Return bytes:

The wrapped key as bytes.

cryptography.hazmat.primitives.keywrap.aes_key_unwrap(wrapping_key, wrapped_key)

Added in version 1.1.

This function performs AES key unwrap (without padding) as specified in RFC 3394.

Parameters:
  • wrapping_key (bytes) – The wrapping key.

  • wrapped_key (bytes) – The wrapped key.

Return bytes:

The unwrapped key as bytes.

Raises:

cryptography.hazmat.primitives.keywrap.InvalidUnwrap – This is raised if the key is not successfully unwrapped.

cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding(wrapping_key, key_to_wrap)

Added in version 2.2.

This function performs AES key wrap with padding as specified in RFC 5649.

Parameters:
  • wrapping_key (bytes) – The wrapping key.

  • key_to_wrap (bytes) – The key to wrap.

Return bytes:

The wrapped key as bytes.

cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding(wrapping_key, wrapped_key)

Added in version 2.2.

This function performs AES key unwrap with padding as specified in RFC 5649.

Parameters:
  • wrapping_key (bytes) – The wrapping key.

  • wrapped_key (bytes) – The wrapped key.

Return bytes:

The unwrapped key as bytes.

Raises:

cryptography.hazmat.primitives.keywrap.InvalidUnwrap – This is raised if the key is not successfully unwrapped.

Exceptions

class cryptography.hazmat.primitives.keywrap.InvalidUnwrap

This is raised when a wrapped key fails to unwrap. It can be caused by a corrupted or invalid wrapped key or an invalid wrapping key.
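
The following is an added example, not part of the original documentation. It wraps and unwraps a key with both variants and shows the failure cases a caller has to handle. The helper names unwrap_or_none and demo are hypothetical, and every key is constructed with os.urandom.

```python
import os
from cryptography.hazmat.primitives import keywrap


def unwrap_or_none(wrapping_key, wrapped_key, padded=False):
    """Return the unwrapped key, or None when the unwrap check fails."""
    unwrap = (keywrap.aes_key_unwrap_with_padding if padded
              else keywrap.aes_key_unwrap)
    try:
        return unwrap(wrapping_key, wrapped_key)
    except keywrap.InvalidUnwrap:
        # Corrupted or invalid wrapped key, or the wrong wrapping key.
        return None


def demo():
    wrapping_key = os.urandom(32)   # constructed AES-256 wrapping key
    data_key = os.urandom(32)       # constructed key to protect
    wrapped = keywrap.aes_key_wrap(wrapping_key, data_key)
    out = {
        "wrapped_len": len(wrapped),  # RFC 3394 output is input + 8 bytes
        "round_trip": unwrap_or_none(wrapping_key, wrapped) == data_key,
    }

    # One flipped bit in the wrapped key must fail the unwrap.
    tampered = bytes([wrapped[0] ^ 0x01]) + wrapped[1:]
    out["tampered"] = unwrap_or_none(wrapping_key, tampered)
    out["wrong_key"] = unwrap_or_none(os.urandom(32), wrapped)

    # The unpadded form only accepts multiples of 8 bytes (minimum 16);
    # a 20-byte key needs the RFC 5649 variant.
    odd_key = os.urandom(20)
    try:
        keywrap.aes_key_wrap(wrapping_key, odd_key)
        out["unpadded_accepts_20_bytes"] = True
    except ValueError:
        out["unpadded_accepts_20_bytes"] = False
    padded = keywrap.aes_key_wrap_with_padding(wrapping_key, odd_key)
    out["padded_len"] = len(padded)   # 20 bytes padded to 24, plus 8
    out["padded_round_trip"] = (
        unwrap_or_none(wrapping_key, padded, padded=True) == odd_key)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Treat a None result (InvalidUnwrap) as a hard failure: no key material is returned in that case, and the same exception covers both a damaged wrapped key and a wrong wrapping key.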