From: "John Magne" <jmagne(a)redhat.com&gt; To: "pki-devel" <pki-devel(a)redhat.com&gt; Sent: Tuesday, September 22, 2015 11:12:49 AM Subject: [pki-devel][PATCH] 0052-KRA-key-archival-recovery-via-cli-should-honor-encry.patch [PATCH] KRA: key archival/recovery via cli - should honor encryption/decryption flags. Ticket # 1597 Currently, KRA allows sites to opt for doing encryption/decryption instead of wrapping/unwrapping for key archival and recovery. The new cli code was later added without such support. We should honor the same flags when cli is called to do key archival and recovery. This feature was due to a specific customer request. Here is what is now supported: 1. When the pki cli tool is used to recover a asymmetric private key, support is there to do so with encrypt / decrypt. 2. The passphrase and generic data facility already uses encrypt / decrypt so nothing here was needed. Calling it out since this will possibly be a customer issue. 3. While under the hood, it made sense to add this functionality to the Symmetric key archival and recovery operations. 4. All tests in DRMTest.java worked successfully when the kra was configured to support this feature and configured to not observe this feature. What is missing: We have since added a method to do a server side key generation of a asymmetric key pair in the kra and also archive it there at the same time. In order to do encrypt / decrypt in this case we need to extract the key contents out of a key object that is used to generate this key. It proved problematic to extract said key. This should be ok since the customer only needs to recover an asymmetric key in their test cases. We could look into doing this later if a pressing need arises.