SubtleCrypto: exportKey() method
Baseline Widely available *
This feature is well established and works across many devices and browser versions. It’s been available across browsers since January 2020.
* Some parts of this feature may have varying levels of support.
Secure context: This feature is available only insecure contexts (HTTPS), in some or allsupporting browsers.
Note: This feature is available inWeb Workers.
TheexportKey() method of theSubtleCryptointerface exports a key: that is, it takes as input aCryptoKey objectand gives you the key in an external, portable format.
To export a key, the key must haveCryptoKey.extractable set totrue.
Keys can be exported in several formats: seeSupported formats in theSubtleCrypto.importKey()page for details.
Keys are not exported in an encrypted format: to encrypt keys when exporting them usetheSubtleCrypto.wrapKey()API instead.
Syntax
exportKey(format, key)Parameters
formatA string value describing the data format in which the key should be exported. It can be one of the following:
raw:Raw format.pkcs8:PKCS #8 format.spki:SubjectPublicKeyInfo format.jwk:JSON Web Key format.
keyThe
CryptoKeyto export.
Return value
APromise.
- If
formatwasjwk, then the promise fulfillswith a JSON object containing the key. - Otherwise the promise fulfills with an
ArrayBuffercontaining the key.
Exceptions
The promise is rejected when one of the following exceptions is encountered:
InvalidAccessErrorDOMExceptionRaised when trying to export a non-extractable key.
NotSupportedDOMExceptionRaised when trying to export in an unknown format.
TypeErrorRaised when trying to use an invalid format.
Examples
Note:You cantry the working examples out on GitHub.
Raw export
This example exports an AES key as anArrayBuffer containing the bytes forthe key.See the complete code on GitHub.
/*Export the given key and write it into the "exported-key" space.*/async function exportCryptoKey(key) { const exported = await window.crypto.subtle.exportKey("raw", key); const exportedKeyBuffer = new Uint8Array(exported); const exportKeyOutput = document.querySelector(".exported-key"); exportKeyOutput.textContent = `[${exportedKeyBuffer}]`;}/*Generate an encrypt/decrypt secret key,then set up an event listener on the "Export" button.*/window.crypto.subtle .generateKey( { name: "AES-GCM", length: 256, }, true, ["encrypt", "decrypt"], ) .then((key) => { const exportButton = document.querySelector(".raw"); exportButton.addEventListener("click", () => { exportCryptoKey(key); }); });PKCS #8 export
This example exports an RSA private signing key as a PKCS #8 object. The exported keyis then PEM-encoded.See the complete code on GitHub.
/*Convert an ArrayBuffer into a stringfrom https://developer.chrome.com/blog/how-to-convert-arraybuffer-to-and-from-string/*/function ab2str(buf) { return String.fromCharCode.apply(null, new Uint8Array(buf));}/*Export the given key and write it into the "exported-key" space.*/async function exportCryptoKey(key) { const exported = await window.crypto.subtle.exportKey("pkcs8", key); const exportedAsString = ab2str(exported); const exportedAsBase64 = window.btoa(exportedAsString); const pemExported = `-----BEGIN PRIVATE KEY-----\n${exportedAsBase64}\n-----END PRIVATE KEY-----`; const exportKeyOutput = document.querySelector(".exported-key"); exportKeyOutput.textContent = pemExported;}/*Generate a sign/verify key pair,then set up an event listener on the "Export" button.*/window.crypto.subtle .generateKey( { name: "RSA-PSS", // Consider using a 4096-bit key for systems that require long-term security modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256", }, true, ["sign", "verify"], ) .then((keyPair) => { const exportButton = document.querySelector(".pkcs8"); exportButton.addEventListener("click", () => { exportCryptoKey(keyPair.privateKey); }); });SubjectPublicKeyInfo export
This example exports an RSA public encryption key as a PEM-encoded SubjectPublicKeyInfoobject.See the complete code on GitHub.
/*Convert an ArrayBuffer into a stringfrom https://developer.chrome.com/blog/how-to-convert-arraybuffer-to-and-from-string/*/function ab2str(buf) { return String.fromCharCode.apply(null, new Uint8Array(buf));}/*Export the given key and write it into the "exported-key" space.*/async function exportCryptoKey(key) { const exported = await window.crypto.subtle.exportKey("spki", key); const exportedAsString = ab2str(exported); const exportedAsBase64 = window.btoa(exportedAsString); const pemExported = `-----BEGIN PUBLIC KEY-----\n${exportedAsBase64}\n-----END PUBLIC KEY-----`; const exportKeyOutput = document.querySelector(".exported-key"); exportKeyOutput.textContent = pemExported;}/*Generate an encrypt/decrypt key pair,then set up an event listener on the "Export" button.*/window.crypto.subtle .generateKey( { name: "RSA-OAEP", // Consider using a 4096-bit key for systems that require long-term security modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256", }, true, ["encrypt", "decrypt"], ) .then((keyPair) => { const exportButton = document.querySelector(".spki"); exportButton.addEventListener("click", () => { exportCryptoKey(keyPair.publicKey); }); });JSON Web Key export
This example exports an ECDSA private signing key as a JSON Web Key object.See the complete code on GitHub.
/*Export the given key and write it into the "exported-key" space.*/async function exportCryptoKey(key) { const exported = await window.crypto.subtle.exportKey("jwk", key); const exportKeyOutput = document.querySelector(".exported-key"); exportKeyOutput.textContent = JSON.stringify(exported, null, " ");}/*Generate a sign/verify key pair,then set up an event listener on the "Export" button.*/window.crypto.subtle .generateKey( { name: "ECDSA", namedCurve: "P-384", }, true, ["sign", "verify"], ) .then((keyPair) => { const exportButton = document.querySelector(".jwk"); exportButton.addEventListener("click", () => { exportCryptoKey(keyPair.privateKey); }); });Specifications
| Specification |
|---|
| Web Cryptography Level 2 # SubtleCrypto-method-exportKey |
Browser compatibility
Loading…