Secure contextThis feature is available only in secure contexts (HTTPS), in some or all supporting browsers.
The exportKey()
method of the SubtleCrypto
interface exports a key: that is, it takes as input a CryptoKey
object and gives you the key in an external, portable format.
To export a key, the key must have CryptoKey.extractable
set to true
.
Keys can be exported in several formats: see Supported formats in the SubtleCrypto.importKey()
page for details.
Keys are not exported in an encrypted format: to encrypt keys when exporting them use the SubtleCrypto.wrapKey()
API instead.
Syntax
const result = crypto.subtle.exportKey(format, key);
Parameters
format
is a string value describing the data format in which the key should be exported. It can be one of the following:raw
: Raw format.pkcs8
: PKCS #8 format.spki
: SubjectPublicKeyInfo format.jwk
: JSON Web Key format.
key
is theCryptoKey
to export.
Return value
result
is aPromise
.- If
format
wasjwk
, then the promise fulfills with a JSON object containing the key. - Otherwise the promise fulfills with an
ArrayBuffer
containing the key.
- If
Exceptions
The promise is rejected when one of the following exceptions is encountered:
InvalidAccessError
- Raised when trying to export a non-extractable key.
NotSupported
- Raised when trying to export in an unknown format.
TypeError
- Raised when trying to use an invalid format.
Examples
Note: You can [[../../../../../../../mdn.github.io/dom-examples/web-crypto/export-key/index|try the working examples]] out on GitHub.
Raw export
This example exports an AES key as an ArrayBuffer
containing the bytes for the key. See the complete code on GitHub.
/*
Export the given key and write it into the "exported-key" space.
*/
async function exportCryptoKey(key) {
const exported = await window.crypto.subtle.exportKey(
"raw",
key
);
const exportedKeyBuffer = new Uint8Array(exported);
const exportKeyOutput = document.querySelector(".exported-key");
exportKeyOutput.textContent = `[${exportedKeyBuffer}]`;
}
/*
Generate an encrypt/decrypt secret key,
then set up an event listener on the "Export" button.
*/
window.crypto.subtle.generateKey(
{
name: "AES-GCM",
length: 256,
},
true,
["encrypt", "decrypt"]
).then((key) => {
const exportButton = document.querySelector(".raw");
exportButton.addEventListener("click", () => {
exportCryptoKey(key);
});
});
PKCS #8 export
This example exports an RSA private signing key as a PKCS #8 object. The exported key is then PEM-encoded. See the complete code on GitHub.
/*
Convert an ArrayBuffer into a string
from https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String
*/
function ab2str(buf) {
return String.fromCharCode.apply(null, new Uint8Array(buf));
}
/*
Export the given key and write it into the "exported-key" space.
*/
async function exportCryptoKey(key) {
const exported = await window.crypto.subtle.exportKey(
"pkcs8",
key
);
const exportedAsString = ab2str(exported);
const exportedAsBase64 = window.btoa(exportedAsString);
const pemExported = `-----BEGIN PRIVATE KEY-----\n${exportedAsBase64}\n-----END PRIVATE KEY-----`;
const exportKeyOutput = document.querySelector(".exported-key");
exportKeyOutput.textContent = pemExported;
}
/*
Generate a sign/verify key pair,
then set up an event listener on the "Export" button.
*/
window.crypto.subtle.generateKey(
{
name: "RSA-PSS",
// Consider using a 4096-bit key for systems that require long-term security
modulusLength: 2048,
publicExponent: new Uint8Array([1, 0, 1]),
hash: "SHA-256",
},
true,
["sign", "verify"]
).then((keyPair) => {
const exportButton = document.querySelector(".pkcs8");
exportButton.addEventListener("click", () => {
exportCryptoKey(keyPair.privateKey);
});
});
SubjectPublicKeyInfo export
This example exports an RSA public encryption key as a PEM-encoded SubjectPublicKeyInfo object. See the complete code on GitHub.
/*
Convert an ArrayBuffer into a string
from https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String
*/
function ab2str(buf) {
return String.fromCharCode.apply(null, new Uint8Array(buf));
}
/*
Export the given key and write it into the "exported-key" space.
*/
async function exportCryptoKey(key) {
const exported = await window.crypto.subtle.exportKey(
"spki",
key
);
const exportedAsString = ab2str(exported);
const exportedAsBase64 = window.btoa(exportedAsString);
const pemExported = `-----BEGIN PUBLIC KEY-----\n${exportedAsBase64}\n-----END PUBLIC KEY-----`;
const exportKeyOutput = document.querySelector(".exported-key");
exportKeyOutput.textContent = pemExported;
}
/*
Generate an encrypt/decrypt key pair,
then set up an event listener on the "Export" button.
*/
window.crypto.subtle.generateKey(
{
name: "RSA-OAEP",
// Consider using a 4096-bit key for systems that require long-term security
modulusLength: 2048,
publicExponent: new Uint8Array([1, 0, 1]),
hash: "SHA-256",
},
true,
["encrypt", "decrypt"]
).then((keyPair) => {
const exportButton = document.querySelector(".spki");
exportButton.addEventListener("click", () => {
exportCryptoKey(keyPair.publicKey);
});
});
JSON Web Key import
This code exports an ECDSA private signing key as a JSON Web Key object. See the complete code on GitHub.
/*
Export the given key and write it into the "exported-key" space.
*/
async function exportCryptoKey(key) {
const exported = await window.crypto.subtle.exportKey(
"jwk",
key
);
const exportKeyOutput = document.querySelector(".exported-key");
exportKeyOutput.textContent = JSON.stringify(exported, null, " ");
}
/*
Generate a sign/verify key pair,
then set up an event listener on the "Export" button.
*/
window.crypto.subtle.generateKey(
{
name: "ECDSA",
namedCurve: "P-384"
},
true,
["sign", "verify"]
).then((keyPair) => {
const exportButton = document.querySelector(".jwk");
exportButton.addEventListener("click", () => {
exportCryptoKey(keyPair.privateKey);
});
});
Specifications
Specification | Status | Comment |
Web Cryptography APIThe definition of 'SubtleCrypto.exportKey()' in that specification. | Recommendation | Initial definition. |
Browser compatibility
The compatibility table on this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
Update compatibility data on GitHub
Desktop | Mobile | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
exportKey
|
Chrome
Full support 37 |
Edge Partial support 12 Partial support 12 Notes' Not supported: RSA-PSS, ECDSA, ECDH. Notes' Not supported: AES-CTR. |
Firefox Full support 34 Full support 34 No support 32 — 34 Disabled' From version 32 until version 34 (exclusive): this feature is behind the |
IE Partial support 11 Partial support 11 Notes' Returns |
Opera
Full support 24 |
Safari
Full support 7 |
WebView Android
Full support 37 |
Chrome Android
Full support 37 |
Firefox Android Full support 34 Full support 34 No support 32 — 34 Disabled' From version 32 until version 34 (exclusive): this feature is behind the |
Opera Android
Full support 24 |
Safari iOS
Full support 7 |
Samsung Internet Android
Full support 6.0 |
Legend
- Full support
- Full support
- Partial support
- Partial support
- See implementation notes.'
- See implementation notes.
- User must explicitly enable this feature.'
- User must explicitly enable this feature.
See also
SubtleCrypto.importKey()
SubtleCrypto.wrapKey()
- PKCS #8 format.
- SubjectPublicKeyInfo format.
- JSON Web Key format.
SubtleCrypto.exportKey() by Mozilla Contributors is licensed under CC-BY-SA 2.5.