

# Find all keys for an Amazon CloudHSM key store
<a name="find-all-kmsuser-keys"></a>

You can identify the keys in your Amazon CloudHSM cluster that serve as key material for your Amazon CloudHSM key store. To do that, use the [key list](https://docs.amazonaws.cn/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI.

You can also use the **key list** command to find the Amazon KMS key for an Amazon CloudHSM key. When Amazon KMS creates the key material for a KMS key in your Amazon CloudHSM cluster, it writes the Amazon Resource Name (ARN) of the KMS key in the key label. The **key list** command returns the `key-reference` and the `label`.

**Notes**  
The following procedures use the Amazon CloudHSM Client SDK 5 command line tool, [CloudHSM CLI](https://docs.amazonaws.cn/cloudhsm/latest/userguide/cloudhsm_cli.html). The CloudHSM CLI replaces `key-handle` with `key-reference`.  
On January 1, 2025, Amazon CloudHSM will end support for the Client SDK 3 command line tools, the CloudHSM Management Utility (CMU) and the Key Management Utility (KMU). For more information on the differences between the Client SDK 3 command line tools and the Client SDK 5 command line tool, see [Migrate from Client SDK 3 CMU and KMU to Client SDK 5 CloudHSM CLI](https://docs.amazonaws.cn/cloudhsm/latest/userguide/cloudhsm_cli-migrate-from-kmu-cmu.html) in the *Amazon CloudHSM User Guide*.

To run this procedure you need to disconnect the Amazon CloudHSM key store temporarily so you can log in as the `kmsuser` CU.

1. Disconnect the Amazon CloudHSM key store, if it is not already disconnected, then log in as `kmsuser`, as explained in [How to disconnect and log in](fix-keystore.md#login-kmsuser-1).

   **Note**  
   While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use existing KMS keys in cryptographic operations will fail. This action can prevent users from storing and accessing sensitive data.

1. Use the [key list](https://docs.amazonaws.cn/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI to find all keys for the current user present in your Amazon CloudHSM cluster.

   By default, only 10 keys of the currently logged in user are displayed, and only the `key-reference` and `label` are displayed as output. For more options, see [key list](https://docs.amazonaws.cn/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html#chsm-cli-key-list-syntax) in the *Amazon CloudHSM User Guide*.

   ```
   aws-cloudhsm > key list
   {
     "error_code": 0,
     "data": {
       "matched_keys": [
         {
           "key-reference": "0x0000000000000123",
           "attributes": {
             "label": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
           }
         },
         {
           "key-reference": "0x0000000000000456",
           "attributes": {
             "label": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
           }
         },
         ...8 keys later...
       ],
       "total_key_count": 56,
       "returned_key_count": 10,
       "next_token": "10"
     }
   }
   ```

1. Log out and reconnect the Amazon CloudHSM key store as described in [How to log out and reconnect](fix-keystore.md#login-kmsuser-2).
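
The following Python example is added here and is not part of the AWS documentation. It parses saved **key list** output, maps each KMS key ARN found in a label to its `key-reference`, and reports when the listing is partial, as with the default page of 10 keys. The function name, the result field names, and the third key in the sample are assumptions made for this example.

```python
import json
import re

# KMS key ARN as written into the HSM key label (partition may be aws, aws-cn, ...).
KMS_KEY_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)

def summarize_key_list(output_text):
    """Parse the JSON printed by `key list`; map KMS key ARNs to key references."""
    doc = json.loads(output_text)
    if doc.get("error_code") != 0:
        raise ValueError(f"key list failed: error_code={doc.get('error_code')}")
    data = doc["data"]
    by_arn, other = {}, []
    for key in data["matched_keys"]:
        ref = key["key-reference"]
        label = key.get("attributes", {}).get("label", "")
        if KMS_KEY_ARN.match(label):
            # Keep every reference so a repeated label is not silently overwritten.
            by_arn.setdefault(label, []).append(ref)
        else:
            other.append(ref)  # label is not a KMS key ARN
    return {
        "by_arn": by_arn,
        "non_kms_labels": other,
        # The page is partial when fewer keys came back than exist for this user.
        "truncated": data["returned_key_count"] < data["total_key_count"],
        "next_token": data.get("next_token"),
    }

# Constructed sample: the output shape shown above, shortened to three keys.
# The third key (0x...789, label "test-aes-key") is invented for illustration.
SAMPLE = """
{"error_code": 0, "data": {"matched_keys": [
  {"key-reference": "0x0000000000000123", "attributes": {"label":
   "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}},
  {"key-reference": "0x0000000000000456", "attributes": {"label":
   "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"}},
  {"key-reference": "0x0000000000000789", "attributes": {"label": "test-aes-key"}}],
 "total_key_count": 56, "returned_key_count": 3, "next_token": "3"}}
"""

if __name__ == "__main__":
    print(json.dumps(summarize_key_list(SAMPLE), indent=2))
```

When `truncated` is true, the listing does not cover every key owned by `kmsuser`, so a missing ARN in the result does not mean the key material is absent from the cluster.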