Approach to download keypair to Nitro HSM


My use case is the migration from an Aladdin eToken to an alternative, using an existing RSA key created with openssl. The application is using pykcs11 to generate XML signatures.

I am using the same arguments for nitrohsm and etoken, except --module:

pkcs11-tool --login --pin 648219 -w /ramdisk/testcert_key.der --type privkey --label sigkey --so-pin="$SOPIN"

While eToken works, I receive CKR_FUNCTION_NOT_SUPPORTED (0x54) with the NitroHSM. For the certificate I get CKR_GENERAL_ERROR.

Do I need to use another approach? Encrypting the key with the DKEK, and then using something like sc-hsm-tool --unwrap-key? Is there some documentation available?

I am using CentOS 7.6.1810 in a docker image and OpenSC 0.19.


Did you initialize the device first? Did you try general connectivity? Maybe it is best to test the setup first with a VM or a proper system and try with docker afterwards. As far as I know, the usage of system components can be tricky with docker unless you know exactly what you are doing.