Backup HSM2 without setting DKEK

I didn’t set DKEK before initialization. Are there any other ways to back up HSM2? I saw the below article in “Raymii.org”. The DKEK must be set during initialization and before any other keys are generated. For a device initialized without a DKEK, keys can never be exported.

A random DKEK is generated if you did not create your own. This means you can create backups but only import them to the same device, as long as it has not been reset (since a new DKEK would be generated).

You could protect against user error like deleting a key, but not against hardware error, and you cannot import it into another HSM.

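As an added illustration (not code from this thread, CardContact or OpenSC), here is a small Python model of the backup behaviour described in the answer above. It assumes the DKEK is the XOR of the imported shares and uses an HMAC-based stand-in for the real wrap format; it shows that a backup made under a device-generated random DKEK restores only on the same, un-reset device, while a DKEK built from shares at initialization lets the backup restore onto a second device.

```python
import hmac, hashlib, secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def dkek_from_shares(shares):
    # Assumed SmartCard-HSM semantics: the DKEK is the XOR of all imported shares.
    dkek = bytes(32)
    for s in shares:
        dkek = xor(dkek, s)
    return dkek

class Device:
    def __init__(self, shares=None):
        self.initialize(shares)

    def initialize(self, shares=None):
        # Without shares the device picks a random DKEK that can never be reproduced.
        self.dkek = dkek_from_shares(shares) if shares else secrets.token_bytes(32)
        self.keys = {}
    def generate_key(self, ref):
        self.keys[ref] = secrets.token_bytes(32)
        return self.keys[ref]
    def wrap_key(self, ref):
        # Stand-in for the real wrap format: HMAC keystream plus HMAC tag under the DKEK.
        nonce = secrets.token_bytes(16)
        ct = xor(self.keys[ref], hmac.new(self.dkek, nonce, hashlib.sha256).digest())
        return nonce + ct + hmac.new(self.dkek, nonce + ct, hashlib.sha256).digest()
    def unwrap_key(self, ref, blob):
        nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, hmac.new(self.dkek, nonce + ct, hashlib.sha256).digest()):
            return False  # different DKEK: the backup cannot be imported here
        self.keys[ref] = xor(ct, hmac.new(self.dkek, nonce, hashlib.sha256).digest())
        return True

def backup_scenarios():
    """Returns (same_device, other_device, after_reset, shared_dkek) restore results."""
    a = Device()                                   # initialized without a DKEK
    k = a.generate_key("key1")
    blob = a.wrap_key("key1")
    del a.keys["key1"]                             # user error: key deleted
    same = a.unwrap_key("key1", blob) and a.keys["key1"] == k
    other = Device().unwrap_key("key1", blob)      # a different HSM
    a.initialize()                                 # reset: fresh random DKEK
    after_reset = a.unwrap_key("key1", blob)
    shares = [secrets.token_bytes(32) for _ in range(2)]
    b, c = Device(shares), Device(shares)          # same shares at initialization
    k2 = b.generate_key("key2")
    shared = c.unwrap_key("key2", b.wrap_key("key2")) and c.keys["key2"] == k2
    return same, other, after_reset, shared
```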

There is also a backup feature called XKEK Key Domains.

A SmartCard-HSM that is part of an XKEK Key Domain can exchange key material in encrypted form. Rather than using a static DKEK, the XKEK is the result of an authenticated ECDH operation between two devices. Devices authenticate each other and ensure that they belong to the same key domain. A key domain is controlled by an EC key called the group signer. As the name implies, the group signer issues Key Domain Membership certificates that allow a device to join the key domain.

That scheme is fairly sophisticated and not really meant for the end user. It is rather something one would implement in systems that require tight control over key distribution (like encryption key escrow or shared keys in clusters).

A HowTo for XKEK Key Domains can be found in the CDN.