Difference of an export of group signer w/wo wrap algorithm

Hi,

What is the difference between creating a group signer key in a DKEK security domain with or without the wrap (92) algorithm for an ECC key?
Importing a wrap security group key (via export key and certificate within SCS) into a Rescue HSM shows only the algorithms ECDSA and WRAP, and the key identifier is different.

My goal is to create a backup/rescue HSM with the same configuration as the HSM key used to create the root CA.

See 6679

Thanks,
Tobias

AFAIK there are multiple ways to securely export a key. Classic WRAP uses the DKEK to simply encrypt the key. ECDSA is a more modern approach using ECDSA signatures that attest that an HSM is part of a group, and the exchange is then handled using ephemeral keys exchanged between the peers. Did not use the latter myself, yet.


Interesting. Thanks.