Do I need two Nitrokeys to have two custodians?

I’m reading this and if I wish to create two people who are in charge of the key via DKEK, must I need two Nitrokey USB keys?

The tutorial doesn’t mention anything about the hardware keys such as how many I need and when do I put in which key, if any. It covers only software commands.

When you create a DKEK, you can split the key in a way so that 2 people are needed to import the DKEK key into the HSM. So, for example, your HSM gets broken, you get another one, and then you have to import DKEK (2 or more people need to enter their secrets) and then you have to import the keys from the DKEK-encrypted backups (.wky files).

Once the DKEK is in place and the keys are imported onto the device, DKEK custodians have nothing to do and the keys can be used if the HSM is authenticated.

A completely different feature from DKEK is card authentication. It is possible to use public key authentication, with an m-of-n scheme. I think for this one you need more Nitrokey HSM/SmartCard HSM devices to keep user authentication keys. There are some biometric options as well (no clue here sorry).


Thank you so much. This is so clear. I googled and read many but none actually explained it so succinctly. Most articles only focused on the software commands and not mentioning the hardware aspect and what file format are we expecting. You should write a blog post regarding this.


Do I need to have two Nitrokeys since they are two people? I’m confused over this because this tutorial seems to suggest there’re two hardware keys.

Sorry, what does “no the device” mean?

Typo, sorry. I have edited the original command. What I meant here was

once the DKEK is in place and the keys are imported onto the device…

No, you don’t need a second device. Until minute 4 of the tutorial you can see that

  • Alice imports her DKEK share on device 1
  • Bob imports his DKEK share on device 1
  • User PIN on device 1 is used to generate the key
  • The key can now be used on device 1 just by using the “user PIN”. Alice and Bob have nothing to do here anymore.

Then we learn how to export such a key and copy everything to device 2. Alice and Bob need to agree again, but only to import the DKEK (after 5:15). At 5:50 when both shares are imported, Alice and Bob have nothing more to do with the device. Anyone who knows the PIN can import the wrapped key file key-wrap.bin.

So importing the DKEK means something like

we, the key custodians, agree that any key that has ever belonged to this DKEK’s security domain can be imported and used on THIS device. Anyone who can authenticate to this device may use the keys freely.
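The two-custodian workflow described in the replies above (create and import two DKEK shares on device 1, generate a key with the user PIN, wrap it, then rebuild the security domain on device 2 and unwrap), written out as an added shell example with OpenSC's sc-hsm-tool and pkcs11-tool. This is not the tutorial's own script; the PINs, share file names, label and key reference are constructed placeholders, and the script only prints the commands unless it is started with `--run` on a machine with a device attached.

```shell
#!/bin/sh
# Added example: two-custodian DKEK workflow for a SmartCard-HSM / Nitrokey HSM.
# All PINs, file names and key references are constructed placeholders.
set -eu

SO_PIN="3537363231383790"      # constructed; the SO-PIN is 16 hex digits
USER_PIN="648219"              # constructed; the user PIN is 6-16 digits
DKEK_SHARES=2                  # both custodians must import a share before keys can be used
SHARE_ALICE="dkek-share-alice.pbe"
SHARE_BOB="dkek-share-bob.pbe"
WRAPPED_KEY="key-wrap.bin"     # same file name as in the tutorial
KEY_REF=1                      # internal key reference, as listed by 'pkcs15-tool --dump' (constructed)

# run: print the command; execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "${DRY_RUN:-1}" = "0" ]; then "$@"; fi
}

# Phase 1, device 1: initialise and declare that 2 DKEK shares are required.
init_device() {
    run sc-hsm-tool --initialize --so-pin "$SO_PIN" --pin "$USER_PIN" --dkek-shares "$DKEK_SHARES"
}

# Phase 2: each custodian creates a password-encrypted share. sc-hsm-tool prompts for
# the password; the custodian keeps the .pbe file and its password apart.
create_shares() {
    run sc-hsm-tool --create-dkek-share "$SHARE_ALICE"
    run sc-hsm-tool --create-dkek-share "$SHARE_BOB"
}

# Phase 3: both custodians import their share on the SAME device. Until the
# second share is in, the DKEK is incomplete and wrap/unwrap are refused.
import_shares() {
    run sc-hsm-tool --import-dkek-share "$SHARE_ALICE"
    run sc-hsm-tool --import-dkek-share "$SHARE_BOB"
}

# Phase 4: normal operation needs only the user PIN; the custodians are not involved.
generate_key() {
    run pkcs11-tool --module opensc-pkcs11.so --login --pin "$USER_PIN" \
        --keypairgen --key-type EC:prime256v1 --label "backup-demo"
}

# Phase 5: export the key encrypted under the DKEK (the wrapped key file).
export_key() {
    run sc-hsm-tool --wrap-key "$WRAPPED_KEY" --key-reference "$KEY_REF" --pin "$USER_PIN"
}

# Phase 6, device 2: rebuild the security domain (both custodians again),
# after which anyone with the user PIN can import the wrapped key.
restore_on_second_device() {
    init_device
    import_shares
    run sc-hsm-tool --unwrap-key "$WRAPPED_KEY" --key-reference "$KEY_REF" --pin "$USER_PIN"
}

# count_custodian_steps: how many commands in a phase need a custodian present,
# i.e. create or import a DKEK share (phase printed in dry-run mode).
count_custodian_steps() {
    "$1" | grep -cE 'create-dkek-share|import-dkek-share' || true
}

if [ "${1:-}" = "--run" ]; then
    DRY_RUN=0
    init_device; create_shares; import_shares; generate_key; export_key
fi
```

The point the replies make is visible in the phase split: only `create_shares`, `import_shares` and the first half of `restore_on_second_device` involve Alice and Bob, while key generation, wrapping and unwrapping need nothing but the user PIN. Both custodians plug their share files into the same device; no second Nitrokey is needed for the two-person rule.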