How to import multiple keys in the HSM in multiple sessions?
I’m able to import multiple keys via Import from PKCS#12 in one go, but when trying to import at a later moment again I get either No empty key domain found or Unexpected SW1/SW2=6A88 (Checking error: Reference data not found).
What is the difference when using domain keys or not?
How to import from the command line instead of using scsh3gui.cmd?
I know it would be better to generate keys inside the HSM but we have several existing keys and for now I’m not 100% confident the keys on the Nitrokey HSM are recoverable under all situations. So for now I need to have an offline backup of all keys.
There are currently two procedures to import keys from PKCS#12:
A newer variant that takes an empty key domain slot and creates a random DKEK.
An older variant where you can create a DKEK yourself and provide shares for the import.
In the first variant you can import from more than one PKCS#11 container, but you need to do that in the same session. Answer yes at “Import more PKCS#12 files ?”. Once the session is complete, the DKEK is cleared. You can create up to 255 key domain slots during device initialization, so that should be sufficient for most applications.
If you want to have all imported keys in the same key domain, then you can create that domain by importing the DKEK shares. If you want to import another key, you need to provide the DKEK shares again, so that key material can be encrypted for import.
To import keys from the command line, you could take one of the scripts from the sc-hsm-workspace and create your own key management script. We generally advise writing the key management procedure as a script, so you get reproducible results when you are working with production keys.
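The DKEK-share (older) variant from the answer above, as an added example that is not part of this thread: it uses OpenSC's sc-hsm-tool rather than the sc-hsm-workspace scripts, re-imports the same share at the start of every session so later keys land in the same key domain, and wraps existing keys into DKEK-encrypted files as the offline backup the question asks for. The SO-PIN, user PIN, share file name and key references are constructed placeholders; the PKCS#12 import itself is still done with the workspace script, and `--initialize` wipes the device.

```shell
#!/bin/sh
# Added example (not from the thread): one DKEK-share key domain with
# OpenSC's sc-hsm-tool, re-established in every session, plus wrapped
# key backups. Assumes OpenSC is installed and the HSM is the only reader.
set -eu

SC_HSM_TOOL=${SC_HSM_TOOL:-sc-hsm-tool}    # point at a stub for dry runs
SO_PIN=${SO_PIN:-3537363231383830}          # constructed demo SO-PIN (hex)
USER_PIN=${USER_PIN:-648219}                # constructed demo user PIN
SHARE_FILE=${SHARE_FILE:-dkek-share-1.pbe}  # password-protected DKEK share

# One-time: initialise the token for exactly one DKEK share. Wipes all keys.
init_token() {
    "$SC_HSM_TOOL" --initialize --so-pin "$SO_PIN" --pin "$USER_PIN" --dkek-shares 1
}

# One-time: create the share offline (prompts for a password) and keep it
# together with the wrapped backups; without it they cannot be restored.
create_share() {
    "$SC_HSM_TOOL" --create-dkek-share "$SHARE_FILE"
}

# Every import/backup session: load the same share again, so the key
# domain is re-established before any key material is unwrapped or imported.
import_share() {
    "$SC_HSM_TOOL" --import-dkek-share "$SHARE_FILE"
}

# Backup: export key <ref> as a DKEK-encrypted blob.
wrap_key() {
    ref=$1; out=$2
    "$SC_HSM_TOOL" --wrap-key "$out" --key-reference "$ref" --pin "$USER_PIN"
}

# Restore: import a wrapped blob back under the same key reference.
unwrap_key() {
    ref=$1; in=$2
    "$SC_HSM_TOOL" --unwrap-key "$in" --key-reference "$ref" --pin "$USER_PIN"
}

# Usage: sh hsm-backup.sh backup   (key references 1 and 2 are constructed)
if [ "${1:-}" = "backup" ]; then
    import_share
    wrap_key 1 key-1.wrapped
    wrap_key 2 key-2.wrapped
fi
```

Run init_token and create_share once during device setup; every later session only needs import_share before importing or wrapping keys.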