Import AES 128 key - Smart Card Shell - How to get dkekshare

I found the reason for the last question:

The conclusion is that:

  • SmartCard-HSM tends to lock everything that seems to be “bad practice”.

But as said on another topic, there are situations where importing keys is legit:

  • We are interfacing an HSM in the signature mechanism of a manufacturer (for the secure boot of our boards)
  • The signature mechanism is made to work with key files by design. We did some modifications to make it work with an HSM, but we can’t change the signature algorithms.
  • And this is not going to change for this series of chips.

With their algorithm, we need to “encrypt and then sign” the AES Key, with another key:

  • If the AES Key (to encrypt) is in the HSM then it’s impossible.
    • We can’t use an internal key as plain text input of AES-CBC encryption, as seen here.
  • PKCS11 WRAP algorithm exists, but this is not the same algorithm as what the manufacturer uses.
  • So we need to do “these operations outside the HSM and then import the keys”.
    • Of course, using a specific procedure with N people, watching what 1 person is doing

For the backup, we are simply going to “import the key” in the backup Nitrokey using Smart Card HSM, like the first import.

Topic closed.