Importing private key fail on HSM2

I tried to import my private key to the HSM 2 as follow:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool --module …\pkcs11\opensc-pkcs11.dll -l --pin xxxxxxx --write-object C:\Docs\keys\CA_cert\myCA.key --type privkey --id 10 --label myCA_RSA2048

I got the following error:

error: PKCS11 function C_CreateObject failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.

Please advice

The SmartCard-HSM does not support key import in clear for security reasons.

You need to use the Smart Card Shell for encrypted import. There is a detailed blog that explains the process step-by-step.

Thank you very much. I will try out.

Does that process support DKEK shares with n-of-m scheme?

After selecting the DKEK, scsh only asks for a “simple” password. There seems to be no option for n-of-m scheme based DKEKs. Are there any options for that?

I do not know about SCSH3, but DKEK setup could be done by sc-hsm-tool, a tool from OpenSC suite.

Sure, setup of DKEK is no problem.

It’s about importing a private RSA key to HSM with n-of-m scheme based DKEK.

I personally need that for desaster recovery, in the special case if I need to regenerate a n-of-m DKEK. This is necessary if n parts of the DKEK shared secret are considered insecure. This is an open drawback of the n-of-m scheme. I try to solve this by extracting private keys from a DKEK domain, then importing it to another DKEK domain. So importing a private key to a n-of-m-DKEK-initialized HSM is important!