I tried to import my private key to the HSM 2 as follows:
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool --module …\pkcs11\opensc-pkcs11.dll -l --pin xxxxxxx --write-object C:\Docs\keys\CA_cert\myCA.key --type privkey --id 10 --label myCA_RSA2048
I got the following error:
error: PKCS11 function C_CreateObject failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
The SmartCard-HSM does not support key import in clear for security reasons.
You need to use the Smart Card Shell for encrypted import. There is a detailed blog that explains the process step-by-step.
Thank you very much. I will try it out.
Does that process support DKEK shares with n-of-m scheme?
After selecting the DKEK, scsh only asks for a “simple” password. There seems to be no option for n-of-m scheme based DKEKs. Are there any options for that?
I do not know about SCSH3, but DKEK setup could be done by sc-hsm-tool, a tool from the OpenSC suite.
Sure, setup of DKEK is no problem.
It’s about importing a private RSA key to the HSM with an n-of-m scheme based DKEK.
I personally need that for disaster recovery, in the special case where I need to regenerate an n-of-m DKEK. This is necessary if n parts of the DKEK shared secret are considered insecure. This is an open drawback of the n-of-m scheme. I try to solve this by extracting private keys from a DKEK domain, then importing them to another DKEK domain. So importing a private key to an n-of-m-DKEK-initialized HSM is important!
Hi @tobibuhl, have you found a way to import a private key with an n-of-m based DKEK? I am trying to do the same thing.