I already tried out the DKEK mechanism for generating a backup of a key on another HSM. Nevertheless, we are facing some problems with our key policy: What if a Key Custodian of an n-of-m DKEK share leaves? What if n key custodians leave? Isn’t the n-of-m scheme then “theoretically” broken? As far as I know, I can’t re-set up a DKEK. So I would have to decrypt every single private key () and reimport it on another HSM with a different DKEK and a new set of m key custodians.
I stumbled upon another key domain, called XKEK. But I didn’t find any help on this. How do I use XKEK? Could it be helpful for the above scenarios? I am thinking about a scenario where I can set up another HSM with a different DKEK, but exchange keys between them via XKEK. Would that be a possible solution?
Where to find information about XKEK? Is there a “How-to” about XKEK?