I don’t understand how DKEK share generation works. I have two HSMs. Let’s assume that I issued “sc-hsm-tool -X -s 2”. This means that two DKEK shares are required. But then I can create 3, 4 or, I assume, 100 shares using “sc-hsm-tool -C share.pbe” and use e.g. the 4th and 6th to init my token. This basically means that all shares are either identical internally or it doesn’t really matter which I pass as a share; it is just the number of shares that is important. Of course I assume that the same shares must be imported into the second HSM if I want to import secrets exported from the first HSM.
So how is it? Why isn’t the number of shares controlled by sc-hsm-tool? The documentation suggests that the token IS used during share generation, so why isn’t it used to control how many shares are created?
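Added example, not part of the post and not sc-hsm-tool’s own code: a small model of the situation described above (threshold 2, six generated share files, the 4th and 6th imported), under the assumption that the token assembles the DKEK by XOR-ing the shares it receives. It shows why each generated share can be random and independent, why the token only needs to count imports, and why both HSMs must receive the same share files to end up with the same DKEK. The fingerprint and the fixed share values are constructed for reproducibility.

```python
# Model of threshold-N DKEK assembly from N random shares. Assumption (not
# stated in the post): the token XORs the imported shares into the DKEK.
import hashlib
import secrets

SHARE_LEN = 32  # one share is a 32-byte value (256-bit AES key size)


def create_share() -> bytes:
    """Model of 'sc-hsm-tool -C share.pbe': every call makes a fresh random
    share; the tool has no reason to limit how many of these you create."""
    return secrets.token_bytes(SHARE_LEN)


def combine_shares(shares, threshold: int) -> bytes:
    """Model of the token's import step: exactly `threshold` distinct shares,
    XOR-ed together. The token does not know which files on disk exist; it
    only counts what is imported and combines it."""
    if len(shares) != threshold:
        raise ValueError(f"need exactly {threshold} shares, got {len(shares)}")
    if any(len(s) != SHARE_LEN for s in shares):
        raise ValueError("malformed share")
    if len(set(shares)) != len(shares):
        # In this model a repeated file is rejected: with plain XOR it would
        # cancel itself out and weaken the resulting key.
        raise ValueError("duplicate share")
    dkek = bytes(SHARE_LEN)
    for s in shares:
        dkek = bytes(a ^ b for a, b in zip(dkek, s))
    return dkek


def rejected(shares, threshold: int) -> bool:
    """True if the model refuses this set of shares."""
    try:
        combine_shares(shares, threshold)
    except ValueError:
        return True
    return False


def fingerprint(dkek: bytes) -> str:
    """Constructed fingerprint to compare DKEKs across two tokens (a SHA-256
    prefix, NOT the real key check value algorithm of the token)."""
    return hashlib.sha256(dkek).hexdigest()[:16]


# Constructed, fixed "share files" 1..6 so the run is reproducible.
SHARES = [hashlib.sha256(f"share-{i}".encode()).digest() for i in range(1, 7)]

HSM_A = combine_shares([SHARES[3], SHARES[5]], threshold=2)  # files 4 and 6
HSM_B = combine_shares([SHARES[5], SHARES[3]], threshold=2)  # same files, other order
HSM_C = combine_shares([SHARES[0], SHARES[1]], threshold=2)  # files 1 and 2
```

Running it shows HSM_A and HSM_B with the same fingerprint (same two files, import order irrelevant) and HSM_C with a different one, so keys wrapped under HSM_A's DKEK cannot be unwrapped on a token initialised like HSM_C.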