sc-hsm-tool --create-dkek-share file.pbe gives output as follows:
Please keep the generated DKEK share file in a safe location. We also recommend to keep a paper printout, in case the electronic version becomes unavailable. A printable version of the file can be generated using "openssl base64 -in ".
Sorry, but I don’t understand the “paper printout” recommendation. I bought the HSM2 for REAL, hardware, two-factor security (something I have: the HSM2; something I know: the PIN). Putting all secrets on paper is … strange to me.
If I bought TWO HSM2s, is it a good idea to back up/restore the ECC/RSA keys from the 1st HSM2 to the 2nd HSM2, and write the *.pbe file(s) to BOTH HSM2s (1st and 2nd)? As follows:
pkcs11-tool --login --pin XXXXXX --write-object dkek-share-1.pbe --label "dkek-share-1.pbe" --id 1 --type data --private
pkcs11-tool --login --pin XXXXXX --write-object dkek-share-2.pbe --label "dkek-share-2.pbe" --id 2 --type data --private
(Note the --private option: the object (file) is only viewable after a login.) And then destroy all files outside of the HSM2 and destroy all “paper printouts” (if any).
If one of my two HSM2s fails in the future, I can read the dkek-shares and do another backup/restore. Am I right?
What do you think about the advantages and disadvantages of writing dkek-shares to the HSM2 (with the --private flag, of course)?
What about using other flags for the scenario above, like --extractable?
--sensitive is not an option because we will need the dkek-shares in plaintext in the future, without wrapping.
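The workflow asked about above, written out as an added example (not code from the original post or from OpenSC): create the DKEK share files with sc-hsm-tool, store each one on both tokens as a login-protected data object, read every stored copy back and compare its digest with the original before the plaintext file on disk is wiped. The slot ids 0 and 1, the share count, and the use of an interactive PIN prompt instead of --pin on the command line are assumptions of this example; check the real slot ids with pkcs11-tool --list-slots.

```shell
#!/bin/sh
# Added example, not from the original post: create DKEK share files with
# sc-hsm-tool, store each as a private PKCS#11 data object on two
# SmartCard-HSMs, verify the stored copies by reading them back, and only
# then wipe the plaintext files on disk.
# Assumptions (not in the post): the two tokens are in slots 0 and 1, and
# pkcs11-tool prompts for the PIN because no --pin is given on the command line.

# SHA-256 of a file; falls back to shasum where sha256sum is absent.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only when both files have identical contents.
verify_roundtrip() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# Write SHARE_FILE to the token in SLOT as a private data object with ID
# (the same pkcs11-tool options the post uses, minus --pin).
store_share() {
    slot=$1; share_file=$2; id=$3
    pkcs11-tool --login --slot "$slot" --write-object "$share_file" \
        --label "$(basename "$share_file")" --id "$id" --type data --private
}

# Read the data object labelled LABEL back from the token in SLOT into OUT_FILE.
read_share() {
    slot=$1; label=$2; out_file=$3
    pkcs11-tool --login --slot "$slot" --read-object --type data \
        --label "$label" --output-file "$out_file"
}

# Overwrite-then-delete where shred exists; plain rm otherwise.
wipe() {
    if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# Create COUNT shares, store each on both tokens, verify, then wipe local copies.
main() {
    count=${1:-2}
    i=1
    while [ "$i" -le "$count" ]; do
        share="dkek-share-$i.pbe"
        sc-hsm-tool --create-dkek-share "$share"   # prompts for the share password
        for slot in 0 1; do
            store_share "$slot" "$share" "$i"
            copy=$(mktemp)
            read_share "$slot" "$share" "$copy"
            if verify_roundtrip "$share" "$copy"; then
                echo "slot $slot: $share stored and verified"
            else
                # Never delete the only good copy: keep the local file on mismatch.
                echo "slot $slot: read-back of $share does not match; keeping $share" >&2
                wipe "$copy"
                exit 1
            fi
            wipe "$copy"
        done
        wipe "$share"
        i=$((i + 1))
    done
}

# The token workflow only runs when a share count is passed, e.g. "sh dkek-shares.sh 2".
if [ "$#" -ge 1 ]; then
    main "$1"
fi
```

Two points worth keeping in mind with this layout. First, --private sets CKA_PRIVATE on the data object, which is the attribute that gates reads behind the user PIN; CKA_SENSITIVE and CKA_EXTRACTABLE are key attributes and have no effect on a CKO_DATA object, so --sensitive and --extractable do not enter into the decision here. Second, the share file is itself password-encrypted (that is what the .pbe password protects), so restoring a key later requires both a working token holding the object and the share password; if both tokens are lost or the share password is forgotten, the DKEK, and every key wrapped under it, is gone. That irrecoverability is the risk the printout advice is meant to cover, and storing the shares on two tokens only trades it for a dependency on the tokens' availability.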