Hi, I am trying to import an AES key on an HSM configured with the N of M threshold scheme. The key was generated by another HSM, so at first I am trying to encrypt the key with the DKEK. I could export the DKEK and I do have the N password shares required to decrypt it, but I don’t know how it was encrypted. I assume a Shamir’s Secret Sharing is used… I tried the encodeAESKey() function on SCSH3, but it didn’t work, so I guess I need to re-import the DKEK shares first, like in the importAES.js script. I also found the decryptKeyShare(password, keyshare) function, but as I am using the N of M threshold, it is not useful.
Hi!
We have a walk-through on YouTube regarding that using OpenSC tools, but with RSA:
- https://www.youtube.com/watch?v=V7wrlOqhrgE (Nitrokey HSM’s M-of-N Threshold Scheme)
I believe the first step is to import the DKEK shares, and then do so with the actual key backup.
Thank you for your reply, but I don’t want to do a backup, I would like to import a key that was not generated by a Nitrokey into the Nitrokey. My question is how to wrap the key?
I see. I looked into the other topics on the forum, but found no similar problem yet.
I only found:
- Nitrokey HSM cannot figure out how to import key from PKCS#12
- https://vessokolev.blogspot.com/2019/06/smartcard-hsm-usb-token-using-smart.html
- How to use AES on NitroKey HSM2
which I believe you have seen already.
Could you tell more about your environment?
- What are the devices’ firmware versions you are working on? I mean the previous one (where the key was exported from) and the new one (to import to).
- Used SCSH3 version.
I was under the impression that it should work after initializing the device and importing DKEK shares.
@sc-hsm Do you see any solution after a brief look?
I don’t know where the key was exported from. I store it in a computer and I would like to import it in a Nitrokey HSM 2.
I am using the latest stable version of scsh3: 3.17.453.