[Nitrokey HSM] Import key with N of M threshold

Hi, I am trying to import an AES key on an HSM configured with the N of M threshold scheme. The key was generated by another HSM, so at first I am trying to encrypt the key with the DKEK. I could export the DKEK and I do have the N password shares required to decrypt it, but I don’t know how it was encrypted. I assume Shamir’s Secret Sharing is used… I tried the encodeAESKey() function on SCSH3, but it didn’t work, so I guess I need to re-import the DKEK shares first, like in the importAES.js script. I also found the decryptKeyShare(password, keyshare) function, but as I am using the N of M threshold, it is not useful.


We have a walk-through on YouTube regarding that using OpenSC tools, but with RSA:

I believe the first step is to import the DKEK shares, and then do so with the actual key backup.

Thank you for your reply, but I don’t want to do a backup; I would like to import a key that was not generated by a Nitrokey into the Nitrokey. My question is how to wrap the key?

I see. I looked into the other topics on the forum, but found no similar problem yet.
I only found:

which I believe you have seen already.

Could you tell more about your environment?

  1. What are the devices’ firmware versions you are working on? I mean the previous one (where the key was exported from) and the new one (to import to).
  2. Used SCSH3 version.

I was under the impression that it should work after initializing the device and importing DKEK shares.
@sc-hsm Do you see any solution after a brief look?

I don’t know where the key was exported from. I store it on a computer and I would like to import it into a Nitrokey HSM 2.
I am using the latest stable version of scsh3: 3.17.453.