I have multiple HSMs, and using a 3-of-5 threshold for the DKEK to create a single security domain and back up the private keys to different HSMs works fine:
sc-hsm-tool --create-dkek-share dkek-share.pbe --pwd-shares-threshold 3 --pwd-shares-total 5
However, what is the recommended way for the following use case:
One of the 5 current key custodians is leaving and another one is joining.
The obvious, straightforward procedure is that the former custodian hands over his/her key share to the new custodian.
But what if that share was lost, or the former custodian needs to be explicitly excluded from holding a share?
Or, more generally: is it possible to create a completely new 3-of-5 threshold DKEK (involving 5 new key custodians) and migrate the existing keys from the former security domain to the new one (by involving 3 of the old 5 key custodians)?