Nitrokey HSM - n-of-m threshold for DKEK backup: imported keys cannot be listed on the backup device

Hello,

I am trying to use an n-of-m DKEK scheme for backup of the private keys on my HSM device. Here’s the scenario:

  1. Have two Nitrokey HSM devices

  2. Initialize HSM_1 with an n-of-m DKEK scheme (3 of 6 to be more precise)
    sc-hsm-tool --create-dkek-share dkek.pbe --pwd-shares-threshold 3 --pwd-shares-total 6
    sc-hsm-tool --initialize --so-pin env:SOPIN --pin env:USERPIN --dkek-shares 1
    sc-hsm-tool --import-dkek-share dkek.pbe --pwd-shares-total 3

  3. Create key pair on HSM_1 with openssl and pkcs11 engine

  4. Export the private key from HSM_1
    sc-hsm-tool --wrap-key privkey.bin --key-reference --pin env:USERPIN

  5. Remove HSM_1 and insert HSM_2

  6. Initialize HSM_2 and import the DKEK created with the aid of HSM_1
    sc-hsm-tool --initialize --so-pin env:SOPIN --pin env:USERPIN --dkek-shares 1
    sc-hsm-tool --import-dkek-share dkek.pbe --pwd-shares-threshold 3 --pwd-shares-total 6

  7. Import the private key previously exported from HSM_1 onto HSM_2
    sc-hsm-tool --unwrap-key privkey.bin --key-reference 5 --pin env:USERPIN

  8. Output from the above command:
    Using reader with a card: Nitrokey Nitrokey HSM (DENK01031940000 ) 00 00
    Wrapped key contains:
    Key blob
    Private Key Description (PRKD)
    Key successfully imported

  9. Checking for the presence of the key on the HSM_2 yields nothing
    pkcs15-tool -D
    Using reader with a card: Nitrokey Nitrokey HSM (DENK01031940000 ) 00 00
    PKCS#15 Card [SmartCard-HSM]:
    Version : 0
    Serial number : DENK0103194
    Manufacturer ID: www.CardContact.de
    Flags :

    PIN [UserPIN]
    Object Flags : [0x03], private, modifiable
    Auth ID : 02
    ID : 01
    Flags : [0x812], local, initialized, exchangeRefData
    Length : min_len:6, max_len:15, stored_len:0
    Pad char : 0x00
    Reference : 129 (0x81)
    Type : ascii-numeric
    Path : e82b0601040181c31f0201::
    Tries left : 3

    PIN [SOPIN]
    Object Flags : [0x01], private
    ID : 02
    Flags : [0x9A], local, unblock-disabled, initialized, soPin
    Length : min_len:16, max_len:16, stored_len:0
    Pad char : 0x00
    Reference : 136 (0x88)
    Type : bcd
    Path : e82b0601040181c31f0201::
    Tries left : 15

Although the import seems to be successful, the key is not present on the second device (HSM_2). The DKEK key check value is identical on both devices: XXXXA1B8E714XXXX
What am I doing wrong?

Never mind… Since I was using only one HSM device for testing, it turns out the Nitrokey HSM is not really reinitialized until one removes it from USB and puts it back in.

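What the 3-of-6 setting in the post actually buys you: the DKEK share file is encrypted under a password, and sc-hsm-tool splits that password into m shares (each printed as a prime, a share ID and a share value) of which any n recover it. The following is an added illustration of that threshold scheme (Shamir secret sharing over a prime field) and is not sc-hsm-tool's code or its share file format; the prime, the share encoding as (ID, value) tuples and the demo secret are assumptions made for this example only.

```python
"""Threshold (n-of-m) secret sharing, as used conceptually for sc-hsm-tool's
DKEK share password (--pwd-shares-threshold n --pwd-shares-total m).

Added example, not sc-hsm-tool's implementation. Assumptions for the demo:
a fixed 127-bit Mersenne prime as the field, shares encoded as (id, value),
and a constructed integer secret standing in for the share password.
"""
import secrets
from itertools import combinations

# Assumption: fixed field prime for the demo (2**127 - 1 is a known prime).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x, p):
    """Evaluate the polynomial with coefficients coeffs[0..k-1] at x (mod p), Horner style."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, threshold, total, p=PRIME):
    """Split integer secret (0 <= secret < p) into `total` shares.

    The secret is the constant term of a random polynomial of degree
    threshold-1; share i is (i, f(i)). Any `threshold` shares determine f(0).
    """
    if not 1 <= threshold <= total:
        raise ValueError("need 1 <= threshold <= total")
    if not 0 <= secret < p:
        raise ValueError("secret must be in [0, p)")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    return [(i, _eval_poly(coeffs, i, p)) for i in range(1, total + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange interpolation at x = 0 over the given (id, value) shares.

    With fewer than `threshold` shares this still returns *a* value, just not
    the secret (except with probability about 1/p), so the caller cannot tell
    from the output alone whether enough shares were supplied.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share IDs")
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        result = (result + yi * num * pow(den, -1, p)) % p
    return result


def check_threshold(secret, shares, threshold, p=PRIME):
    """True iff every threshold-sized subset recovers the secret and no smaller subset does."""
    for k in range(1, threshold):
        for sub in combinations(shares, k):
            if recover_secret(list(sub), p) == secret:
                return False
    return all(recover_secret(list(sub), p) == secret
               for sub in combinations(shares, threshold))


def demo():
    """3-of-6 split of a constructed secret; returns (recovered_with_3, recovered_with_2)."""
    secret = int.from_bytes(b"demo-share-pwd", "big")  # constructed demo secret
    shares = split_secret(secret, threshold=3, total=6)
    with_three = recover_secret([shares[0], shares[3], shares[5]])
    with_two = recover_secret(shares[:2])
    return with_three == secret, with_two == secret


if __name__ == "__main__":
    ok3, ok2 = demo()
    print("any 3 of 6 recover the secret:", ok3)
    print("2 of 6 recover the secret:", ok2)
```

The point to take from `check_threshold` is the one that matters operationally for a DKEK backup: losing up to m-n shares (here three of six) costs nothing, but n-1 shares give an attacker nothing either, so the shares can be handed to different custodians. Note also that sc-hsm-tool's shares carry the prime alongside the ID and value, so every custodian must record all three fields.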