Hello,
I am trying to use a n-of-m DKEK scheme for backup of the private keys on my HSM device. Here’s the scenario:
- Have two Nitrokey HSM devices
- Initialize HSM_1 with an n-of-m DKEK scheme (3 of 6 to be more precise)
    sc-hsm-tool --create-dkek-share dkek.pbe --pwd-shares-threshold 3 --pwd-shares-total 6
    sc-hsm-tool --initialize --so-pin env:SOPIN --pin env:USERPIN --dkek-shares 1
    sc-hsm-tool --import-dkek-share dkek.pbe --pwd-shares-total 3
- Create key pair on HSM_1 with openssl and pkcs11 engine
- Export the private key from HSM_1
    sc-hsm-tool --wrap-key privkey.bin --key-reference --pin env:USERPIN
- Remove HSM_1 and insert HSM_2
- Initialize HSM_2 and import the DKEK created with the aid of HSM_1
    sc-hsm-tool --initialize --so-pin env:SOPIN --pin env:USERPIN --dkek-shares 1
    sc-hsm-tool --import-dkek-share dkek.pbe --pwd-shares-threshold 3 --pwd-shares-total 6
- Import the private key previously exported from HSM_1 onto HSM_2
    sc-hsm-tool --unwrap-key privkey.bin --key-reference 5 --pin env:USERPIN
  Output from the above command:
    Using reader with a card: Nitrokey Nitrokey HSM (DENK01031940000 ) 00 00
    Wrapped key contains:
    Key blob
    Private Key Description (PRKD)
    Key successfully imported
- Checking for the presence of the key on HSM_2 yields nothing
    pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01031940000 ) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : DENK0103194
Manufacturer ID: www.CardContact.de
Flags :PIN [UserPIN]
Object Flags : [0x03], private, modifiable
Auth ID : 02
ID : 01
Flags : [0x812], local, initialized, exchangeRefData
Length : min_len:6, max_len:15, stored_len:0
Pad char : 0x00
Reference : 129 (0x81)
Type : ascii-numeric
Path : e82b0601040181c31f0201::
Tries left : 3
PIN [SOPIN]
Object Flags : [0x01], private
ID : 02
Flags : [0x9A], local, unblock-disabled, initialized, soPin
Length : min_len:16, max_len:16, stored_len:0
Pad char : 0x00
Reference : 136 (0x88)
Type : bcd
Path : e82b0601040181c31f0201::
Tries left : 15
Although the import seems to be successful, the key is not present on the second HSM_2 device. The DKEK key check value is identical on both devices: XXXXA1B8E714XXXX
What am I doing wrong?
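As an added example that is not part of the original post (and not Nitrokey's or OpenSC's own code), here is a small POSIX sh helper for the verification step above: it checks whether the key reference passed to --unwrap-key actually appears in the pkcs15-tool -D listing afterwards, instead of trusting the "Key successfully imported" message. It assumes the labels pkcs15-tool prints for private-key objects (a "Private RSA Key [...]" header line and a "Key ref : N (0xNN)" field) and uses two constructed listings as input.

```shell
# Added example, not from the original post: check that `pkcs15-tool -D` lists a
# private key with the key reference given to `sc-hsm-tool --unwrap-key`.
# Assumption: pkcs15-tool prints object headers without a ':' ("PIN [UserPIN]",
# "Private RSA Key [Private Key]") and fields with one ("Key ref : 5 (0x05)").

# Count private key objects in a pkcs15-tool -D listing read from stdin.
count_private_keys() {
    awk '!/:/ && /^[[:space:]]*Private .* Key/ { n++ } END { print n + 0 }'
}

# Print the decimal key reference of every private key in the listing on stdin.
list_private_key_refs() {
    awk '
        !/:/ { inkey = ($0 ~ /^[[:space:]]*Private .* Key/); next }
        inkey && /Key ref[[:space:]]*:/ {
            v = $0
            sub(/.*:[[:space:]]*/, "", v)     # drop the "Key ref :" label
            sub(/[[:space:]]*\(.*/, "", v)    # drop the "(0x05)" hex form
            print v
        }'
}

# Exit 0 if a private key with key reference $1 is listed on stdin, else 1.
private_key_present() {
    list_private_key_refs | grep -qx "$1"
}

# Verdict for the unwrap step: compare what --unwrap-key claimed with what the
# card lists. Usage after unwrapping on HSM_2:  pkcs15-tool -D | verify_unwrap 5
verify_unwrap() {
    if private_key_present "$1"; then
        echo "private key with key ref $1 is listed on the card"
    else
        echo "unwrap reported success, but no private key with key ref $1 is listed" >&2
        return 1
    fi
}

# Constructed sample listing: PIN objects only, as in the post after the unwrap.
SAMPLE_PINS_ONLY='PKCS#15 Card [SmartCard-HSM]:
    Version        : 0
    Serial number  : DENK0103194
PIN [UserPIN]
    Object Flags   : [0x03], private, modifiable
    Reference      : 129 (0x81)
    Tries left     : 3'

# Constructed sample listing: the same card after a successful unwrap to key ref 5.
SAMPLE_WITH_KEY="$SAMPLE_PINS_ONLY
Private RSA Key [Private Key]
    Object Flags   : [0x03], private, modifiable
    Usage          : [0x2E], decrypt, sign, signRecover, unwrap
    ModLength      : 2048
    Key ref        : 5 (0x05)
    Native         : yes
    Auth ID        : 01
    ID             : 01"
```

Run it right after the --unwrap-key step on HSM_2 with the same key reference; a non-zero exit from verify_unwrap is the condition described in the post (tool reports success, card lists no key), which is worth catching in a backup script before the wrapped key file is relied on.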