Nitrokey HSM2 RSA or EC Private key extraction


We are evaluating the Nitrokey HSM2. Everything is working as expected, but we would like an authoritative answer from Nitrokey before proceeding further.

Is it possible to extract an imported or generated RSA or EC private key if one has the SO and User passwords? How about if neither is available? For example, with sufficient knowledge of the device, using hardware probes, etc.?

Please let us know.


Hey hey,

Generally, the Nitrokey HSM contains an HSM smartcard, which is a smartcard that is resistant to physical tampering, so neither probes nor similar equipment can extract data from it.

Exporting via software is not possible; in the best case you generate the key on the HSM, and then the plain-text (private) key secret will never “see the light”.


Hi Markus,

That’s very reassuring, appreciate the quick response.


Nitrokey HSM can be configured to run device-to-device encrypted export by using DKEK / XKEK logical security domains, which could allow moving the keys between the preconfigured Nitrokey HSMs. Such configuration can be done only through the initialization operation, which removes all the currently held secrets (in other words, activating DKEK is not possible without destroying already stored data).