Nitrokey HSM2 seal/unseal

Hello everyone!
We have bought NK HSM2 for our internal offline root CA with hope that with m-of-n auth scheme we would be able to replicate “sealed/unsealed” behavior that HashiCorp Vault has implemented e.g. that inserted HSM would be in “sealed” state and would need to have lets say 2 out of 4 shares to enter “unsealed” state.
That would mean that even with PIN for signing operation would fail, only SO-PIN would work so that HSM can be reinitialized to clean state.
After entering “unsealed” state operator could use PIN to sign requests.
Default state would be “sealed” which means if HSM is moved or power is out HSM cant be compromised.
Is this even possible or its always only PIN enough to sign and DKEK is for other operations like key backup.

Here is what I had in mind:
Seal/Unseal | Vault by HashiCorp (

Thank you for answers.

We will be using XCA for easy PKI management and we are open to buy more HSMs if required for setup.

1 Like

Is there any progress on this issue, or should I see if I can run an implementation?

Have you seen this?