Nitrokey HSM2 & Smartcard-HSM Key wrapping


After installing pkcs11-tools, and interfacing with the Smartcard-HSM, I could not see any way of wrapping the keys using the pkcs11-tools (p11wrap) with an AES Key.
After looking more closely, I could not create an AES wrapping key, which looks normal as I understand that this operation is made using a specific DKEK key.
My question is : Hw can I wrap/unwrap keys using the p11wrap interface and AES keys ? Can I even do this, or am I obliged to go through RAS-based wrapping methods ?


Key wrapping is an internal SmartCard-HSM mechanism using an AES-256 Key Encryption Key. The KEK can be established using key shares in a DKEK Key Domain or using mutually authenticated ECDH keys in a XKEK Key Domain.

There are no other key wrap or unwrap methods in the SmartCard-HSM, but you can wrap and unwrap sessions keys in OpenSC using the RSA Key Wrap mechanisms.