Recreating a DKEK share

My company wants to have a scheme where there are 5 key custodians for a DKEK share. 2 will be required to decrypt the share. If someone leaves the company, we want to recreate the DKEK share with 5 new SSS values so we can always maintain 5 people.

Is there support for doing this in sc-hsm-tool? I am having a hard time understanding how this would be possible. I have not been able to find information online or by running “sc-hsm-tool --help”

Control of the DKEK M-of-n scheme is feasible with sc-hsm-tool. This is how to do it.

Beware though! This allows you only to export and import encrypted content between devices sharing the same DKEK. It has nothing to do with actual authentication to use materials on a given device. Support for m-of-n authentication is not implemented in sc-hsm-tool.

If you’re okay with having only the DKEK protected with an m-of-n scheme, and having a simple PIN for authentication, then go ahead, you should be fine with sc-hsm-tool.

If you absolutely need m-of-n authentication with the Nitrokey HSM, the only way would be to go with SmartCard Shell and PKIAAS. But I would advise against that. Learn more in my user experience review.

Hope this helps

I don’t think you understand my question. It is about regenerating the DKEK share while maintaining the key material. Nothing to do with threshold AUTH, it has to do with threshold DKEK encipherment.

Yes, that is the point I wanted to make clear.

Doesn’t the first link I gave you answer your question, then?

That is how you create a DKEK share with threshold decryption using SSS. The question I have is if a certain number of people leave, how can you regenerate a new DKEK share (new underlying key) and import it into the HSM while maintaining the key material.

If you decrypt the DKEK share then encrypt it with new custodians, and a few old custodians who left are untrusted, they can get together and get the same key with the old encrypted DKEK file. The DKEK share needs to be regenerated and reimported.
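As an added illustration (not code from this thread, from sc-hsm-tool or from Nitrokey): a toy Shamir secret-sharing scheme over a prime field, with the 2-of-5 threshold from the question, showing the point made in the last post. Re-splitting the same DKEK for a fresh set of custodians leaves the departed custodians' shares just as valid as before, whereas splitting a newly generated DKEK does not. The field prime, the share layout and the function names are assumptions made for the illustration; sc-hsm-tool's own share file format and parameters are not reproduced.

```python
import secrets

# Prime field for the toy Shamir scheme: 2**127 - 1 (a Mersenne prime).
# Assumed for this illustration only; sc-hsm-tool's share format is not reproduced.
P = (1 << 127) - 1


def split_secret(secret, n, k):
    """Split `secret` into n shares; any k of them reconstruct it (Shamir's scheme).

    A random polynomial f of degree k-1 with f(0) = secret is evaluated at
    x = 1..n; each custodian receives one point (x, f(x)).
    """
    if not (0 <= secret < P and 1 <= k <= n < P):
        raise ValueError("bad sharing parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule, reduced mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct(shares):
    """Lagrange-interpolate f(0) from a list of (x, y) shares.

    With fewer than k shares the result is a field element unrelated to the secret.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def custodian_rotation(leaving=2, n=5, k=2):
    """Model the two ways of handling departed custodians discussed in the thread.

    Returns, for each option, whether the new custodians and the departed
    custodians can still recover the DKEK in use.
    """
    if n - leaving < k:
        raise ValueError("not enough remaining custodians to recover the DKEK")
    dkek = secrets.randbelow(P)
    old_shares = split_secret(dkek, n, k)
    leavers = old_shares[:leaving]   # shares in the hands of departed custodians
    stayers = old_shares[leaving:]   # shares still held by current staff

    # Option A: current custodians recover the DKEK and re-split the SAME value
    # for a fresh set of n custodians.
    resplit = split_secret(reconstruct(stayers[:k]), n, k)

    # Option B: generate a NEW DKEK and split that instead.
    new_dkek = secrets.randbelow(P)
    new_shares = split_secret(new_dkek, n, k)

    return {
        "new_custodians_recover_resplit_dkek": reconstruct(resplit[:k]) == dkek,
        "leavers_recover_resplit_dkek": reconstruct(leavers[:k]) == dkek,
        "new_custodians_recover_new_dkek": reconstruct(new_shares[:k]) == new_dkek,
        "leavers_recover_new_dkek": reconstruct(leavers[:k]) == new_dkek,
    }


if __name__ == "__main__":
    for name, outcome in custodian_rotation().items():
        print(f"{name}: {outcome}")
```

Option A is the "decrypt and re-encrypt" approach from the last post: the departed custodians' two shares still interpolate to the old DKEK, and any DKEK file exported under it remains readable to them. Option B is what "regenerate and reimport" means in share terms: the old shares interpolate to the old value, which is no longer the DKEK on the device.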