My situation is this: I got two brand-new Nitrokey HSM2s. My intent is to use one for an internal company PKI and to lock away the other HSM in our safe as a backup. During the setup procedure I would have a co-worker present for the four-eyes principle.
I intend to initialize both HSMs, then generate an RSA keypair on an offline Linux live system (no HDD present), then import the private key into both HSMs. Afterwards I would switch off the live system, thus destroying the volatile non-HSM copy of the RSA private key. DKEK will not be set up.
Is it possible to execute this scheme? Or do you see any potential caveats which I have not considered?
Is it possible to import RSA keys onto a Nitrokey HSM2 at all? I have not found the option in the different toolsets yet (pkcs11-tool, pkcs15-tool, sc-hsm-tool).
(I saw that this is possible after setting up a DKEK, but that would also open up the potential for exporting key material in the future, given that the DKEK scheme is fulfilled. However, I want the private keys to be non-extractable after the initial setup procedure has concluded.)
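The DKEK-based path that the last paragraph refers to, as an added example that is not part of the original post: instead of importing a key generated on a live system, the key pair is generated on the first HSM and copied to the second one wrapped under a DKEK that both devices were initialised with, so the plaintext private key never exists outside an HSM. It uses OpenSC's sc-hsm-tool, pkcs11-tool and pkcs15-tool; the PINs, labels, share and output file names, reader and slot indexes, and the module path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): copy a CA key between two
# SmartCard-HSM / Nitrokey HSM2 devices under a shared DKEK with OpenSC's
# sc-hsm-tool, pkcs11-tool and pkcs15-tool. PINs, labels, file names, reader
# and slot indexes are placeholders. DRY_RUN=1 (the default) only prints the
# commands; set DRY_RUN=0 to execute them against real devices.
set -eu

DRY_RUN="${DRY_RUN:-1}"
MODULE="${OPENSC_PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"   # assumed path
SO_PIN="3537363231383730"    # 16 hex digits (the value used in the OpenSC examples)
USER_PIN="648219"            # 6 to 16 characters
DKEK_SHARE="dkek-share-1.pbe"
WRAPPED="ca-key.wrapped"

# Print (dry run) or execute one command.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# sc-hsm-tool requires the SO-PIN as exactly 16 hex digits and the user PIN as
# 6 to 16 characters; check that before initialising anything.
check_pins() {   # $1 = SO-PIN, $2 = user PIN; returns 0 when both are acceptable
    case "$1" in *[!0-9A-Fa-f]*|'') return 1 ;; esac
    [ "${#1}" -eq 16 ] || return 1
    [ "${#2}" -ge 6 ] || return 1
    [ "${#2}" -le 16 ] || return 1
    return 0
}

# 1. Initialise a device so that its DKEK is assembled from one share.
init_hsm() {     # $1 = reader index
    run sc-hsm-tool --reader "$1" --initialize --so-pin "$SO_PIN" \
        --pin "$USER_PIN" --dkek-shares 1
}

# 2. Create the share file once (sc-hsm-tool prompts for its password), then
#    import the same file into both devices so they end up with the same DKEK.
#    Only whoever can decrypt this file can ever wrap keys out again.
create_share() { run sc-hsm-tool --create-dkek-share "$DKEK_SHARE"; }
import_share() { run sc-hsm-tool --reader "$1" --import-dkek-share "$DKEK_SHARE"; }

# 3. Generate the CA key on the first HSM; the private key never exists in host memory.
generate_key() { # $1 = slot index
    run pkcs11-tool --module "$MODULE" --slot-index "$1" --login --pin "$USER_PIN" \
        --keypairgen --key-type rsa:3072 --id 01 --label internal-ca
}

# 4. Export the key from HSM A encrypted under the DKEK and import it into HSM B.
#    The key reference is the "Key ref" value shown by 'pkcs15-tool --dump'.
wrap_key()   { run sc-hsm-tool --reader "$1" --wrap-key "$WRAPPED" --key-reference "$2" --pin "$USER_PIN"; }
unwrap_key() { run sc-hsm-tool --reader "$1" --unwrap-key "$WRAPPED" --key-reference "$2" --pin "$USER_PIN"; }

# 5. Read the public key back from each device; identical DER output shows that
#    both hold the same key pair (assumes the PKCS#15 id survives the unwrap).
export_pubkey() { # $1 = slot index, $2 = output file
    run pkcs11-tool --module "$MODULE" --slot-index "$1" --read-object --type pubkey \
        --id 01 --output-file "$2"
}

# Whole procedure; readers 0/1 and slot indexes 0/1 are assumed, check them with
# 'opensc-tool --list-readers' and 'pkcs11-tool --list-slots' first.
transfer_ca_key() {
    check_pins "$SO_PIN" "$USER_PIN" || { echo "unacceptable PIN format" >&2; return 1; }
    init_hsm 0; init_hsm 1
    create_share
    import_share 0; import_share 1
    generate_key 0
    wrap_key 0 1
    unwrap_key 1 1
    export_pubkey 0 hsm-a.der; export_pubkey 1 hsm-b.der
    [ "$DRY_RUN" = "1" ] || cmp hsm-a.der hsm-b.der
}

transfer_ca_key
```

The property the question objects to is visible in step 4: anyone who can decrypt dkek-share-1.pbe and knows the user PIN can run the wrap step again later, so the share file and its password are what have to be kept under dual control (sc-hsm-tool's --pwd-shares-threshold and --pwd-shares-total options split the share password n-of-m between operators) and locked away together with the backup device.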