RSA key import onto redundant HSM2s

My situation is this: I got two brand-new Nitrokey HSM2s. My intent is to use one for an internal company PKI and to lock away the other HSM in our safe as a backup. During the setup procedure I would have a co-worker present for 4-eyes principle.

I intend to initialize both HSMs, then generate an RSA keypair on an offline Linux live system (no HDD present), then import the private key into both HSMs. Afterwards I would switch off the live system, thus destroying the volatile non-HSM copy of the RSA private key. DKEK will not be set up.

Is it possible to execute this scheme? Or do you see any potential caveats which I have not considered?

Is it possible to import RSA keys onto a Nitrokey HSM2 at all? I have not found the option in the different toolsets yet (pkcs11-tool, pkcs15-tool, sc-hsm-tool).

(I saw that this is possible after setting up DKEK, but that would also open up the potential for exporting key material in the future (given that the DKEK scheme is fulfilled). But I want the private keys to be non-extractable after the initial setup procedure has concluded.)

I would suggest to setup your scenario as described in our blog.

That way you maintain the 4-eyes principle over the whole life-time of the key. I also recommend to use the build-in key generator rather than generating keys on an external systems.

It is possible to import RSA keys into the device using the Smart Card Shell and a PKCS#12 container. You could also prepare a script that imports the key directly (Using the SmartCardHSM.js and DKEK.js scripting classes).

You could also combine both mechanisms, i.e. prepare the encrypted container on the offline system.

To import a key you will need a DKEK in any case. There is no plain import possible, all key material must be encrypted for security reasons. Even the import from PKCS#12 requires a DKEK and it basically transforms the PKCS#12 key container into the format understood by the SmartCard-HSM.