Using XKEK Key Domains in the HSM2

Due to popular demand, we’ve created an XKEK Key Domain How-To that explains step-by-step how XKEK Key Domains can be used with the SmartCard-HSM 4K / Nitrokey HSM2.

Key Domains are a great mechanism to support key management. Starting with version 3.1, the device supports multiple key domains, which can be of type DKEK or XKEK.

DKEK Key Domains are the traditional way of importing key shares that are assembled into the Key Encryption Key inside the device. XKEK Key Domains are a novel approach in which the Key Encryption Key is the result of a dynamic key agreement between two devices participating in a key exchange, so no key material has to be transported as shares. XKEK Key Domains are controlled by a certification instance called the group signer. The group signer determines which HSMs are part of the group and can therefore participate in key management.