Using XKEK Key Domains in the HSM2

Due to popular demand, we’ve created an XKEK Key Domain How-To that explains step-by-step how XKEK Key Domains can be used with the SmartCard-HSM 4K / Nitrokey HSM2.

Key Domains are a great mechanism to support key management. Starting with version 3.1, the device supports multiple key domains, which can be of type DKEK or XKEK.

DKEK Key Domains are the traditional way of importing key shares that are assembled into the Key Encryption Key in the device. XKEK Key Domains are a novel approach, where the Key Encryption Key is the result of performing a dynamic key agreement between two devices that are participating in a key exchange. XKEK Key Domains are controlled by a certification instance, called the group signer. The group signer determines which HSM is part of the group and can as such participate in key management.

3 Likes

Nice documentation. I assume there is no possibility to use the command line for XKEK? Or is it just easier to use the shell?

Well, you could. I did automate some operations done in the key manager UI by getting out the snippets of JavaScript of the key manager code and bundling them together in my own JavaScript file.

1 Like