What can I do with the printout of the dkek-share?

I am using the HSM for my keys and a common DKEK-share to backup/restore the keys on a different HSM. That works very well. During the creation of the DKEK a statement is given to keep a printout by “openssl -base64 -in <DKEK-file>”.

Now I wonder how I would use this printout? From a logical point of view, I could imagine that

  • I create a file with the content of the printout
  • I do something with openssl to convert that file back to a *.pbe that could be used as a DKEK
  • load the DKEK in a new HSM

Is my thinking right? And how would I convert the txt file back to a pbe? (What are the commands?)

The file contains the encrypted DKEK share. If you lose the file, you are out of luck and cannot recreate the DKEK share or import a backup into the HSM.

That is why we recommend keeping a printout of the encrypted DKEK share for very important key material. But it’s only a recommendation, not a must.

The printout is a one-to-one version of the file. You could use other means to backup the file of course.

Hmm, I :thinking: I understood the theory, but can we get more practical?!
So the printout after the above OpenSSL command is "abc".
What’s next when I need to recover the DKEK share?

The DKEK share is stored in binary format. The conversion to base64 is only done to get a printable output. The full circle is

openssl enc -base64 <dkek-share.pbe >dkek-share.txt

and

openssl enc -base64 -d <dkek-share.txt >dkek-share.pbe

Conversion to base64 does not touch the password-based-encryption of the share.
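The round trip described above, as an added example that is not part of the original thread: a constructed stand-in for a share file is base64-encoded (the text you would print), decoded again, and compared byte for byte with the original. The file names `dkek-share.pbe`, `dkek-share.txt` and `restored.pbe` and the random file contents are assumptions for the demo; a real share is the `.pbe` file written by the HSM tooling, and its password-based encryption is untouched by the encoding.

```shell
#!/bin/sh
# Added example (not from the original thread): base64 round trip of a
# DKEK share file, with a byte-for-byte check that the restored file is
# identical to what was encoded. Falls back to coreutils base64 when
# openssl is not installed.
set -eu

have_openssl() { command -v openssl >/dev/null 2>&1; }

# $1 = binary input, $2 = text output (this is what you would print and keep)
b64_encode() {
    if have_openssl; then openssl enc -base64 <"$1" >"$2"
    else base64 <"$1" >"$2"; fi
}

# $1 = text input as produced by b64_encode (64-char lines), $2 = binary output
b64_decode() {
    if have_openssl; then openssl enc -base64 -d <"$1" >"$2"
    else base64 -d <"$1" >"$2"; fi
}

# Same as b64_decode, but for a printout that was re-typed as one long line:
# openssl needs -A to decode unwrapped base64, so strip newlines and use -A.
b64_decode_single_line() {
    if have_openssl; then tr -d '\n' <"$1" | openssl enc -base64 -d -A >"$2"
    else tr -d '\n' <"$1" | base64 -d >"$2"; fi
}

# Returns 0 when decoding the wrapped printout reproduces the original bytes.
roundtrip_check() {
    dir=$(mktemp -d)
    # Constructed stand-in for an encrypted share: 200 random bytes.
    head -c 200 /dev/urandom >"$dir/dkek-share.pbe"
    b64_encode "$dir/dkek-share.pbe" "$dir/dkek-share.txt"
    b64_decode "$dir/dkek-share.txt" "$dir/restored.pbe"
    if cmp -s "$dir/dkek-share.pbe" "$dir/restored.pbe"; then status=0; else status=1; fi
    rm -rf "$dir"
    return $status
}

# Returns 0 when a printout re-typed without line breaks still decodes correctly.
roundtrip_single_line_check() {
    dir=$(mktemp -d)
    head -c 200 /dev/urandom >"$dir/dkek-share.pbe"   # constructed stand-in
    b64_encode "$dir/dkek-share.pbe" "$dir/dkek-share.txt"
    b64_decode_single_line "$dir/dkek-share.txt" "$dir/restored.pbe"
    if cmp -s "$dir/dkek-share.pbe" "$dir/restored.pbe"; then status=0; else status=1; fi
    rm -rf "$dir"
    return $status
}
```

After restoring a share from a printout, run `cmp` (or compare a SHA-256 digest you recorded alongside the printout) against the original `.pbe` before relying on it, and remember that `openssl enc -base64 -d` expects the 64-character line wrapping it produced; a printout re-typed as a single line needs `-A`.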

Aaahhh! Thank you! Now it is fully solved :smiley: