What can I do with the printout of the dkek-share?

I am using the HSM for my keys and a common DKEK-share to backup/restore the keys on a different HSM. That works very well. During the creation of the DKEK a statement is given to keep a printout by “openssl -base64 -in <DKEK-file>

Now I wonder , how I would use this printout ? From a logical point of view , I could imagine that

  • I create a file with the content of the printout
  • I do something with openssl to convert that file back to a *.pbe that could be used as a DKEK
  • load the DKEK in a new HSM

Is my thinking right ? And how would I convert the txt file back to a pbe ? ( ← what are the cmds ?

The file contains the encrypted DKEK share. If you loose the file you are out of luck to recreate the DKEK share and import a backup into the HSM.

That is why we recommend to keep a printout of the encrypted DKEK share for very important key material. But it’s only a recommendation, not a must.

The printout is a one-to-one version of the file. You could use other means to backup the file of course.

Hmm, I :thinking: I understood the Theorie, but can we go more practical ?!
So the printout after above OpenSSL is „abc“ .
What’s next when I need to recover the DKEK share ?

The DKEK share is stored in binary format. The conversion to base64 is only done to get a printable output. The full circle is

openssl enc -base64 <dkek-share.pbe >dkek-share.txt


openssl enc -base64 -d <dkek-share.txt >dkek-share.pbe

Conversion to base64 does not touch the password-based-encryption of the share.

Aaahhh ! Thank you ! - Now it is fully solved :smiley: