I am using the HSM for my keys and a common DKEK share to backup/restore the keys on a different HSM. That works very well. During the creation of the DKEK a statement is given to keep a printout by "openssl -base64 -in <DKEK-file>".
Now I wonder how I would use this printout. From a logical point of view, I could imagine that:
- I create a file with the content of the printout
- I do something with openssl to convert that file back to a *.pbe that could be used as a DKEK
- load the DKEK in a new HSM
Is my thinking right? And how would I convert the txt file back to a pbe? (What are the commands?)
The file contains the encrypted DKEK share. If you lose the file, you are out of luck: you cannot recreate the DKEK share and import a backup into the HSM.
That is why we recommend keeping a printout of the encrypted DKEK share for very important key material. But it's only a recommendation, not a must.
The printout is a one-to-one version of the file. You could use other means to backup the file of course.
Hmm, I understood the theory, but can we get more practical?!
So the printout after the above OpenSSL command is "abc".
What's next when I need to recover the DKEK share?
The DKEK share is stored in binary format. The conversion to base64 is only done to get a printable output. The full circle is:
openssl enc -base64 <dkek-share.pbe >dkek-share.txt
openssl enc -base64 -d <dkek-share.txt >dkek-share.pbe
Conversion to base64 does not touch the password-based-encryption of the share.
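The round trip described in the answer above, as an added shell example that is not part of the original thread or of the HSM vendor's tooling. It wraps the two openssl commands in functions, then goes one step beyond the answer: it restores the share from a printout that was retyped badly (one long line, stray blanks, CRLF line ends), by stripping all whitespace and re-wrapping the text to the 64-column lines the encoder produces before decoding, and it proves with cmp that the restored .pbe is byte-identical to the original. The sample .pbe bytes are constructed here for the demonstration; the fallback to coreutils base64/sha256sum when openssl is absent is my assumption, not something the thread mentions. A SHA-256 fingerprint helper is included because writing the hash of the .pbe on the printout lets you check a restored file before importing it into the HSM.

```sh
#!/bin/sh
# Added example (not the forum's own code): base64 round trip of a DKEK share.
# Assumes openssl is installed; falls back to coreutils base64/sha256sum.
set -eu

b64_enc() {  # binary on stdin -> base64 (openssl wraps at 64 columns)
    if command -v openssl >/dev/null 2>&1; then openssl enc -base64; else base64; fi
}

b64_dec() {  # base64 on stdin -> binary
    if command -v openssl >/dev/null 2>&1; then openssl enc -base64 -d; else base64 -d; fi
}

# Step 1: make the printout from the binary share (the text you keep on paper).
make_printout() {  # $1 = dkek-share.pbe, $2 = dkek-share.txt
    b64_enc <"$1" >"$2"
}

# Step 2: turn a printout back into the binary share. A retyped or scanned
# printout often carries stray blanks, CRLF line ends or one very long line;
# strip every whitespace character and re-wrap to 64 columns so the decoder
# sees exactly the line layout the encoder emitted. awk guarantees that the
# last line is newline-terminated.
restore_share() {  # $1 = dkek-share.txt, $2 = restored dkek-share.pbe
    tr -d ' \t\r\n' <"$1" | fold -w 64 | awk '{ print }' | b64_dec >"$2"
}

# SHA-256 of a file as 64 hex digits; note it on the printout so a restored
# share can be checked before it is imported into the HSM.
share_fingerprint() {  # $1 = file
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# End-to-end demonstration: encode, mangle the printout, restore, compare.
# Returns 0 when the restored file is byte-identical to the original.
roundtrip_demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for dkek-share.pbe: includes NUL, 0xFE and 0xFF
    # bytes to show the round trip is binary-safe (not a real share).
    printf '\000\001\002\376\377constructed-sample-share-bytes' >"$tmp/dkek-share.pbe"
    make_printout "$tmp/dkek-share.pbe" "$tmp/dkek-share.txt"
    # Simulate a carelessly retyped printout: leading blanks, one long line,
    # trailing blank and a CRLF line end.
    printf '  %s \r\n' "$(tr -d '\n' <"$tmp/dkek-share.txt")" >"$tmp/retyped.txt"
    restore_share "$tmp/retyped.txt" "$tmp/restored.pbe"
    ok=0
    cmp -s "$tmp/dkek-share.pbe" "$tmp/restored.pbe" || ok=1
    rm -rf "$tmp"
    return $ok
}

roundtrip_demo && echo "restored share is byte-identical to the original"
```

Because base64 only changes the representation, the password-based encryption of the share is untouched either way; the restored .pbe is loaded into the new HSM exactly like the original file.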
Aaahhh! Thank you! Now it is fully solved.