Wrapping an AES key from Nitrokey HSM2

notthetup · July 4, 2025, 4:00am

Hello again,

I am trying to backup an AES key that I created on a Nitrokey HSM using the DKEK share method.

Firstly I initialized the Nitrokey HSM2 using

$ sc-hsm-tool --initialize --dkek-shares 1 --label "myhsm"

Then, I created the dkek, and imported it using

$ sc-hsm-tool --create-dkek-share myhsm.pbe
$ sc-hsm-tool --import-dkek-share myhsm.pbe

I created the key using the method shown here.

The HSM has the DKEK and also the key

$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (<HSM_ID>         ) 00 00
Version              : 4.1
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3
DKEK shares          : 1
DKEK key check value : 374338542608E779


$ pkcs11-tool --list-objects --type secrkey
Using slot 0 with a present token (0x1)
Secret Key Object; AES length 32
  label:
  ID:         01
  Usage:      encrypt, decrypt
  Access:     sensitive, always sensitive, never extractable, local

But when I try to wrap(export) it, I get this error.

$ sc-hsm-tool --wrap-key  myhsm.backup  --key-reference 01
Using reader with a card: Nitrokey Nitrokey HSM (<HSM_ID>         ) 00 00
sc_card_ctl(*, SC_CARDCTL_SC_HSM_WRAP_KEY, *) failed with Card does not support the requested operation

Any idea what I’m missing? I am using the version of sc-hsm-tool compiled from the Github source.

sc-hsm · July 4, 2025, 6:40am

OpenSC does not support all of the options and diagnostic functions of the HSM. Please use the Smart Card Shell and the included Key Manager to get acquainted with the system. After that you could use OpenSC or the native module to interact with the HSM.

In this specific case my guess is, that the key does not have the WRAP attribute internally. This is different from the attributes shown at the PKCS#11 interface.

notthetup · July 4, 2025, 6:55am

Unfortunately, I need to do this backup programmatically. I believe Smart Card Shell is GUI only? Or?

sc-hsm · July 4, 2025, 6:58am

You can do that programmatically, but the Smart Card Shell will help you to understand what is happening on the device or what is may be missing.

The HSM has much more functions, that what is supported by OpenSC.

notthetup · July 4, 2025, 8:16am

I also tried to do this, but it doesn’t work.

pkcs11-tool --usage-wrap --keygen --key-type AES:32 --id 02

notthetup · July 4, 2025, 8:32am

All the documentation from Nitrokey about backing up keys uses sc-hsm-tool. Is there ANY documentation on how to do this using Smart Card Shell?

sc-hsm · July 4, 2025, 10:08am

Did a quick test myself. The issue is, that when you generate an AES key with pkcs11-tool and the native PKCS#11 library, then the key is not associated with a key domain. And so the key can not be wrapped using sc-hsm-tool.

If you generate the key using the Smart Card Shell, then wrapping and unwrapping with sc-hsm-tool from OpenSC works.

The native PKCS#11 module has some proprietary attributes, that OpenSC does not support. As far as I know, there is no mechanism in pkcs11-tool to define vendor specific attributes.

notthetup · July 5, 2025, 9:47am

Are there any documents on how to generate an AES256 key with Smart Card Shell? I couldn’t find much.

sc-hsm · July 5, 2025, 11:02pm

It’s pretty much self-explaining. You could read one of the HowTos that handle more complex topics like Public Key Authentication or XKEK Key Domains. That should give a glimpse on what you can do with the Key Manager in the Smart Card Shell.

notthetup · July 9, 2025, 4:01am

OK. Took me a while to get this to work, since there isn’t specific documentation about this. But for those who might face a similar issue I am documenting things here.

To run Smart Card Shell 3, and have your HSM enumerate in it, on top of the libpcsclite-dev (which is listed in the installation document), I also needed to install opensc (sudo apt install opensc).
You will need to run “Key Manager (Ctrl+M)” in Smart Card Shell 3 to see the content of your keys.
You can right-click on the various nodes of the tree structure in left pane, to do various actions. It’s important to understand that those actions are performed in the context of that node. For example, running a “Generate RSA Key” by right-clicking on the root (HSM) node, is different that running “Generate RSA Key” by right-clicking on the DKEK node.

To be able to generate and wrap an AES key, you’ll have do the usual process (that’s documented above or in one of the posts linked above) of

Initialize a key (either with pkcs11-tools or " Smart Card Shell 3") with at least 1 DKEK Share
Create a DKEK on disk and import onto the HSM

Then you have to create a new AES Key on the DKEK node. This is critical.

If you do this right, you’ll have an AES key that’s a child of the DKEK node like this

To wrap and export this, you can right click on the AES Key and use the “Wrap Key (and Certificate)” action. You’ll get a .wky file which is the wrapped AES key. This can then be imported (using the “Unwrap Key” action on the root node) back into another HSM (which has be setup with the same DKEK) for backup.

It seems that the pkcs11-tool --usage-wrap --keygen --key-type AES:32 seems to create the key under the root HSM node, which can’t be wrapped and thus give the above error.

It’s irritating that command line tools don’t work, but UI tools do. It’s always hard to build solutions around 3rd part UI tools. But at least it works.

Hopefully we’ll have a better mechanism to do this using CLIs soon.

sc-hsm · July 9, 2025, 9:59am

It’s actually the other way round: OpenSC is the 3rd party. The Smart Card Shell and Key Manager is the primary tool for the SmartCard-HSM applet, which is what is inside the Nitrokey HSM.

The primary toolset for the SmartCard-HSM is based on OpenSCDP and Java. PKCS#11 and CSP are just interface technologies to allow access key material on the device. They are not meant for more sophisticated key management operations.