I need to import splits of a secret key into an HSM device. A Key Encryption Key (KEK) 3DES key has been split for transport and needs to be recombined in the destination HSM.
How can this be done? Are the splits actually being recombined in the HSM itself, or are they being recombined outside of the HSM and then the result is imported into the HSM?
Thank you!
If all the key parts are available outside of the HSM then you'd normally just XOR the values together and set the key. You could use CKM_XOR_BASE_AND_DATA or possibly a proprietary command as well.
CKM_XOR_BASE_AND_DATA however requires at least one key to be already present. You could use it to combine keys sequentially, of course, if you want the holders of the different parts not to be able to view the other parts.
Note that I assume here that the keys have been split using T = N key sharing using XOR. In principle any of the secret sharing schemes could have been used.
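A software model of the XOR recombination discussed in this answer, added here as an illustration and not the answerer's code: it works on raw bytes outside any HSM and folds the parts in one at a time, the way the answer describes chaining a base key with each further part. The function names, the 24-byte key length and the sample key are assumptions; the parity helpers reflect the DES convention of odd parity per key byte.

```python
import secrets
from functools import reduce

KEY_LEN = 24  # assumption: triple-length 3DES key (double-length would be 16)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key parts must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, n: int) -> list[bytes]:
    """T = N split: n-1 random parts plus one part that makes the XOR equal key."""
    if n < 2:
        raise ValueError("need at least two parts")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    parts.append(reduce(xor_bytes, parts, key))
    return parts

def combine_sequentially(parts: list[bytes]) -> bytes:
    """Treat the first part as the base key and XOR each later part into it,
    so every custodian only ever handles their own part."""
    if len(parts) < 2:
        raise ValueError("need at least two parts")
    base = parts[0]
    for part in parts[1:]:
        base = xor_bytes(base, part)
    return base

def has_odd_parity(key: bytes) -> bool:
    """True if every byte has an odd number of 1 bits (DES key convention)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def fix_odd_parity(key: bytes) -> bytes:
    """Flip the low bit of any byte that has an even number of 1 bits."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)

# Constructed sample KEK (not a real key), parity-adjusted.
SAMPLE_KEK = fix_odd_parity(bytes(range(1, KEY_LEN + 1)))

if __name__ == "__main__":
    parts = split_key(SAMPLE_KEK, 3)
    print("recombined matches:", combine_sequentially(parts) == SAMPLE_KEK)
    # With one part missing the result does not reproduce the KEK.
    print("two of three match:", combine_sequentially(parts[:2]) == SAMPLE_KEK)
    print("odd parity kept:", has_odd_parity(combine_sequentially(parts)))
```

The random parts themselves do not carry odd parity, so a device that enforces DES parity on each imported component would need the parts parity-adjusted and the split computed accordingly.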