I am building a solution to store keys and encrypt\decrypt data using an HSM. I am using a network HSM manufactured by Thales. The thing I have noticed is that a key generated in client machine 1 is inaccessible in client machine 2. The key can only be used to encrypt\decrypt data in client machine 1. Is there any thing that needs to be changed in my implementation or is there something to be changed in net-HSM configuration to enable this. I am using PKCS11Iterop library for all the key management operations.
I am using token based OCS protection.
I suppose your client machine 1 has a new file in kmdata/local directory associated to the new key generated. But your client machine 2 has not this file in his kmdata/local directory.
You have to find a way to share the kmdata/local directory, for instance, using NFS.
来源:https://stackoverflow.com/questions/45413752/keys-created-from-one-hsm-client-are-not-available-for-use-in-another-client