Hey Libor,
Thanks for explaining and confirming that the KASP needs local storage!
But our use case is a bit more innovative:
> If you want to migrate signing Knot from one machine to another, you
> shall transfer the configuration file, KASP DB and the private key
> storage. It's not needed to call any "share" command afterwards.
We are not transferring the responsibility for signing. Instead, we
have two live signers running in parallel. I'll attach the
clarification why this should work, because I am aware that it is not
what people usually do. The reason is that the signers operate
completely independently, and therefore more stably.
For this scheme, we need to copy the KASP state for each zone to which
we generate a key. That's why I was trying to (ab)use "share" on
another machine, hoping it would dig up all the data in PKCS #11.
Hope this explanation helps :)
Yes, it confirms that the KASP is not completely stored in PKCS #11.
But I am left with the question of how I can transfer KASP state for
individual zones between our signer machines. Can you help with that?
> We will probably implement something like an import-pkcs11 command in
> keymgr.
> But I cannot say when, because we have other feature requests on the
> list.
Best,
Daniel