Home > |
---|
No. You can clone keys between HSMs that share a domain, but each HSM assigns its own object handles to incoming - or generated - objects.
Good PKCS#11 applications never make assumptions about the object handle number.
Typically, an application will find an object prior to use; for example, find by CKA_LABEL is the most common.
The label either is known to the user or is published somewhere application-specific; for example, Microsoft uses the certstore to store the label (a.k.a. container name).
Possible workarounds:
If your application already uses handles to access/identify keys, consider identifying keys by fingerprint (and possibly label) and devising your own mapping to the new handles for objects that you import (clone) into the HSM.
HOWEVER, that approach might not be feasible if you are not in a position to make API changes - such as, if you are using a third-party application, or if you are locked in by internal compliance/audit or by external compliance/audit. Then, perhaps you could consider using multiple HSMs in an HA group.
If you are accessing via an HA group, then the HA group has a single virtual handle for each object that your application would see, regardless of the "real" object handle on each HSM.