Managing and distributing cryptographic keys is a complex task. You need to make sure that no unauthorized copies are created and that key material remains confidential in transit.

The SmartCard-HSM supports mobility of keys using Key Domains. Just as a fence keeps your cattle on the pasture, a Key Domain keeps your keys within authorized SmartCard-HSMs.

SmartCard-HSMs that are part of a Key Domain use a Key Encryption Key (KEK) to wrap key material for export. Obviously sender and receiver need the same Key Encryption Key, so that importing and unwrapping a key results in the same key value on the receiving device. This looks like a chicken-and-egg problem: how do you distribute the KEK?

The SmartCard-HSM supports two ways to establish a shared KEK: using key custodians, with some organizational overhead, to distribute the KEK as key shares (DKEK), or using a dynamic authenticated peer-to-peer key agreement (XKEK).
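The two paragraphs above describe the DKEK idea in words: the KEK is handed to custodians as shares, the receiving device recombines them, and only a device holding the same KEK can unwrap exported key material. The following is an added illustration of that flow, not SmartCard-HSM firmware or OpenSC code. It assumes an n-of-n XOR share scheme and uses an HMAC-based encrypt-then-MAC construction as a stand-in for the device's actual wrapping format; the share format, the 256-bit KEK size and the function names are all illustrative assumptions.

```python
"""Added example: KEK split into custodian shares, recombined, then used
to wrap a key for export. Not SmartCard-HSM code; the XOR share scheme
and the HMAC-based wrap are stand-ins (assumptions), chosen so the
example runs with the Python standard library only."""
import hashlib
import hmac
import secrets

KEK_LEN = 32  # assumed 256-bit KEK


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def create_shares(kek: bytes, n: int) -> list[bytes]:
    """Split kek into n shares; all n are needed to recover it (n-of-n).
    n-1 shares are uniformly random and the last one is kek XOR those,
    so any subset of fewer than n shares carries no information."""
    if n < 2:
        raise ValueError("need at least two custodians")
    shares = [secrets.token_bytes(len(kek)) for _ in range(n - 1)]
    last = kek
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def combine_shares(shares: list[bytes]) -> bytes:
    """What the receiving device does once every custodian has entered a share."""
    kek = bytes(len(shares[0]))
    for s in shares:
        kek = xor_bytes(kek, s)
    return kek


def _subkeys(kek: bytes) -> tuple[bytes, bytes]:
    # separate encryption and MAC keys derived from the KEK
    enc = hmac.new(kek, b"kek-enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"kek-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, key_material: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC stand-in for a real key wrap)."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(key_material, _keystream(enc_key, nonce, len(key_material)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Fail closed: a wrong KEK or a modified blob never yields key material."""
    enc_key, mac_key = _subkeys(kek)
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong KEK or tampered blob")
    return xor_bytes(ct, _keystream(enc_key, nonce, len(ct)))


def demo() -> dict:
    """Constructed scenario: three custodians, one group signing key."""
    kek = secrets.token_bytes(KEK_LEN)
    shares = create_shares(kek, 3)
    group_key = secrets.token_bytes(32)
    blob = wrap_key(kek, group_key)          # export from the sending device
    recovered = unwrap_key(combine_shares(shares), blob)  # all three shares present
    try:                                      # only two custodians showed up
        unwrap_key(combine_shares(shares[:2]), blob)
        partial_ok = True
    except ValueError:
        partial_ok = False
    return {"roundtrip": recovered == group_key, "partial_shares_unwrap": partial_ok}


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: the wrapped blob alone is useless without the KEK, so it can travel over untrusted channels or sit in a database, and the unwrap must fail closed with an authenticated check rather than silently producing garbage under the wrong KEK.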

The former has been well known for quite a while as the basis for key backups. The latter is a little more complex to establish, but then allows very efficient key distribution.

Imagine you use a group key, e.g. for signing firmware updates or for decrypting e-mails sent to a group address. You want to protect the key using a SmartCard-HSM. As your developers work from home, you face the challenge of creating and distributing key material.

Or imagine you use a certificate for encrypted e-mails. The private key is on a SmartCard-HSM, so you can only decrypt messages with the token. If you lose your token, you can no longer decrypt your messages. Obviously you need some kind of key backup, so you can restore the key on a new device.

This is where XKEK Key Domains shine. With an XKEK Key Domain you simply define which SmartCard-HSMs form a group and can exchange key material. There is no need to establish shared secrets using DKEK key shares; the SmartCard-HSMs establish the shared KEK among themselves.

The PKI-as-a-Service Portal supports this with the new Key Escrow service. It allows you to define groups of SmartCard-HSMs, roll out Key Domains and keep encrypted key material in a database. You can send key material, meta-data and certificates to Key Escrow and receive whatever needs to be shared.