It's both. Most of those vendors have ways to backup those keys securely to same vendor backup product. But they won't let you export them via a wrap or whatever.
It functions both as a security feature and a vendor lock in.
It's absolutely vendor lock-in, first and foremost. It happens to align with security.
I did a project 10 years ago to sign firmware for embedded devices w/ a planned 25 year product life. I spoke with two different HSM vendors. Both said the Customer would be able to backup and transfer keys from one HSM to another. Both also said that was applicable within their products only. There was no mechanism to switch to another HSM vendor (and neither offered a contingency to get the keys out if the vendor ceased business operations).
> In April 2023, IANA became aware of the decision by the manufacturer of the Keyper PLUS
HSM – the equipment used to store private key materials for the Root Zone KSK – to cease its
production of the device. Furthermore, the manufacturer will offer no successor product.
That's ridiculous.
There should be a standards-based protocol to transfer key material between HSMs. It should be tied to physical access using physical tokens. Make the protocol baroque and difficult. Heck, even make it a requirement the source HSM has to to be physically destroyed to complete the process (to prevent "cloning" attacks).
For USB authentication keys this level of cloak-and-dagger LARPing is stupid. There should be a method to export and encrypted copy of the contents of my USB token and, worst case, import it into another token manufactured by the same provider. ("But cloning!" Fine-- tie it to registering the token with the manufacturer along with real-world identity verification. Make it a premium service with an associated cost, if that's what it takes.)
Does this mean that any HSM where inability to export the private key is a feature is also doing it for "vendor lockin" reasons?