Thank you for your answer. My question was mostly about using a key for encrypting something on one host/board and decrypting it on another, which has that key as a black key.
Some experiments showed it's possible. I just put some notes here. It could be helpful in the future.
Preparing key & encrypted partition on a host
#!/bin/bash
LOOPDEV=/dev/loop0
DMPART=/dev/mapper/encrypted-tmp
KEY="782DBC901C72F00E8E7A318EC98CF49BB564D5D3723CC0600FDE547DF0E43E4A"
MNTDIR=/tmp/mnt
# Create raw file
dd if=/dev/zero of=./data.img bs=1M count=16
# Mount the raw file and create FS on it
sudo losetup $LOOPDEV ./data.img
sudo dmsetup -v create encrypted-tmp --table "0 16384 crypt capi:ecb(aes) $KEY 0 $LOOPDEV 0 1 sector_size:512"
sudo mkfs.ext4 $DMPART
sync
mkdir -p $MNTDIR
sudo mount $DMPART $MNTDIR
# Mark
sudo touch $MNTDIR/crypto-shripto
# Sync & unmount
sync
sudo umount $DMPART
sudo dmsetup remove encrypted-tmp
sudo losetup -d $LOOPDEV
# Export key in caam-keygen format
echo $KEY | xxd -r -p > caam.key.txt
# data.img & caam.key.txt are ready for export on a board
Creating BB key from the key & mounting encrypted partition on a device
#!/bin/bash
# it's differs from default caam-keygen
KEYSTORAGE=/run/caam/keys/
LOOPDEV=/dev/loop5
MNTDIR=/tmp/mnt/
DMDEV=/dev/mapper/encrypted
KEYNAME=mountkey
# create black key
caam-keygen create $KEYNAME ecb -t $(cat caam.key.txt)
# import black key to keyctl
cat $KEYSTORAGE/$KEYNAME | keyctl padd logon $KEYNAME: @s
mkdir -p /tmp/mnt
losetup $LOOPDEV data.img
dmsetup -v create encrypted --table "0 $(blockdev --getsz $LOOPDEV) crypt capi:tk(ecb(aes)) :52:logon:$KEYNAME: 0 $LOOPDEV 0 1 sector_size:512"
mount $DMDEV $MNTDIR
ls -l $MNTDIR
