diff --git a/sw/host/hsmtool/src/commands/aes/export.rs b/sw/host/hsmtool/src/commands/aes/export.rs
index e7fde602be3ee..4465176c446e6 100644
--- a/sw/host/hsmtool/src/commands/aes/export.rs
+++ b/sw/host/hsmtool/src/commands/aes/export.rs
@@ -2,7 +2,7 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
-use anyhow::Result;
+use anyhow::{Result, anyhow};
 use cryptoki::session::Session;
 use serde::{Deserialize, Serialize};
 use std::any::Any;
@@ -25,7 +25,7 @@ pub struct Export {
 #[arg(long)]
 wrap: Option,
 #[arg(long, default_value = "rsa-pkcs")]
- wrap_mechanism: Wrap,
+ wrap_mechanism: Option,
 #[arg(short, long)]
 output: Option,
 }
@@ -44,7 +44,14 @@ impl Dispatch for Export {
 let secret = Secret::Aes;
 let key = if self.wrap.is_some() {
- secret.wrap_key(session, object, self.wrap.as_deref(), &self.wrap_mechanism)?
+ secret.wrap_key(
+ session,
+ object,
+ self.wrap.as_deref(),
+ self.wrap_mechanism
+ .as_ref()
+ .ok_or(anyhow!("wrap_mechanism is required when wrap is specified"))?,
+ )?
 } else {
 secret.export(session, object)?
 };
diff --git a/sw/host/hsmtool/src/commands/aes/import.rs b/sw/host/hsmtool/src/commands/aes/import.rs
index 66b5c12586787..6bf12edfdfcaa 100644
--- a/sw/host/hsmtool/src/commands/aes/import.rs
+++ b/sw/host/hsmtool/src/commands/aes/import.rs
@@ -2,7 +2,7 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
-use anyhow::Result;
+use anyhow::{Context, Result};
 use cryptoki::session::Session;
 use serde::{Deserialize, Serialize};
 use std::any::Any;
@@ -28,7 +28,7 @@ pub struct Import {
 #[arg(long)]
 unwrap: Option,
 #[arg(long, default_value = "rsa-pkcs")]
- unwrap_mechanism: Wrap,
+ unwrap_mechanism: Option,
 filename: PathBuf,
 }
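Review bot: In `struct Export`, `wrap_mechanism` keeps `#[arg(long, default_value = "rsa-pkcs")]` after becoming an `Option`, so on the command line the field should always be populated and the new "is required" error looks reachable only when the struct is built some other way, presumably serde deserialization without that key. That leaves two behaviours for the same command: the CLI silently falls back to `rsa-pkcs` (presumably PKCS#1 v1.5 padding) while the other path refuses to guess. Since this mechanism protects key material leaving the HSM, consider dropping the default so the choice is explicit on both paths, or at least record the split with a comment such as `// CLI defaults to rsa-pkcs; deserialized commands must set this whenever wrap is set`. The struct hunks in aes/import.rs, kdf/export.rs and kdf/import.rs have the same shape.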
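Review bot: The `.ok_or(anyhow!("wrap_mechanism is required when wrap is specified"))?` argument in the `wrap_key` call is built on every call, including when `wrap_mechanism` is present; `.ok_or_else(|| anyhow!(...))` defers it. Alternatively `.context("wrap_mechanism is required when wrap is specified")?`, the form the aes/import.rs hunk already uses, would let all four files share one idiom. The same `ok_or(anyhow!(...))` pattern appears in the dispatch hunks of kdf/export.rs and kdf/import.rs. The function inside `impl Dispatch for Export` starts and ends outside this hunk.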
@@ -61,7 +61,9 @@ impl Dispatch for Import {
 key,
 self.template.clone(),
 self.unwrap.as_deref(),
- &self.unwrap_mechanism,
+ self.unwrap_mechanism
+ .as_ref()
+ .context("unwrap_mechanism is required when unwrap is specified")?,
 )?;
 } else {
 let _object = secret.import(
diff --git a/sw/host/hsmtool/src/commands/kdf/export.rs b/sw/host/hsmtool/src/commands/kdf/export.rs
index 2e57d504d3870..dfc0a6b221643 100644
--- a/sw/host/hsmtool/src/commands/kdf/export.rs
+++ b/sw/host/hsmtool/src/commands/kdf/export.rs
@@ -6,7 +6,7 @@ use std::any::Any;
 use std::fs;
 use std::path::PathBuf;
-use anyhow::Result;
+use anyhow::{Result, anyhow};
 use cryptoki::session::Session;
 use serde::{Deserialize, Serialize};
@@ -27,7 +27,7 @@ pub struct Export {
 #[arg(long)]
 wrap: Option,
 #[arg(long, default_value = "rsa-pkcs")]
- wrap_mechanism: Wrap,
+ wrap_mechanism: Option,
 #[arg(short, long)]
 output: Option,
 }
@@ -46,7 +46,14 @@ impl Dispatch for Export {
 let secret = Secret::GenericSecret;
 let key = if self.wrap.is_some() {
- secret.wrap_key(session, object, self.wrap.as_deref(), &self.wrap_mechanism)?
+ secret.wrap_key(
+ session,
+ object,
+ self.wrap.as_deref(),
+ self.wrap_mechanism
+ .as_ref()
+ .ok_or(anyhow!("wrap_mechanism is required when wrap is specified"))?,
+ )?
 } else {
 secret.export(session, object)?
 };
diff --git a/sw/host/hsmtool/src/commands/kdf/import.rs b/sw/host/hsmtool/src/commands/kdf/import.rs
index 1b559dfc7d782..bf05a8da2072f 100644
--- a/sw/host/hsmtool/src/commands/kdf/import.rs
+++ b/sw/host/hsmtool/src/commands/kdf/import.rs
@@ -6,7 +6,7 @@ use std::any::Any;
 use std::fs;
 use std::path::PathBuf;
-use anyhow::Result;
+use anyhow::{Result, anyhow};
 use cryptoki::session::Session;
 use serde::{Deserialize, Serialize};
@@ -30,7 +30,7 @@ pub struct Import {
 #[arg(long)]
 unwrap: Option,
 #[arg(long, default_value = "rsa-pkcs")]
- unwrap_mechanism: Wrap,
+ unwrap_mechanism: Option,
 filename: PathBuf,
 }
@@ -63,7 +63,9 @@ impl Dispatch for Import {
 key,
 self.template.clone(),
 self.unwrap.as_deref(),
- &self.unwrap_mechanism,
+ self.unwrap_mechanism.as_ref().ok_or(anyhow!(
+ "unwrap_mechanism is required when unwrap is specified"
+ ))?,
 )?;
 } else {
 let _object = secret.import(