Password end-to-end encryption with HSM in the JSP-Loginapp

For the basic configuration of password end-to-end encryption, follow the instructions in "End-to-End Encryption of passwords".

Instead of using a Java Keystore, use the HSM Keystore plugin.

The SunPKCS11 security provider does not read private keys correctly: only private keys with an associated certificate chain are read (see also the official documentation, Appendix B, "Read Only Access").

As a workaround, either generate a certificate for the given key, or generate a certificate together with the private key instead of using a private key alone.
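To confirm that a key on the HSM is actually exposed through SunPKCS11 before pointing the Loginapp at it, the following diagnostic lists what the provider sees. It is an added example, not part of the product or its documentation. It assumes Java 9 or later and a reachable token; the class name, the PKCS#11 configuration file path and the expected alias are hypothetical and passed as arguments.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;

public class Pkcs11KeyVisibilityCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: Pkcs11KeyVisibilityCheck <pkcs11.cfg> <expected-alias>");
            System.exit(2);
        }
        // Assumption: Java 9+, where the bundled SunPKCS11 provider is configured from a file.
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider not available in this JRE");
        }
        Provider provider = base.configure(args[0]);
        // Read the PIN interactively so it does not end up in shell history or process lists.
        Console console = System.console();
        char[] pin = (console == null) ? null : console.readPassword("Token PIN: ");
        if (pin == null) {
            throw new IllegalStateException("no interactive console or no PIN entered");
        }
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        try {
            ks.load(null, pin);
        } finally {
            Arrays.fill(pin, '\0'); // wipe the PIN from memory once the token is unlocked
        }

        boolean usable = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            int chainLength = (chain == null) ? 0 : chain.length;
            System.out.printf("alias=%s keyEntry=%b chainLength=%d%n",
                    alias, ks.isKeyEntry(alias), chainLength);
            if (alias.equals(args[1]) && ks.isKeyEntry(alias) && chainLength > 0) {
                usable = true;
            }
        }
        // Per the page: a private key without a certificate chain is not read, so it is absent above.
        System.out.println(usable ? "OK: key is visible with a certificate chain"
                : "MISSING: '" + args[1] + "' is not exposed as a private key entry");
        System.exit(usable ? 0 : 1);
    }
}
```

An exit status of 1 for a key that is known to exist on the HSM indicates the missing-certificate case described above.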