This list gives some of the arguments why or why not you should use SoftHSM in your environment compared with regular HSM:s.
- No need for extra hardware devices.
- Can be used in an evaluation setup for OpenDNSSEC before the user might decide to invest in a real HSM.
- Open source code under BSD-license.
- The database, with information like the private key material, is stored on the hard disk drive. Sensible information could leek to third parties if they get access to this file.
- The SoftHSM library reads the private key material into the memory to be able to perform cryptographic operations. The program that links with this library may thus get access to this sensitive information.
- Resides on the same computer as the DNSSEC Signer, thus sharing the same computing resources.