SoftHSM is an implementation of a cryptographic store accessible through a PKCS#11 interface. You can use SoftHSM as an HSM for OpenDNSSEC.
- Can be downloaded from https://www.opendnssec.org/download/
SoftHSM depends on a cryptographic library, Botan or OpenSSL. Minimum required versions:
- Botan 1.10.0
- OpenSSL 1.0.0
If you are using Botan, make sure that it has support for GNU MP (--with-gnump). This will improve the performance when doing public key operations.
There is a migration tool for converting token databases from SoftHSMv1 into the new type of tokens. If this tool is built, then SQLite3 is required (>= 3.4.2).
Building from the repository
If the code is downloaded directly from the code repository, you have to prepare the configuration scripts.
- You need to install automake, autoconf, libtool, etc.
- Run the command 'sh autogen.sh'
- Continue with the instructions below.
Configure the installation/compilation scripts.
For more options:
Compile the source code using the following command:
Install the library using the following command:
Location of the configuration file.
The default location of the config file is /etc/softhsm2.conf. This location can be changed by setting the environment variable.
Details on the configuration can be found in "man softhsm2.conf".
Initialize your tokens.
Use either softhsm-util or the PKCS#11 interface. The SO PIN can be used, for example, to re-initialize the token; the user PIN is handed out to the application so that it can interact with the token.
Type in SO PIN and user PIN.
Once a token has been initialized, more slots will be added automatically with a new uninitialized token.
- Link to this library and use the PKCS#11 interface
All of the tokens and their objects are stored in the location given by softhsm2.conf. Backup can thus be done as a regular file copy.
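The file-copy backup described above, as an added example that is not part of the SoftHSM distribution. It assumes the token store is named by the `directories.tokendir` key in softhsm2.conf; the function names and the backup destination are hypothetical.

```shell
#!/bin/sh
# Added example (not SoftHSM project code): back up the SoftHSM token store.
# Assumption: softhsm2.conf names the store with "directories.tokendir".

# Print the token directory configured in the given softhsm2.conf.
token_dir() {
    sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed only if the directory grants no access to group or others.
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# List a checksum for every file under a directory, in a stable order.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do cksum "$f"; done )
}

# Copy the token store into a new timestamped directory under $2,
# verify the copy, and print its path.
# Usage (hypothetical destination): backup_tokens /etc/softhsm2.conf /secure/backups
backup_tokens() {
    conf=$1 dest_root=$2
    src=$(token_dir "$conf")
    [ -n "$src" ] && [ -d "$src" ] ||
        { echo "token directory not found in $conf" >&2; return 1; }
    # A store readable by other accounts is a finding to fix, not to copy.
    owner_only "$src" ||
        { echo "refusing: $src is accessible to group/others" >&2; return 2; }
    dest="$dest_root/softhsm-tokens.$(date +%Y%m%dT%H%M%S)"
    # umask 077 keeps the backup owner-only from the moment it is created.
    ( umask 077 && mkdir -p "$dest" && cp -Rp "$src/." "$dest/" ) || return 3
    [ "$(manifest "$src")" = "$(manifest "$dest")" ] ||
        { echo "verification failed for $dest" >&2; return 4; }
    echo "$dest"
}
```

Run it while no application is writing to the token, and protect the copy with the same care as the live token directory, since it holds the same objects.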