SoftHSM is basically an implementation of a cryptographic store accessible through a PKCS #11 interface. The PKCS#11 interface is used to communicate or access the cryptographic devices such as HSM (Hardware Security Modules) and smart cards. The primary purpose of HSM devices is to generate cryptographic keys and sign/encrypt information without revealing the private key to the others.
To make it more easy to understand, it was not possible for OpenDNSSEC users to buy new hardware token for the storage of cryptographic keys. So, to counter this issue, OpenDNSSEC started providing "SoftHSM", a software implementation of a generic cryptographic device with a PKCS#11 interface. SoftHSM is designed to meet the requirements of OpenDNSSEC and also work with other cryptographic products.
Dependencies
Botan or OpenSSL cryptographic libraries can be used with the SoftHSM project. If Botan is used with SoftHSM, then make sure that it has support for GNU MP (--with-gnump), something which will improve the performance during public key operations.
Installing SoftHSM
SoftHSM is available from the OpenDNSSEC website, and it can be download using the wget command in the following way.sudo apt-get install openssl-dev
sudo wget https://dist.opendnssec.org/source/softhsm-2.3.0.tar.gz
When download complete, extract the package using the tar command:
sudo tar -xzf softhsm-2.3.0.tar.gz
Now, run the configure script to check dependencies of the SoftHSM software.
sudo ./configure
Run the make command to compile the source code of SoftHSM.
sudo make
Next, run "make install command" to install the SoftHSM tool.
sudo make install
Configure SoftHSM
The default location of the config file is /etc/softhsm2.conf which can be changed by setting the SOFTHSM2_CONF environment variable.export SOFTHSM2_CONF=Path_of_SoftHSM_Conf_file
Initialize Soft Token
The very first step to use SoftHSM is to use initialize it. We can use the "softhsm2-util" or the "PKCS#11" interface to initialize the device. The following snapshot shows the initialization of the SoftHSM device.sudo softhsm2-util --init-token --slot 0 --label "Token-1"
The Security Officer (SO) PIN is used to re-initialize the token and the user PIN is handed out to the application so it can interact with the token (like usage with Mozilla Firefox). That's why, set both SO and user PIN. Once a token has been initialized, more slots will be added automatically to a new uninitialized token. Initialized tokens will be reassigned to another slot based on the token serial number. It is recommended to find and interact with the token by searching for the token label or serial number in the slot list/token info.
Backup
All tokens and their objects are stored in the location given by softhsm2.conf. Backup can thus be done as a regular file copy.SoftHSM with OpenSC Utilities
In this tutorial, PKCS11 utilities of the OpenSC project are used to access the SoftHSM device.sudo apt-get install opensc
sudo pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l -t
The "-t" switch is used to test the mechanism of SoftHSM.
You are done.