top of page
  • Writer's pictureFrank Yoo

PKCS#11? - Test with SoftHSM

In many instances PKCS#11 is still the choice of security protocol with many organisations and I need a quick way to fire up a virtual machine to quickly test some of my C/C++ code work when it comes to "working remotely" and when your broadband connection fails (or a slow Monday morning).

So I've been looking around for that magical container image that I could easily deploy and use, and magically it appears to me (thanks Google!) that OpenDNSSec had a software implementation of a generic cryptographic device with PKCS#11 interface, SoftHSM ( The good news is that it is free of charge and it would also allow me to test certain C/C++ code to write something generic enough for my own study and testing.

So off I went and decided to give it a try!


I tested deploying SoftHSM on Ubuntu 16.04 LTS. YMMV, but I suggest sticking with some Ubuntu/Debian variant as I do not know of the exact packages required on any RHEL-based system (and I promise to update this post when I have the details).

If you're interested in getting a Dockerfile, you may build your own container using the source files that are available on my github repo - if there is enough demand, I might even host it on the docker hub.

Let's get the basics sorted:

# apt-get install build-essential opensc libssl-dev wget uuid-runtime

That should cover most of the basic packages required for your SoftHSM installation. Next is to download the actual package (I specifically used 2.5.0 and the link is available here):

# wget <link_to_softhsm_release>

Once you've downloaded the tarball, extract the tarball and compile as required:

# tar xvfz <downloaded_tarball>
# ./configure
# make
# make install

This should have installed the packages into /usr/local/lib/softhsm correctly. If you wanted to install it into a different location, a simple "./configure --prefix=<path_to_install>" would have worked in the previous step as well.

And now you're ready!

Let's initialise SoftHSM (remember you'll need to set both the SO and USER PIN):

# softhsm2-util --init-token --slot 0 --label "Test Token"
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 344882282

If you've follow the guide from the beginning, you'll also note that the pkcs11-tool is included in the opensc package. Let's make sure it shows correctly:

# pkcs11-tool --module /usr/local/lib/softhsm/ -L
Available slots:
Slot 0 (0x148e7c6a): SoftHSM slot ID 0x148e7c6a
  token label        : Test Token
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : rng, login required, PIN initialized, token initialized, other flags=0x20
  hardware version   : 2.5
  firmware version   : 2.5
  serial num         : 13199250148e7c6a

Once you have confirmed that the slot matches the slot reassigned to (Tip: 344882282 is 0x148e7c6a in hexadecimal value), you can now go and create a new key:

# pkcs11-tool --module /usr/local/lib/softhsm/ -l -p 1234 -k --id `uuidgen | tr -d -` --label "Test RSA Key" --key-type rsa:2048
Using slot 0 with a present token (0x148e7c6a)
Key pair generated:
Private Key Object; RSA
  label:      Test RSA Key
  ID:         171e8b3e4be84668bde3a9a70b8c625f
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Test RSA Key
  ID:         171e8b3e4be84668bde3a9a70b8c625f
  Usage:      encrypt, verify, wrap

And that concludes how to setup SoftHSM. Let me know your thoughts!

1,878 views0 comments

Recent Posts

See All

Top 10 Reasons (Not) To Consider Ermetic

For many of us who embark on a new chapter, there comes a time where uncertainty quickly leads to anticipation, nervousness to excitement, and lack of knowledge to proficiency. Whilst excitement is an


bottom of page