How To Install SoftHSM on an Ubuntu 16.04 Server

SoftHSM is basically an implementation of a cryptographic store accessible through a PKCS #11 interface. The PKCS#11 interface is used to communicate or access the cryptographic devices such as HSM (Hardware Security Modules) and smart cards. The primary purpose of HSM devices is to generate cryptographic keys and sign/encrypt information without revealing the private key to the others.

To make it more easy to understand, it was not possible for OpenDNSSEC users to buy new hardware token for the storage of cryptographic keys. So, to counter this issue, OpenDNSSEC started providing "SoftHSM", a software implementation of a generic cryptographic device with a PKCS#11 interface. SoftHSM is designed to meet the requirements of OpenDNSSEC and also work with other cryptographic products. 


Botan or OpenSSL cryptographic libraries can be used with the SoftHSM project.  If Botan is used with SoftHSM, then make sure that it has support for GNU MP (--with-gnump), something which will improve the performance during public key operations. 

Installing SoftHSM

SoftHSM is available from the OpenDNSSEC website, and it can be download using the wget command in the following way.

sudo apt-get install openssl-dev
sudo wget

When download complete, extract the package using the tar command:

sudo tar -xzf softhsm-2.3.0.tar.gz

Now, run the configure script to check dependencies of the SoftHSM software.

sudo ./configure

Run the make command to compile the source code of SoftHSM.

sudo make

Next, run "make install command" to install the SoftHSM tool.

sudo make install

Configure SoftHSM

The default location of the config file is /etc/softhsm2.conf which can be changed by setting the SOFTHSM2_CONF environment variable.

export SOFTHSM2_CONF=Path_of_SoftHSM_Conf_file

Initialize Soft Token

The very first step to use SoftHSM is to use initialize it. We can use the "softhsm2-util" or the "PKCS#11" interface to initialize the device. The following snapshot shows the initialization of the SoftHSM device.

sudo softhsm2-util --init-token --slot 0 --label "Token-1"

The Security Officer (SO) PIN is used to re-initialize the token and the user PIN is handed out to the application so it can interact with the token (like usage with Mozilla Firefox). That's why, set both SO and user PIN. Once a token has been initialized, more slots will be added automatically to a new uninitialized token. Initialized tokens will be reassigned to another slot based on the token serial number. It is recommended to find and interact with the token by searching for the token label or serial number in the slot list/token info.


All tokens and their objects are stored in the location given by softhsm2.conf. Backup can thus be done as a regular file copy.

SoftHSM with OpenSC Utilities

In this tutorial, PKCS11 utilities of the OpenSC project are used to access the SoftHSM device.

sudo apt-get install opensc
sudo pkcs11-tool --module /usr/local/lib/softhsm/ -l -t

The "-t" switch is used to test the mechanism of SoftHSM.

You are done.
Powered by Blogger.