PKCS11 Software token for symmetric keys

Rick van Rein rick at openfortress.nl
Thu Jul 6 21:10:40 UTC 2023


Hello Hrithik,

>  1.  Do you know if softVMS is considered production ready/hardened - some of the literature made me think it was intended to be a software stopgap before an actual HSM was put into place.

Yes, it is production ready.

However, in general, a software HSM is always a stopgap measure.  The big idea of PKCS #11 is to have an API behind which secret/private keys are protected from sharing.  This basically depends on having a hardware device that can control such access without interference from the operating system.  Any software HSM (the H meaning hardware...) conflicts with that idea.

There are situations where this is still meaningful, but it really depends on your use case.  And compared to an actual Hardware Security Module it will always be a stopgap measure — one that you explicitly asked for.

The protection of stored secrets in SoftHSMv2 is based on encryption with the User PIN.  Since a weak PIN to use an HSM is a bad idea if ever I saw one, this is a reasonable approach, and perhaps the best you could have with a software PKCS #11 implementation.

>  2.  The environment I'm working in is IBM PASE (Under IBM i) - any idea if this has already been ported there?

No idea.  But since it is open source, why don't you have a go?  The more compliant the platform is to POSIX interfaces, the fewer problems you should have.  If it works, you may want to report back to the project, with or without patches that make it work for you, so it would then be ported and/or listed as working/portable.  They'll like that and you'll have donated back for a great gift.

I would also like to hear (on this list) if it worked for you.


Another option you might consider is the Mozilla PKCS #11 implementation, which is used in Firefox and Thunderbird.  It is likely to be much more entwined with other components, while SoftHSMv2 is a stand-alone package.


Good luck,
   -Rick