Generic PKCS#11 HSM Provider

PrivX can be configured at install time to use a generic PKCS#11 HSM. You can use this for testing PrivX with HSMs that are not explicitly supported.

SSH does not provide support for the generic PKCS#11 HSM configuration option. Using it in production deployments is not recommended.

The following configuration options are prompted when configuring PrivX to use the generic-pkcs11 provider:

  • PKCS#11 provider library path
  • Slot
  • Pin
  • Optional feature flags:
    • aes-gcm-zero-iv: Supply all-zeros IV for AES-GCM encrypt and let HSM generate the IV
    • aes-gcm-luna-random-iv: Supply zero length IV for AES-GCM encrypt and let HSM generate the IV (used with Safenet Luna)
    • aes-gcm-padding: Pad input to AES-GCM encrypt using the PKCS#7 padding method
    • sym-key-size-in-bits: HSM reports symmetric key size in bits
    • fips-mode: Disable functionality that is not supported when HSM is in FIPS mode
    • serialize-ops: Serialize all PKCS#11 provider library calls
    • disable-object-cache: Disable internal object handle caching
    • vormetric-mode: Enable Thales Vormetric DSM specific functionality
    • ncipher-mode: Enable nCipher HSM specific functionality
  • Keyvault symmetric-encryption algorithm:
    • AES128withGCM: AES-GCM with 128 bit key size
    • AES256withGCM: AES-GCM with 256 bit key size
    • AES128withGCMPkcs7Pad: AES-GCM with 128 bit key size using PKCS#7 padding for plaintext
    • AES256withGCMPkcs7Pad: AES-GCM with 256 bit key size using PKCS#7 padding for plaintext

Was this page helpful?