Skip to main content
Version: v43

Generic PKCS#11 HSM Provider

PrivX can be configured at install time to use a generic PKCS#11 HSM. You can use this for testing PrivX with HSMs that are not explicitly supported.

info

SSH does not provide support for the generic PKCS#11 HSM configuration option. Using it in production deployments is not recommended.

The following configuration options are prompted when configuring PrivX to use the generic-pkcs11 provider:

  • PKCS#11 provider library path
  • Slot
  • Pin
  • Optional feature flags:
    • ecdsa-enabled: Enable ECDSA support
    • aes-gcm-zero-iv: Supply all-zeros IV for AES-GCM encrypt and let HSM generate the IV
    • aes-gcm-luna-random-iv: Supply zero length IV for AES-GCM encrypt and let HSM generate the IV (used with Thales Luna)
    • aes-gcm-padding: Pad input to AES-GCM encrypt using the PKCS#7 padding method
    • sym-key-size-in-bits: HSM reports symmetric key size in bits
    • fips-mode: Disable functionality that is not supported when HSM is in FIPS mode
    • serialize-ops: Serialize all PKCS#11 provider library calls
    • disable-object-cache: Disable internal object handle caching
    • vormetric-mode: Enable Thales Vormetric DSM specific functionality
    • ncipher-mode: Enable nShield HSM specific functionality
    • sym-key-size-in-bits: Symmetric key sizes reported in bits instead of bytes
    • ignore-key-size: Omit supported key size check
    • key-id-in-label: Store key ID in CKA_LABEL instead of CKA_ID
    • aes-gcm-tag-prefix: Prepends the AEAD tag before the ciphertext when using AES/GCM decryption
    • private-key-specify-modulus-bits: Specify modulus size in private key template
    • private-key-id-label: Specify key ID label in private key template
    • skip-pub-key-deletion: Skip deleting public key when deleting keypair
    • exact-key-search-only: Only use search by exact key ID
    • explicit-no-export: Explicitly define CKA_EXTRACTABLE=false when creating non-exportable keys
    • ec-curve-oid-as-hex: Encode the elliptic curve OID as ASCII hex string
  • Keyvault symmetric-encryption algorithm:
    • AES128withGCM: AES-GCM with 128 bit key size
    • AES256withGCM: AES-GCM with 256 bit key size
    • AES128withGCMPkcs7Pad: AES-GCM with 128 bit key size using PKCS#7 padding for plaintext
    • AES256withGCMPkcs7Pad: AES-GCM with 256 bit key size using PKCS#7 padding for plaintext