OpenSC pkcs11-tool PKCS#11

Configuration of OpenSC pkcs11-tool

Configuration example for: pkcs11-tool is a command line tool to test functions and perform operations of a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.

PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart card type of key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at

This post is part of #CryptoCorner my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and unsecure implemented key management.

Usage and configuration of a PKCS#11 module

You can either specify the PKCS#11 module with the parameter –module e.g.

$ pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/ 

or you can define the default PKCS#11 module in the pkcs11-tool configuration file /etc/pkcs11/modules/.module

Uncommend whatever PKCS#11 library you are working with.

$ more /etc/pkcs/modules/.module
#module: /usr/local/lib/softhsm/
#module: /usr/local/lib/
module: /usr/lib/x86_64-linux-gnu/

What are these libraries? – The PKCS#11 library of SoftHSM2 a popular software defined key store. – The Yubico PKCS#11 library for all YubiKey token with smart card PIV functionallity. Install and compile Yubico yubico-piv-tool. – The popular OpenSC PKCS#11 library supporting many smart cards and PKI token. Install or compile opensc to use this software interface.

Related Posts

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.