As softhsm2-util is not very well documented, I decided to support the cryptographic community by offering working usage examples of the main tool of SoftHSM2. This post shows how to initialize a SoftHSM slot and how to view your SoftHSM slots. These working examples are based on version 2.6.1 of SoftHSM2, which can be downloaded from the OpenDNSSEC website.
After installing SoftHSM2, you can check your slot configuration with the option --show-slots:
$ softhsm2-util --show-slots
Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot ID 0x0
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.6
        Firmware version: 2.6
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.6
        Firmware version: 2.6
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:
You will always see at least one token that is present but not initialized. After installation this is "Slot 0". You cannot use this slot until you initialize it:
$ softhsm2-util --init-token --slot 0 --label "label1" --pin 1234 --so-pin 1234
The token has been initialized and is reassigned to slot 1574641475
Now you can see the newly initialized slot "Slot 1574641475" and a new slot "Slot 1", which is prepared to be initialized whenever you need another slot:
$ softhsm2-util --show-slots
Available slots:
Slot 1574641475
    Slot info:
        Description:      SoftHSM slot ID 0x5ddb1f43
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.6
        Firmware version: 2.6
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.6
        Firmware version: 2.6
        Serial number:    3963656edddb1f43
        Initialized:      yes
        User PIN init.:   yes
        Label:            label1
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.6
        Firmware version: 2.6
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.6
        Firmware version: 2.6
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:
It is better to use --free instead of "--slot 0", so that the first free/uninitialized token is used.
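Because initialization reassigns the token to a new slot number (1574641475 above), a script should look the slot up by its label instead of hard-coding the number. The shell function below is an added example, not part of the original post; the names slot_for_label and sample_show_slots and the trimmed sample listing are constructed here, and the parser assumes the --show-slots layout shown above.

```shell
#!/bin/sh
# Added example: resolve a SoftHSM2 slot number from a token label.
# Input on stdin is the text printed by `softhsm2-util --show-slots`.
# Exit status: 0 = exactly one match (slot printed), 1 = none, 2 = ambiguous.
slot_for_label() {
    awk -v want="$1" '
        /^[ \t]*Slot [0-9]+[ \t]*$/ { slot = $2; init = "" }
        /^[ \t]*Initialized:/       { init = $2 }
        /^[ \t]*Label:/ {
            label = $0
            sub(/^[ \t]*Label:[ \t]*/, "", label)   # drop the field name
            sub(/[ \t\r]+$/, "", label)             # drop trailing padding
            # Only initialized tokens carry a usable label.
            if (init == "yes" && label == want) { hit = slot; n++ }
        }
        END {
            if (n == 1) { print hit; exit 0 }
            exit (n > 1 ? 2 : 1)
        }'
}

# Constructed sample: the listing shown above, trimmed to the parsed fields.
sample_show_slots() {
    cat <<'EOF'
Available slots:
Slot 1574641475
    Slot info:
        Description:      SoftHSM slot ID 0x5ddb1f43
    Token info:
        Serial number:    3963656edddb1f43
        Initialized:      yes
        Label:            label1
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
    Token info:
        Serial number:
        Initialized:      no
        Label:
EOF
}

# Real use: softhsm2-util --show-slots | slot_for_label label1
sample_show_slots | slot_for_label label1
```

Token labels are not required to be unique, so the function reports two tokens with the same label as ambiguous (exit status 2) instead of silently picking one.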
Now you have a slot identifiable by slot number "1574641475" which does not hold any key yet. You can import a cryptographic key using softhsm2-util with the option --import, or use any other PKCS#11-compatible tool like pkcs11-tool or openssl to generate symmetric or asymmetric keys.
I will show some examples of how to create AES, RSA and ECC keys in other related posts.