OpenSSL Engine

This document describes how to configure HSMs with the OpenSSL engine by using PKCS #11 libraries. For additional questions related to your HSM, see the relevant administrator guide.

Application description

From the main OpenSC - libp11 page on GitHub (https://github.com/OpenSC/libp11):

OpenSSL implements various cipher, digest, and signing features, and it can consume and produce keys. However, plenty of people think that these features should be implemented in separate hardware, like USB tokens, smart cards, or HSMs. Therefore, OpenSSL has an abstraction layer, engine, which can delegate some of these features to different software or hardware.

engine_pkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL. That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine API. Register the engine with OpenSSL and provide the path the PKCS#11 module should gateway to. Do this by editing the OpenSSL configuration file, using engine-specific controls, or using the p11-kit proxy module.
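
The configuration-file method mentioned above, as an added illustration (not taken from the libp11 page or from any HSM vendor guide). Both file paths are placeholders: replace them with the location of the libp11 engine on your system and the PKCS#11 library supplied for your HSM.

```ini
# This line must appear at the top of openssl.cnf, before the first [section].
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# Name on the left is arbitrary; it points to the section that configures the engine.
pkcs11 = pkcs11_section

[pkcs11_section]
# Engine ID that applications and the openssl CLI refer to (-engine pkcs11).
engine_id = pkcs11

# Placeholder: path to the libp11 engine shared object. The real directory
# depends on the OpenSSL build and the distribution.
dynamic_path = /path/to/engines/pkcs11.so

# Placeholder: path to the PKCS#11 module the engine should gateway to,
# that is, the library shipped by the HSM vendor.
MODULE_PATH = /path/to/vendor/pkcs11-module.so

# The engine also accepts a PIN control in this section. Leaving it out keeps
# the token PIN out of a world-readable configuration file; the PIN is then
# requested when a key on the token is first used.

# Defer engine initialization until the engine is first used.
init = 0
```

With this in place, `openssl engine -t pkcs11` reports whether the engine loaded and is available.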

Guardian integration