How to install and use SoftHSM on Ubuntu 16.04 LTS

Hardware/software tokens or Hardware Security Modules (HSM) are used with different applications to store cryptographic keys (public & private ) and certificates. For example, NitroKey and Smartcard-HSM are a couple of HSMs. However, there also exist some software alternatives like SoftHSM(v2), which, specifically, is being developed as a part of the OpenDNSSEC project..

SoftHSM is basically an implementation of a cryptographic store accessible through a PKCS #11 interface. The PKCS#11 interface is used to communicate or access the cryptographic devices such as HSM (Hardware Security Modules) and smart cards. The primary purpose of HSM devices is to generate cryptographic keys and sign/encrypt information without revealing the private key to the others.

To give you a quick background, it was not possible for OpenDNSSEC users to buy new hardware token for the storage of cryptographic keys. So, to counter this issue, OpenDNSSEC started providing "SoftHSM", a software implementation of a generic cryptographic device with a PKCS#11 interface. SoftHSM is designed to meet the requirements of OpenDNSSEC and also work with other cryptographic products. 


Botan or OpenSSL cryptographic libraries can be used with the SoftHSM project.  If Botan is used with SoftHSM, then make sure that it has support for GNU MP (--with-gnump), something which will improve the performance during public key operations. 


SoftHSM is available from the OpenDNSSEC website, and it can be download using the wget command in the following way.


Now, extract the package using the tar command in the following way.

After extraction, run the configure script to check dependencies of the SoftHSM software.


The following snapshot shows that the configure script shows an error due to missing "OpenSSL header" package.

So resolve this, install the "openssl-dev" package in the way highlighted as below.

apt-get install openssl-dev

The output of the configure script shows that all required packages are now available for the compilation of the tool.

The following snapshot shows the options available for the configure script of the SoftHSM tool.

All options offered by the configure script can be accessed through the following command:

./configure --help 
--disable-ecc		Disable support for ECC (default enabled)
--disable-gost		Disable support for GOST (default enabled)
--disable-visibility	Disable hidden visibilty link mode [enabled]
--with-crypto-backend	Select crypto backend (openssl|botan)
--with-openssl=PATH	Specify prefix of path of OpenSSL
--with-botan=PATH	Specify prefix of path of Botan
--with-migrate		Build the migration tool. Used when migrating
			a SoftHSM v1 token database. Requires SQLite3
			Build with database object store (SQLite3)
--with-sqlite3=PATH	Specify prefix of path of SQLite3
--disable-p11-kit	Disable p11-kit integration (default enabled)
--with-p11-kit=PATH	Specify install path of the p11-kit module, will
			override path given by pkg-config

Now, run the make command to compile the source code of SoftHSM.


Next, run "make install command" to install the SoftHSM tool.

make install

Configuration file

The default location of the config file is /etc/softhsm2.conf which can be changed by setting the SOFTHSM2_CONF environment variable.

export SOFTHSM2_CONF=Path_of_SoftHSM_Conf_file

The default setting of SoftHSM is shown in the following snapshot.

Initialize Soft Token

The very first step to use SoftHSM is to use initialize it. We can use the "softhsm2-util" or the "PKCS#11" interface to initialize the device. The following snapshot shows the initialization of the SoftHSM device.

 softhsm2-util --init-token --slot 0 --label "Token-1" 

The Security Officer (SO) PIN is used to re-initialize the token and the user PIN is handed out to the application so it can interact with the token (like usage with Mozilla Firefox). That's why, set both SO and user PIN. Once a token has been initialized, more slots will be added automatically to a new uninitialized token. Initialized tokens will be reassigned to another slot based on the token serial number. It is recommended to find and interact with the token by searching for the token label or serial number in the slot list/token info.

Other options of the "softhsm2-util" are shown below. 

The following snapshot shows the slots of the token.


All tokens and their objects are stored in the location given by softhsm2.conf. Backup can thus be done as a regular file copy.

SoftHSM with OpenSC Utilities                                                                                                           

In this tutorial, PKCS11 utilities of the OpenSC project are used to access the SoftHSM device. Details about the installation and usage of "OpenSC" is available on howtoforge site.

apt-get install opensc


The following snapshot shows that PKCS#11 command is run on the SoftHSM. The "-t" switch is used to test the mechanism of SoftHSM.

pkcs11-tool --module /usr/local/lib/softhsm/ -l -t


In this article, we discussed how the software-based HSM tool SoftHSM can be installed and initialized on the Ubuntu platform. It can be configured using PKCS11 standard for the HSM/Smartcard to access the devices.

Share this page:

0 Comment(s)

Add comment

Please register in our forum first to comment.