Appendices
Compatible PKCS #11 Devices
This section is informative. Knot DNS has been tested with several devices that claim to support the PKCS #11 interface. The following table indicates which algorithms and operations have been observed to work. Note the minimum GnuTLS library version required for support of a particular algorithm. Factors such as firmware and Cryptoki module version might affect the outcome.
| Device | Generate | Import | EDDSA | ECDSA | RSA | Tested |
|---|---|---|---|---|---|---|
| Utimaco SecurityServer (V4) [1] | yes | yes | n/a | 256, 384 | 1024, 2048, 4096 | 2018-09 |
| Trustway Proteccio NetHSM | yes | ECDSA only | n/a | 256, 384 | 1024, 2048, 4096 | 2019-03 |
| Ultra Electronics CIS Keyper Plus (Model 9860-2) | yes | RSA only | n/a | 256, 384 | 1024, 2048, 4096 | 2020-01 |
| SoftHSM 2.0 [2] | yes | yes | ed25519, ed448 | 256, 384 | 1024, 2048, 4096 | 2025-12 |
| Luna Cloud HSM (non-FIPS) | yes | n/a | n/a | 256, 384 | 1024, 2048, 4096 | 2025-11 |
| Luna Network HSM (non-FIPS) | yes | n/a | ed448 | 256, 384 | 1024, 2048, 4096 | 2025-12 |
| Securosys Primus HSM and CloudHSM (non-FIPS) | yes | yes | ed25519, ed448 | 256, 384 | 1024, 2048, 4096 | 2025-12 |

[1] Requires setting the number of background workers to 1!

[2] Algorithms supported depend on support in OpenSSL on which SoftHSM relies. A command similar to the following may be used to verify what algorithms are supported:

```
$ pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so -M
```