HSM

Hardware Security Modules

Nitro Key Setup

Install Packages:

pacman -Sy ccid opensc pcsc-tools 

Start services:

systemctl enable pcscd
systemctl start pcscd

Initialize device

Create Device Key Encryption Key for device:

sc-hsm-tool --create-dkek-share dkek-share-1.pbe
[...]
DKEK share created and saved to dkek-share-1.pbe

Initialize HSM:

sc-hsm-tool --initialize --so-pin 5555555555555555 --pin 111111 --dkek-shares 1
# The SO-PIN must be exactly 16 hexadecimal characters

Import DKEK to HSM:

>>> sc-hsm-tool --import-dkek-share dkek-share-1.pbe 
Using reader with a card: Nitrokey Nitrokey HSM (DENK01019190000         ) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 1
DKEK key check value : 72B07918E5C4F686

Change the SO-PIN:

pkcs11-tool --login --login-type so --so-pin 5555555555555555 --change-pin --new-pin [NEW_PIN]

Change the Key PIN:

pkcs11-tool --login --pin 111111 --change-pin --new-pin [NEW_PIN]

Create Keys

Find out what keys can be created:

pkcs11-tool -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA224, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={192,521}, hw, sign, verify, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDSA-SHA384, keySize={192,521}, sign, verify
  ECDSA-SHA512, keySize={192,521}, sign, verify
  ECDSA-SHA1, keySize={192,521}, hw, sign, verify, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDSA-SHA224, keySize={192,521}, hw, sign, verify, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDSA-SHA256, keySize={192,521}, hw, sign, verify, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDH1-COFACTOR-DERIVE, keySize={192,521}, hw, derive, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDH1-DERIVE, keySize={192,521}, hw, derive, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDSA-KEY-PAIR-GEN, keySize={192,521}, hw, generate_key_pair, EC F_P, EC parameters, EC OID, EC uncompressed
  RSA-X-509, keySize={1024,4096}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,4096}, sign, verify
  SHA224-RSA-PKCS, keySize={1024,4096}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, sign, verify
  SHA384-RSA-PKCS, keySize={1024,4096}, sign, verify
  SHA512-RSA-PKCS, keySize={1024,4096}, sign, verify
  MD5-RSA-PKCS, keySize={1024,4096}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,4096}, sign, verify
  RSA-PKCS-PSS, keySize={1024,4096}, hw, sign, verify
  SHA1-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  SHA224-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  SHA256-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  SHA384-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  SHA512-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, generate_key_pair

Create RSA Key:

pkcs11-tool --login --pin 111111 --keypairgen --key-type rsa:2048 --id 10 --label "GeneralZer0 GPG Key"
pkcs11-tool --login --pin 111111 --keypairgen --key-type rsa:4096 --id 11 --label "GeneralZer0 GPG Key"

Create ECDSA Key:

pkcs11-tool --login --pin 111111 --keypairgen --key-type EC:prime256v1 --id 20 --label "GeneralZer0 SSH Key"
pkcs11-tool --login --pin 111111 --keypairgen --key-type EC:prime192v1 --id 21 --label "GeneralZer0 SSH Key"
pkcs11-tool --login --pin 111111 --keypairgen --key-type EC:brainpoolP192r1 --id 22 --label "GeneralZer0 SSH Key"
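
The mechanism listing decides which `--key-type` values the token will accept. The script below is an added example, not part of the original page: it checks a requested key type against `pkcs11-tool -M` output before you run `--keypairgen`. The names `can_generate`, `curve_bits` and `SAMPLE_MECHS` are introduced here, and the curve-size lookup covers only the curves used on this page.

```shell
#!/bin/sh
# Added example: validate a --key-type argument against `pkcs11-tool -M` output.

# Constructed sample: lines copied from the mechanism listing on this page.
SAMPLE_MECHS='Supported mechanisms:
  ECDSA-KEY-PAIR-GEN, keySize={192,521}, hw, generate_key_pair, EC F_P, EC parameters, EC OID, EC uncompressed
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, generate_key_pair'

# Field size in bits for the curves used on this page (a lookup added for
# this example; extend it for other curve names).
curve_bits() {
    case "$1" in
        prime192v1|brainpoolP192r1) echo 192 ;;
        prime256v1) echo 256 ;;
        *) return 1 ;;
    esac
}

# can_generate KEYTYPE: reads the mechanism listing on stdin, prints a verdict,
# returns 0 if the token offers key-pair generation for that type and size.
can_generate() {
    kind=${1%%:*}
    param=${1#*:}
    case "$kind" in
        rsa|RSA) mech=RSA-PKCS-KEY-PAIR-GEN; bits=$param ;;
        ec|EC)   mech=ECDSA-KEY-PAIR-GEN
                 bits=$(curve_bits "$param") || { echo "unknown curve: $param"; return 2; } ;;
        *)       echo "unknown key type: $kind"; return 2 ;;
    esac
    awk -v mech="$mech" -v bits="$bits" '
        { sub(/^[ \t]+/, "") }
        # Match the exact mechanism name, not a longer one that shares its prefix.
        index($0, mech ",") == 1 && match($0, /keySize=[{][0-9]+,[0-9]+[}]/) {
            split(substr($0, RSTART + 9, RLENGTH - 10), lim, ",")
            found = 1
        }
        END {
            if (!found) { print "not offered: " mech; exit 1 }
            if (bits + 0 < lim[1] + 0 || bits + 0 > lim[2] + 0) {
                print bits " bits is outside " lim[1] "-" lim[2]; exit 1
            }
            print "ok"
        }'
}

# Demo on the constructed sample; on a real token: pkcs11-tool -M | can_generate rsa:4096
printf '%s\n' "$SAMPLE_MECHS" | can_generate rsa:4096
```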

Usage

Generate Random:

>>> pkcs11-tool --generate-random 15 | base64 
Using slot 0 with a present token (0x0)
oM6c34bXTLBc20mhkzki

List all of the keys:

pkcs11-tool --list-objects
pkcs15-tool --list-keys

Get Public Key:

pkcs15-tool --read-public-key 10

Test the HSM:

pkcs11-tool --test --login --pin 111111

Backup/Restore Keys

Use the DKEK to save the Keys:

>>> sc-hsm-tool --wrap-key wrap-key-1.bin --key-reference 1 --pin 111111
>>> sc-hsm-tool --wrap-key wrap-key-2.bin --key-reference 2 --pin 111111

Restore the keys:

sc-hsm-tool --unwrap-key wrap-key-1.bin --key-reference 1 --pin 111111
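
A file written by `--wrap-key` is encrypted under the device's DKEK, so it only unwraps on a device initialized with the same DKEK share(s). The script below is an added example, not part of the original page: it compares the "DKEK key check value" a device reports with the value recorded at backup time before any restore is attempted. The function names and sample variables are introduced here, and the 16-hex-digit length is taken from the output shown on this page.

```shell
#!/bin/sh
# Added example: confirm a restore target holds the DKEK the backup was wrapped under.

# Constructed sample: status lines as printed by the import step on this page.
SAMPLE_STATUS='DKEK share imported
DKEK shares          : 1
DKEK key check value : 72B07918E5C4F686'

# Constructed sample: a device that reports a share count but no check value.
SAMPLE_NO_KCV='DKEK shares          : 2'

# dkek_kcv: read sc-hsm-tool output on stdin, print the key check value in
# upper case; exit status 1 if no such line is present.
dkek_kcv() {
    awk -F: '
        /^DKEK key check value/ {
            gsub(/[ \t\r]/, "", $2); print toupper($2); found = 1; exit
        }
        END { exit !found }'
}

# check_restore_target RECORDED_KCV: device output on stdin. RECORDED_KCV is the
# value noted when the wrapped key files were written (16 hex digits, as in the
# output on this page).
check_restore_target() {
    recorded=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case "$recorded" in
        *[!0-9A-F]*) echo "recorded value is not hex"; return 2 ;;
    esac
    [ "${#recorded}" -eq 16 ] || { echo "recorded value is not 16 hex digits"; return 2; }
    device=$(dkek_kcv) || { echo "device reports no DKEK key check value"; return 1; }
    if [ "$device" = "$recorded" ]; then
        echo "match"
    else
        echo "mismatch: device DKEK is $device"
        return 1
    fi
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | check_restore_target 72b07918e5c4f686
```

Store the recorded check value next to the wrapped key files; it identifies the DKEK without revealing it.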

Using Nitro Key with OpenSSL

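The configuration file below loads the PKCS#11 engine so that OpenSSL can use the keys on the HSM. It holds the user PIN in plain text, so keep the file readable only by its owner.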

hsm.conf:

# PKCS11 engine config
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
PIN = 648219
init = 0

Launching OpenSSL with the config:

OPENSSL_CONF=./hsm.conf openssl engine  

Generating a Certificate Signing Request with OpenSSL:

OPENSSL_CONF=./hsm.conf openssl req -engine pkcs11 -keyform engine -new -key 1:10 -sha256 -out "generalzero.org.csr" -subj "/C=NY/ST=NY/L=NY/O=GeneralZer0/OU=/CN=generalzero.org"
# The 1:10 is the slotid:keyid

Generating a Self Signed Certificate with OpenSSL:

OPENSSL_CONF=./hsm.conf openssl req -engine pkcs11 -keyform engine -new -key 1:10 -nodes -days 3560 -x509 -sha256 -out "generalzero.org.crt" -subj "/C=NY/ST=NY/L=NY/O=GeneralZer0/OU=/CN=generalzero.org"
# The 1:10 is the slotid:keyid

Encrypt Data using OpenSSL:

# Export the public key of key id 10 to a PEM file
pkcs15-tool --read-public-key 10 > publickey.pem
# Encrypt with the public key (PKCS#1 v1.5 padding)
openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in smallfile -out encryptedsmallfile.pkcs1

Decrypting the data on the HSM (with pkcs15-crypt):

pkcs15-crypt --decipher --key 10 --input encryptedsmallfile.pkcs1 --pkcs1 --raw > decryptedsmallfile

Using Nitro Key with OpenSSH

Using Nitro Key with Thunderbird

Using Nitro Key with Apache

https://raymii.org/s/articles/Nitrokey_HSM_in_Apache_with_mod_nss.html