Hardware Security Modules


Nitrokey Setup

Install packages:

pacman -Sy ccid opensc pcsc-tools

Start services:

systemctl enable pcscd
systemctl start pcscd

Initialize device

Create a Device Key Encryption Key (DKEK) share for the device:

sc-hsm-tool --create-dkek-share dkek-share-1.pbe
[...]
DKEK share created and saved to dkek-share-1.pbe

Initialize HSM:

sc-hsm-tool --initialize --so-pin 55555555555555555 --pin 111111 --dkek-shares 1

Import DKEK to HSM:

>>> sc-hsm-tool --import-dkek-share dkek-share-1.pbe
Using reader with a card: Nitrokey Nitrokey HSM (DENK01019190000 ) 00 00
Enter password to decrypt DKEK share :
Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares : 1
DKEK key check value : 72B07918E5C4F686

Change the SO-PIN:

pkcs11-tool --login --login-type so --so-pin 55555555555555555 --change-pin --new-pin [NEW_PIN]

Change the Key PIN:

pkcs11-tool --login --pin 111111 --change-pin --new-pin [NEW_PIN]

Create Keys

Find out what keys can be created:

pkcs11-tool -M
Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA-1, digest
  SHA224, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={192,521}, hw, sign, verify, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDSA-SHA384, keySize={192,521}, sign, verify
  ECDSA-SHA512, keySize={192,521}, sign, verify
  ECDSA-SHA1, keySize={192,521}, hw, sign, verify, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDSA-SHA224, keySize={192,521}, hw, sign, verify, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDSA-SHA256, keySize={192,521}, hw, sign, verify, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDH1-COFACTOR-DERIVE, keySize={192,521}, hw, derive, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDH1-DERIVE, keySize={192,521}, hw, derive, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDSA-KEY-PAIR-GEN, keySize={192,521}, hw, generate_key_pair, EC F_P, EC parameters, EC OID, EC uncompressed
  RSA-X-509, keySize={1024,4096}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,4096}, sign, verify
  SHA224-RSA-PKCS, keySize={1024,4096}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, sign, verify
  SHA384-RSA-PKCS, keySize={1024,4096}, sign, verify
  SHA512-RSA-PKCS, keySize={1024,4096}, sign, verify
  MD5-RSA-PKCS, keySize={1024,4096}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,4096}, sign, verify
  RSA-PKCS-PSS, keySize={1024,4096}, hw, sign, verify
  SHA1-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  SHA224-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  SHA256-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  SHA384-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  SHA512-RSA-PKCS-PSS, keySize={1024,4096}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, generate_key_pair

Create RSA Key:

pkcs11-tool --login --pin 111111 --keypairgen --key-type rsa:2048 --id 10 --label "GeneralZer0 GPG Key"
pkcs11-tool --login --pin 111111 --keypairgen --key-type rsa:4096 --id 11 --label "GeneralZer0 GPG Key"

Create ECDSA Key:

pkcs11-tool --login --pin 111111 --keypairgen --key-type EC:prime256v1 --id 20 --label "GeneralZer0 SSH Key"
pkcs11-tool --login --pin 111111 --keypairgen --key-type EC:prime192v1 --id 21 --label "GeneralZer0 SSH Key"
pkcs11-tool --login --pin 111111 --keypairgen --key-type EC:brainpoolP192r1 --id 22 --label "GeneralZer0 SSH Key"
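
The mechanism listing can be checked before running --keypairgen. The script below is an added example, not part of the original notes: it parses the key-pair-generation lines of the pkcs11-tool -M output and tests whether a --key-type value falls inside the advertised keySize range. The function names (keygen_range, keytype_ok) are hypothetical, and the sample listing is a constructed excerpt in the same format as the output above.

```shell
#!/bin/sh
# Constructed sample: lines in the format `pkcs11-tool -M` prints.
# On a real system use: MECHS=$(pkcs11-tool -M)
MECHS='Using slot 0 with a present token (0x0)
Supported mechanisms:
  SHA256, digest
  ECDSA, keySize={192,521}, hw, sign, verify, EC F_P, EC parameters, EC OID, EC uncompressed
  ECDSA-KEY-PAIR-GEN, keySize={192,521}, hw, generate_key_pair, EC F_P, EC parameters, EC OID, EC uncompressed
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, generate_key_pair'

# keygen_range MECH: read a mechanism listing on stdin and print "min max"
# for MECH, but only if that mechanism advertises generate_key_pair.
keygen_range() {
    awk -v mech="$1" '
        { sub(/^[ \t]+/, "") }
        index($0, mech ",") == 1 && /generate_key_pair/ &&
        match($0, /keySize=[{][0-9]+,[0-9]+[}]/) {
            split(substr($0, RSTART + 9, RLENGTH - 10), r, ",")
            print r[1], r[2]; found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# keytype_ok TYPE: TYPE is a --key-type value such as rsa:2048 or EC:prime256v1.
# Returns 0 if the size lies inside the advertised range, non-zero otherwise.
# This is a range check only: a curve inside the range can still be unsupported.
keytype_ok() {
    kind=${1%%:*}; param=${1#*:}
    case "$kind" in
        rsa|RSA) mech=RSA-PKCS-KEY-PAIR-GEN; bits=$param ;;
        ec|EC)   mech=ECDSA-KEY-PAIR-GEN
                 # Assumption: the curve size is the first number in its name.
                 bits=$(printf '%s' "$param" | sed 's/^[^0-9]*\([0-9][0-9]*\).*/\1/') ;;
        *) return 2 ;;
    esac
    range=$(printf '%s\n' "$MECHS" | keygen_range "$mech") || return 1
    [ "$bits" -ge "${range% *}" ] 2>/dev/null && [ "$bits" -le "${range#* }" ]
}

# Check the key types used in this section, plus one that is out of range.
for t in rsa:2048 rsa:4096 EC:prime256v1 EC:brainpoolP192r1 rsa:8192; do
    if keytype_ok "$t"; then echo "$t: within advertised range"
    else echo "$t: NOT supported by this token"; fi
done
```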

Usage

Generate Random:

>>> pkcs11-tool --generate-random 15 | base64
Using slot 0 with a present token (0x0)
oM6c34bXTLBc20mhkzki

List all of the keys:

pkcs11-tool --list-objects
pkcs15-tool --list-keys

Get Public Key:

pkcs15-tool --read-public-key 10

Test the HSM:

pkcs11-tool --test --login --pin 111111

Backup/Restore Keys

Use the DKEK to save the Keys:

>>> sc-hsm-tool --wrap-key wrap-key-1.bin --key-reference 1 --pin 111111
>>> sc-hsm-tool --wrap-key wrap-key-2.bin --key-reference 2 --pin 111111

Restore the keys:

sc-hsm-tool --unwrap-key wrap-key-1.bin --key-reference 1 --pin 111111
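
A wrapped key file is encrypted under the DKEK, so it only unwraps on a device that holds the same DKEK. The script below is an added example, not part of the original notes: it compares the "DKEK key check value" lines that sc-hsm-tool prints for two devices before a restore is attempted. The function names (dkek_field, same_dkek) are hypothetical, and the second device's output is constructed sample data.

```shell
#!/bin/sh
# Status lines as printed by sc-hsm-tool after the DKEK import.
# ORIGINAL_OUT uses the value shown in these notes; REPLACEMENT_OUT is constructed.
ORIGINAL_OUT='DKEK share imported
DKEK shares : 1
DKEK key check value : 72B07918E5C4F686'
REPLACEMENT_OUT='DKEK share imported
DKEK shares          : 1
DKEK key check value : 0123456789ABCDEF'

# dkek_field NAME: read sc-hsm-tool output on stdin and print the value of
# the "NAME : value" line, upper-cased with whitespace removed.
dkek_field() {
    awk -F':' -v name="$1" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == name { v = $2; gsub(/[ \t]/, "", v); print toupper(v); found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# same_dkek OUT_A OUT_B: succeed only if both outputs carry a key check value
# and the two values are identical. Returns 2 if either output has none.
same_dkek() {
    a=$(printf '%s\n' "$1" | dkek_field 'DKEK key check value') || return 2
    b=$(printf '%s\n' "$2" | dkek_field 'DKEK key check value') || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

if same_dkek "$ORIGINAL_OUT" "$REPLACEMENT_OUT"; then
    echo "DKEK matches: wrap-key-1.bin can be unwrapped on the replacement device"
else
    echo "DKEK differs or is missing: import the same DKEK share before --unwrap-key"
fi
```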

Delete Keys

sudo pkcs11-tool --login --delete-object --type privkey --id 05

Using Nitrokey with OpenSSL

The configuration file below shows how to let OpenSSL use the HSM.

hsm.conf:

# PKCS11 engine config
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
# empty.
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
PIN = 648219
init = 0

Launching OpenSSL with the config:

OPENSSL_CONF=./hsm.conf openssl engine

Generating a Certificate Signing Request with OpenSSL:

# The 1:10 is the slotid:keyid
OPENSSL_CONF=./hsm.conf openssl req -engine pkcs11 -keyform engine -new -key 1:10 -sha256 -out "generalzero.org.csr" -subj "/C=NY/ST=NY/L=NY/O=GeneralZer0/OU=/CN=generalzero.org"

Generating a Self Signed Certificate with OpenSSL:

# The 1:10 is the slotid:keyid
OPENSSL_CONF=./hsm.conf openssl req -engine pkcs11 -keyform engine -new -key 1:10 -nodes -days 3560 -x509 -sha256 -out "generalzero.org.csr" -subj "/C=NY/ST=NY/L=NY/O=GeneralZer0/OU=/CN=generalzero.org"

Encrypt Data using OpenSSL:

# Export the public key to the file the next command reads
pkcs15-tool --read-public-key 10 > publickey.pem
# Encrypt with the public key
openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in smallfile -out encryptedsmallfile.pkcs1

Decrypting data with OpenSSL:

pkcs15-crypt --decipher --key 10 --input encryptedsmallfile.pkcs1 --pkcs1 --raw > decryptedsmallfile

Using Nitrokey with OpenSSH

Using Nitrokey with Thunderbird

Using Nitrokey with Apache

https://raymii.org/s/articles/Nitrokey_HSM_in_Apache_with_mod_nss.html