[Opendnssec-user] How to get started with SoftHSM + OpenDNSSEC?

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Feb 7 10:27:04 UTC 2011


On 5 feb 2011, at 17.07, Eivind Olsen wrote:

> Since this is (initially) just for myself, I'll not be spending money on a
> hardware HSM, so I'm planning on using the SoftHSM, preferably on
> FreeBSD. The basic concept should still be the same if I ever get to do
> this in a larger scale with more stringent security requirements, but I'd
> then quite possibly be using a hardware HSM solution instead of the
> SoftHSM?

Yes, no problem. They are using the same interface. Just do a key rollover when switching HSMs.

> Am I meant to just make up a unique ID for the "--id" part? Perhaps just
> incrementing by 1 every time?
> Is there any "best practices" regarding what to put as the label?

The important thing is to pick an ID that does not exist. Since you are adding the first key, then the choice is yours.

OpenDNSSEC uses something similar to UUID: 32 random hex characters. It is very unlikely that the generated ID exists, but we do check if it exists just to be sure. When I import keys I usually just pick a number, e.g. 1000, and then increment this number by one for each key.

> And will I assign a separate "--slot" for each key?

You can store all of the keys in one slot. Or as OpenDNSSEC calls it, repository.

> Is there some way I can list the contents of the SoftHSM database? Such
> as, seeing which keys are in it? "softhsm --show-slots" only lists the
> slots, not the keys kept there.

If the slot in SoftHSM is configured with OpenDNSSEC, then you can do this:
ods-hsmutil list

or you can use the tool from OpenSC:
pkcs11-tool --module /usr/local/lib/libsofthsm.so -O --slot 1 --pin 1234

> Am I somewhat on the right track, or have I gotten it all completely wrong?

You are on the right track. More info can be found here:
http://www.opendnssec.org/documentation/using-opendnssec/#13

// Rickard
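As an added example (not code from this thread, OpenDNSSEC or SoftHSM), here is a small Python helper that pulls the existing IDs out of a pkcs11-tool -O listing and picks an unused --id, either the way Rickard describes OpenDNSSEC doing it (32 random hex characters, rechecked against the slot) or by incrementing a chosen starting number. The listing text is a constructed sample and the function names are my own.

```python
import re
import secrets

# Constructed sample of what `pkcs11-tool --module libsofthsm.so -O --slot 1 --pin 1234`
# prints; the objects and IDs are made up for this example.
SAMPLE_LISTING = """\
Private Key Object; RSA
  label:      ods-zsk-example
  ID:         1000
  Usage:      sign
Public Key Object; RSA 2048 bits
  label:      ods-zsk-example
  ID:         1000
  Usage:      verify
Private Key Object; RSA
  label:      imported-ksk
  ID:         3f2a9c0d5e7b4a1c8d6e2f0b9a7c5d4e
  Usage:      sign
"""

# pkcs11-tool shows CKA_ID as a hex string, one "ID:" line per object.
ID_LINE = re.compile(r"^\s*ID:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def existing_ids(listing: str) -> set:
    """Collect every CKA_ID (lower-case hex) found in a pkcs11-tool -O dump."""
    return {m.group(1).lower() for m in ID_LINE.finditer(listing)}


def random_key_id(taken: set, draw=lambda: secrets.token_hex(16), attempts: int = 16) -> str:
    """OpenDNSSEC style: 32 random hex characters, re-drawn if the ID already exists.
    `draw` is only a parameter so the collision path can be tested deterministically."""
    for _ in range(attempts):
        candidate = draw().lower()  # 16 random bytes -> 32 hex characters
        if candidate not in taken:
            return candidate
    raise RuntimeError("could not find an unused 32-hex-character ID")


def next_numeric_id(taken: set, start: int = 0x1000) -> str:
    """Manual-import style: start at a chosen number and step by one until unused.
    --id values are hex strings, so the counter is compared and returned as hex."""
    n = start
    while format(n, "x") in taken:
        n += 1
    return format(n, "x")
```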
