[Opendnssec-user] SoftHSMv2: key extraction

Rick van Rein rick at openfortress.nl
Fri Jun 20 16:27:21 UTC 2014


Hello Petr,

> Unfortunately, it is an absolutely crucial feature and we can't migrate to v2 until we find a way to do key exports.

Are you talking about wrapped export, or plaintext export of private keys?

> I understand that it is not desirable to enable this by default; it is perfectly fine to provide key export in a separate binary (i.e. not built into softhsm2-util).

What you want is a bypass for private key protection… which is exactly what PKCS #11 is designed to avoid.

This sounds to me like you should not be looking for problem resolution in SoftHSM, but in the surrounding process.  It might transpire that your application is unsuitable for use with PKCS #11, or requires more advanced cryptography that can deal with encapsulated private keys.

Confused,
 -Rick

