This feature is experimental, use at your own risk!

Slot IDs are deprecated; use the slot (token) label instead.
To enable it, compile PowerDNS Authoritative Server using the
``--enable-experimental-pkcs11`` flag on configure. This requires the
p11-kit libraries and headers.
You can also log on to the tokens after starting the server. In that case,
edit your PKCS#11 cryptokey record and remove the PIN or set it to empty,
which also keeps the PIN out of the backend. A PIN is required when
assigning keys to a zone.
Due to an interaction between `SoftHSM and Botan <https://github.com/PowerDNS/pdns/issues/2496>`__,
the PowerDNS Authoritative Server **will most likely** crash on exit when built with
``--enable-botan1.10 --enable-experimental-pkcs11``. This is the case with the
packages provided from the PowerDNS repositories.
To test this feature, a software HSM can be used. It is **not recommended**
to use a software HSM in production: its private keys are files on the
server's disk, not in tamper-resistant hardware.
Instructions on how to set up SoftHSM to work with the feature after
compilation on Ubuntu/Debian (tested with Ubuntu 12 and 14):

- ``apt-get install softhsm p11-kit opensc``
- Create the directory ``/etc/pkcs11/modules``.
- Add a file called ``softhsm`` there (on newer versions, use
  ``softhsm.module``) containing::

    module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so
    managed: yes

- Verify it works: ``p11-kit -l``
- Create at least two tokens (ksk and zsk); slot numbers start from 0::

    sudo softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin

- Using pkcs11-tool, initialize your new keys::

    sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number

- Assign the keys. Note that the token label is not necessarily the same as
  the object label; check it with ``p11-kit -l``::

    pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk

- Verify that everything worked; you should see valid data::

    pdnsutil show-zone zone

SoftHSM signatures are fast enough to be used in a live environment.
Instructions on how to use the CryptAS
`Athena IDProtect Key USB Token V2J <http://www.cryptoshop.com/products/smartcards/idprotect-key-j-laser.html>`__
Smart Card token on Ubuntu 14:

- Install the manufacturer's support software on your system and initialize
  the Smart Card token as per its instructions (do not use PIV).
- ``apt-get install p11-kit opensc``
- Create the directory ``/etc/pkcs11/modules``.
- Add a file called ``athena.module`` there containing::

    module: /lib64/libASEP11.so

- Verify it worked with ``p11-kit -l``; the output should resemble the
  listing below. Do not continue if the token does not show up::

    athena: /lib64/libASEP11.so
        library-description: ASE Cryptoki
        library-manufacturer: Athena Smartcard Solutions
        token: IDProtect#0A50123456789
            manufacturer: Athena Smartcard Solutions
            serial-number: 0A50123456789
- Using pkcs11-tool, initialize your new keys. After this, IDProtect
  Manager can no longer show your token certificates and keys, at least

  ::

    pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
    pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk

- Verify that the keys are there::

    $ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
    Using slot 0 with a present token (0x0)
    Public Key Object; RSA 2048 bits
      Usage:      encrypt, verify, wrap
    Public Key Object; RSA 2048 bits
      Usage:      encrypt, verify, wrap
    Private Key Object; RSA
      Usage:      decrypt, sign, unwrap
    Private Key Object; RSA
      Usage:      decrypt, sign, unwrap

  Both key pairs must be listed: for the KSK and for the ZSK, a public key
  with ``verify`` usage and a private key with ``sign`` usage.
- Assign the keys using::

    pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk

- Verify that everything worked; you should see valid data::

    pdnsutil show-zone zone

Note that the physical token is quite slow, so you have to use it on a
hidden master: it has been observed to produce about 1.5 signatures per
second.
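Added example, not PowerDNS code and not taken from the page: a pre-flight script that serves both the SoftHSM and the Athena procedure above. It reads the token label out of ``p11-kit -l`` (the label ``pdnsutil hsm assign`` wants, which need not equal the object label given to ``pkcs11-tool -a``), confirms from ``pkcs11-tool -O`` that each object label has a public key with ``verify`` usage and a private key with ``sign`` usage, and only then runs the two ``pdnsutil hsm assign`` commands and ``show-zone``. The environment variables, the ``PDNS_HSM_APPLY`` guard and the exact layout of the two tool outputs are assumptions; the sample listings inside the script are constructed after the ones on this page, not captured from a device.

```shell
#!/bin/sh
# Pre-flight checks before `pdnsutil hsm assign`, for both the SoftHSM and the
# Athena procedures above. Added example, not PowerDNS code. Assumed rather than
# taken from the page: the exact layout of `p11-kit -l` and `pkcs11-tool -O`
# output (the constructed samples below mirror the listings on this page), the
# environment variables used for configuration, and that nothing is executed
# against the token unless PDNS_HSM_APPLY=1 is set.

# Print the token label(s) that `p11-kit -l` (on stdin) lists under module $1.
# This is what `pdnsutil hsm assign` expects as token-label; it is not
# necessarily the object label given to pkcs11-tool with -a.
p11kit_token_labels() {
    awk -v mod="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur); next }   # e.g. "athena: /lib64/libASEP11.so"
        cur == mod && $1 == "token:" {
            sub(/^[ \t]*token:[ \t]*/, ""); print            # keep the label verbatim
        }'
}

# Succeed only if the `pkcs11-tool -O` listing on stdin shows, for object label
# $1, a public key usable for verify AND a private key usable for sign.
pkcs11_key_check() {
    awk -v want="$1" '
        /^(Public|Private) Key Object/ { kind = $1; label = ""; next }
        $1 == "label:" { sub(/^[ \t]*label:[ \t]*/, ""); label = $0; next }
        $1 == "Usage:" && label == want {
            if (kind == "Private" && /sign/)   priv = 1
            if (kind == "Public"  && /verify/) pub  = 1
        }
        END { if (pub && priv) exit 0; exit 1 }'
}

# Constructed sample outputs (not captured from real devices), shaped like the
# listings above, so the two parsers can be exercised offline.
SAMPLE_P11KIT='athena: /lib64/libASEP11.so
    library-description: ASE Cryptoki
    library-manufacturer: Athena Smartcard Solutions
    token: IDProtect#0A50123456789
        manufacturer: Athena Smartcard Solutions
        serial-number: 0A50123456789
softhsm: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so
    library-description: Implementation of PKCS11
    token: zone-ksk
    token: zone-zsk'

SAMPLE_PKCS11TOOL='Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      zone-ksk
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
  label:      zone-zsk
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      zone-ksk
  Usage:      decrypt, sign, unwrap
Private Key Object; RSA
  label:      zone-zsk
  Usage:      decrypt, sign, unwrap'

# assign_one ksk|zsk OBJECT_LABEL [SLOT_INDEX]: check the key pair, then assign it.
assign_one() {
    kind=$1; lbl=$2; slot_opt=${3:+--slot-index $3}   # left unquoted below on purpose
    # Prefer the token whose label equals the object label (the two-token SoftHSM
    # layout above); otherwise use the module's first token (single-token Athena).
    token=$(printf '%s\n' "$TOKENS" | grep -Fx -- "$lbl" || printf '%s\n' "$TOKENS" | head -n 1)
    pkcs11-tool --module="$MODULE_PATH" $slot_opt -l -p "$PIN" -O | pkcs11_key_check "$lbl" ||
        { echo "no sign/verify key pair labelled $lbl on token $token; stopping" >&2; return 1; }
    pdnsutil hsm assign "$ZONE" rsasha256 "$kind" "$MODULE" "$token" "$PIN" "$lbl"
}

# MODULE is the name used in /etc/pkcs11/modules (softhsm or athena), MODULE_PATH
# its .so, ZONE the zone name, PIN the user PIN; KSK_LABEL/ZSK_LABEL default to
# the object labels used on this page, KSK_SLOT/ZSK_SLOT are optional slot indexes.
hsm_preflight_and_assign() {
    : "${MODULE:?}" "${MODULE_PATH:?}" "${ZONE:?}" "${PIN:?}"
    TOKENS=$(p11-kit -l | p11kit_token_labels "$MODULE")
    [ -n "$TOKENS" ] || { echo "p11-kit -l shows no token for module $MODULE; stopping" >&2; return 1; }
    assign_one ksk "${KSK_LABEL:-zone-ksk}" "${KSK_SLOT:-}" &&
    assign_one zsk "${ZSK_LABEL:-zone-zsk}" "${ZSK_SLOT:-}" &&
    pdnsutil show-zone "$ZONE"
}

if [ "${PDNS_HSM_APPLY:-0}" = 1 ]; then hsm_preflight_and_assign; fi
```

For the SoftHSM layout above this would be run as ``MODULE=softhsm MODULE_PATH=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so ZONE=zone PIN=some-pin KSK_SLOT=0 ZSK_SLOT=1 PDNS_HSM_APPLY=1 sh hsm-assign.sh``; for the Athena token, ``MODULE=athena MODULE_PATH=/lib64/libASEP11.so`` with no slot indexes. As with the ``pdnsutil hsm assign`` command itself, the PIN is visible in the process list and shell history while this runs.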