PKCS#11

Blockdaemon provides a library that lets you integrate your application with Builder Vault through the PKCS #11 interface. The library has several advanced security features:

| Feature | Security advantage |
|---|---|
| Configuration protected at rest | The protected configuration prevents an attacker from extracting the Builder Vault TSM credentials from the PKCS #11 configuration. |
| PKCS #11 attributes stored and validated on each MPC node | Distributed checking mitigates permission change attacks: an attacker would have to modify the (protected) permission attributes on at least t+1 MPC nodes, where t is the security threshold. |
| Key shared across MPC nodes | The keys stored in the PKCS #11 module are split between the MPC nodes and secured using MPC algorithms, like all other keys protected by the Builder Vault. |

Getting Started

To get started, follow these steps.

First, you need access to an instance of the Builder Vault TSM. One way to get this is with a local deployment of the Builder Vault, as described in our quick start guide.

Then you must ensure that the configuration of each MPC node allows PKCS #11 operations. See TSM PKCS #11 Configuration for more about this.

Then download the PKCS #11 library from our Nexus repository. It is packaged in a tar.gz file together with the configuration tool, the PKCS #11 module and the header files. Contact the Blockdaemon support team to obtain credentials for this. Then download the library like this (the -O flag saves the archive under its remote file name instead of writing it to standard output):

curl -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} -O https://nexus.sepior.net/repository/libtsmclient/tsm-pkcs11-linux-amd64-68.0.0.tar.gz

Note that credentials passed with -u are visible in the process list and shell history for the duration of the command; keeping them in environment variables, as above, rather than typing them inline avoids leaving them in the history.

After this, you can create a protected configuration using the configuration tool as described in PKCS #11 Configuration. The protected configuration needs to be placed either in a file called pkcs11.toml in the working directory, or in a file pointed to by the environment variable PKCS11_CONFIGURATION_FILE.