PKCS#11
Blockdaemon provides a library that lets you integrate your application with Builder Vault through the PKCS #11 interface. The library has several advanced security features:
Feature | Security Advantage |
---|---|
Configuration protected at rest | Protected configuration prevents an attacker from extracting the Builder Vault TSM credentials from the PKCS #11 configuration. |
PKCS #11 attributes stored and validated on each MPC node | Distributed checking mitigates permission change attacks, and the attacker will have to modify the permission attributes (which are protected) on at least t+1 MPC nodes where t is the security threshold. |
Key shared across MPC nodes | The keys stored in the PKCS #11 module is split between the MPC nodes and secured using MPC algorithms as all other keys protected by the Builder Vault. |
Getting Started
To get started, the following steps need to be followed.
First you need access to an instance of the Builder Vault TSM. One way to get this is with a local deployment of the Builder Vault, as described in our quick start guide.
Then you must ensure that the configuration of each MPC node allows PKCS #11 operations. See TSM PKCS #11 Configuration for more about this.
Then download the PKCS #11 library from our Nexus repository. It is packaged in a tar.gz
file with the configuration tool, the PKCS #11 module and header files. Contact the Blockdaemon support team to obtain credentials for this. Then download the library like this:
curl -u ${NEXUS_USERNAME}:${NEXUS_PASSWORD} https://nexus.sepior.net/repository/libtsmclient/tsm-pkcs11-linux-amd64-68.0.0.tar.gz
After this, you can create a protected configuration using the configuration tool as described in PKCS #11 Configuration. The protected configuration need to be either placed in a file called pkcs11.toml
in the working directory, or you must set an environment variable PKCS11_CONFIGURATION_FILE
that points to the configuration file.
Updated 18 days ago