PKCS #11 Configuration

The PKCS #11 configuration is protected against tampering and access tokens like API Key are encrypted. To facilitate creation of a protected configuration, the pkcs11-config-tool is part of the release. The configuration is encrypted with the PIN that is used to login to the PKCS #11 library.

This tool offers two ways to create a configuration, as explained below.

Protect an Unprotected Configuration

The configuration contains a Library definition and some nodes that represent the MPC nodes that the library will use to handle the PKCS #11 objects. An example of a configuration can be seen here:

[Library]
Label="Configuration Label"
LogLevel="Info"

[Nodes.0]
Address="http://localhost:8080"
APIKey="apikey0"

[Nodes.1]
Address="http://localhost:8081"
APIKey="apikey1"

[Nodes.2]
Address="http://localhost:8082"
APIKey="apikey2"

The tool can help create a protected configuration from an unprotected configuration. This can either be done using a command line prompt to input password to prevent giving passwords on the command line:

$ ./pkcs11-config-tool protect -config pkcs11-clear.toml -out pkcs11.toml
Input password:     
$ 

As an alternative, the password can also be provided on stdin, which allows for automated creation of the protected configuration:

$ echo -n "password" | ./pkcs11-config-tool protect -config pkcs11-clear.toml -out pkcs11.toml -stdin

📘

Protect your password

Note that the above use of the echo command will show the password in the command history, so it should not be used for any sensitive password.

A more secure alternative is to echo an environment variable set by the system or to use cat from some file that contains the password.

Create Configuration from Scratch

The tool will also assist the user in creating a configuration from scratch. This is done on the command line:

$ ./pkcs11-config-tool create -out pkcs11.toml
Input Library Label:       My Library

Input Add Node (yes/no):   yes
Input Node Index (int):    0
Input Node Address:        http://localhost:8080
Input Node API Key:        apikey0

Input Add Node (yes/no):   yes
Input Node Index (int):    1
Input Node Address:        http://localhost:8081
Input Node API Key:        apikey1

Input Add Node (yes/no):   yes
Input Node Index (int):    2
Input Node Address:        http://localhost:8082
Input Node API Key:        apikey2

Input Add Node (yes/no):   no

Input password:      
$