PKCS#11 Support

PKCS#11 support for Zymkey is now available from our main repo for Raspbian Jessie/Stretch/Buster and Ubuntu Bionic 64-bit. This package is called zkpkcs11 and can be installed on existing installations with:

sudo apt -y update
sudo apt -y upgrade

If you are working off of a fresh install of the Zymbit host packages as detailed in Getting Started, package zkpkcs11 will come over automatically.

We have based the zkpkcs11 package on the SoftHSM2 source code. We have added 2 extra features to this:

1. Zymkey private keys can be used for signing by specifying --use-zkslot when creating a new key object with zk_pkcs11-util. This only applies to NIST-P256 (secp256r1) for Zymkey 4i. Future Zymbit products will support secp256k1 as well.
2. Even though SoftHSM2 does key wrapping to protect its key objects, Zymbit goes a step further and protects all key material in its private object store with its data lock/unlock feature, even for slots that are Zymkey does not support, such as RSA. For example, if you wanted to setup a zkpkcs11 slot that was RSA, you could do that as well and, even though all actions would be done by OpenSSL in software on the host computer rather than the Zymkey, Zymkey would still use its lock/unlock feature to protect the generated RSA private key.

Example:
Let’s say you need to create a slot that uses Zymkey as the root of trust for ECDSA signature generation as part of a framework like AWS Greengrass.

1. First, add your user account to the group zkpkcs11:
   sudo usermod -a -G zk_pkcs11 <username>
2. Exit and re-enter your ssh or console session for the new group to take effect.
3. Initialize a new token at slot 0:
   zk_pkcs11-util --init-token --slot 0 --label "greengrass"
   Enter the SO PIN and the User PIN when prompted. Be sure to note the new slot reassignment when the message The token has been initialized and is reassigned to slot <new slot number> shows up.
4. Create a new key object which specifies that a zymkey private key slot should be used. Here we’ll use Zymkey key slot 2:
   zk_pkcs11-util --use-zkslot 2 --slot <new slot number> --label iotkey --id 0000
   Be sure to use the slot reassignment that was printed out in step 3.

That’s it! You should now have a PKCS#11 object defined that knows how to use Zymkey when that slot is called out.

When I give command
sudo usermod -a -G zkpkcs11 username
I’m getting response like this
usermod:group ‘zkpkcs11’ does not exist

what is the issue?

There was a typo in our post. The group name is ‘zk_pkcs11’.

Thank you.But Now it is telling
usermode:user ‘username’ does not exist

how and where to create user?

The username is whatever your account username is. For example, the default user on Raspbian is ‘pi’, so the command would be:
sudo usermod -a -G zk_pkcs11 pi

I got this error while creating a new key object:

$ zk_pkcs11-util --init-token --slot 0 --label "greengrass"
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 419907394
$ zk_pkcs11-util --use-zkslot 2 --slot 419907394 --label iotkey --id 0000
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
ERROR: Could not save the private key in the token. Maybe the algorithm is not supported.

We’ll look into this soon.

Hi Micah,
I tried the same two commands and did not get any error. Can you confirm which model PI you are using, as well as the OS version? Do you have the Zymkey installed and bound, i.e. is the blue LED flashing once every three seconds?

Hey Bob,

I’m using a Raspberry Pi 4 Model B Rev 1.2 on:

$ uname -a
Linux server 5.3.0-1023-raspi2 #25~18.04.1-Ubuntu SMP Tue Apr 14 13:23:56 UTC 2020 aarch64 aarch64 aarch64 GNU/Linux

Yes, the Zymkey is installed and bound. I’m using its lock and unlock functions through the Python API successfully.

Thank you for the information. I see the same issue as you now. We’ll look into it.