PKCS#11 Support

PKCS#11 support for Zymkey is now available from our main repo for Raspbian Jessie/Stretch/Buster and Ubuntu Bionic 64-bit. This package is called zkpkcs11 and can be installed on existing installations with:

sudo apt -y update
sudo apt -y upgrade

If you are working off of a fresh install of the Zymbit host packages as detailed in Getting Started, package zkpkcs11 will come over automatically.

We have based the zkpkcs11 package on the SoftHSM2 source code. We have added 2 extra features to this:

  1. Zymkey private keys can be used for signing by specifying --use-zkslot when creating a new key object with zk_pkcs11-util. This only applies to NIST-P256 (secp256r1) for Zymkey 4i. Future Zymbit products will support secp256k1 as well.
  2. Even though SoftHSM2 does key wrapping to protect its key objects, Zymbit goes a step further and protects all key material in its private object store with its data lock/unlock feature, even for slots that are Zymkey does not support, such as RSA. For example, if you wanted to setup a zkpkcs11 slot that was RSA, you could do that as well and, even though all actions would be done by OpenSSL in software on the host computer rather than the Zymkey, Zymkey would still use its lock/unlock feature to protect the generated RSA private key.

Example:
Let’s say you need to create a slot that uses Zymkey as the root of trust for ECDSA signature generation as part of a framework like AWS Greengrass.

  1. First, add your user account to the group zkpkcs11:
    sudo usermod -a -G zkpkcs11 <username>
  2. Exit and re-enter your ssh or console session for the new group to take effect.
  3. Initialize a new token at slot 0:
    zk_pkcs11-util --init-token --slot 0 --label "greengrass"
    Enter the SO PIN and the User PIN when prompted. Be sure to note the new slot reassignment when the message The token has been initialized and is reassigned to slot <new slot number> shows up.
  4. Create a new key object which specifies that a zymkey private key slot should be used. Here we’ll use Zymkey key slot 2:
    zk_pkcs11-util --use-zkslot 2 --slot <new slot number> --label iotkey --id 0000
    Be sure to use the slot reassignment that was printed out in step 3.

That’s it! You should now have a PKCS#11 object defined that knows how to use Zymkey when that slot is called out.