[openssl-users] OpenSSL Engine for TPM

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Jul 7 16:42:28 UTC 2017

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Blumenthal, Uri - 0553 - MITLL
> Sent: Friday, July 07, 2017 10:03
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] OpenSSL Engine for TPM
> And in most cases (except those involving TPM-based platform attestation,
> which I don’t think has anything to do with OpenSSL use cases),  a separate
> hardware token (like a smartcard, or an HSM) would IMHO be a much better
> and more usable choice. PKCS#11 engine (libp11) to access those is quite
> popular and works well.

Agreed. I've had good results with OpenSC-based devices such as the NitroKey HSM using the OpenSSL PKCS#11 engine. Requires installing the various prereqs and a bit of setup and experimentation, but it all works.

On Windows, the CAPI engine can also generally be used to drive HSMs, if they don't have a suitable PKCS#11 driver.

Michael Wojcik 
Distinguished Engineer, Micro Focus 
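A worked version of the libp11 route described in this message, as an added example that is not from the original post or from the libp11/OpenSC projects. It assumes Linux, OpenSSL 1.1-style dynamic engine loading, and the two library paths shown (these differ between distributions); the token label, key label and PIN are placeholders. The config-writing and URI-building helpers run without hardware; sign_with_token needs a real token (for instance a NitroKey HSM initialised with OpenSC).

```shell
#!/bin/sh
# Added example: drive a PKCS#11 token through OpenSSL's libp11 engine.
# Both paths below are assumptions; locate yours with e.g. `find / -name 'opensc-pkcs11.so'`.
MODULE=${MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}           # OpenSC PKCS#11 module (assumed path)
ENGINE=${ENGINE:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}      # libp11 engine (assumed path)

# Write a private OpenSSL config that loads the engine dynamically, so
# `openssl ... -engine pkcs11` works without touching the system openssl.cnf.
# The empty distinguished_name section keeps `openssl req` happy when -subj is used.
write_engine_conf() {
  cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE
MODULE_PATH = $MODULE
init = 0
[req]
distinguished_name = req_dn
[req_dn]
EOF
}

# Build an RFC 7512 PKCS#11 URI selecting a private key by token label and object label.
# Labels containing spaces or ';' must be percent-encoded by the caller.
pkcs11_uri() {
  printf 'pkcs11:token=%s;object=%s;type=private' "$1" "$2"
}

# Generate an RSA key pair on the token, produce a CSR signed by the on-token key
# (the private key never leaves the device), then verify the CSR's self-signature.
# Arguments: config-file token-label key-label user-PIN output-csr
sign_with_token() {
  conf=$1; token=$2; label=$3; pin=$4; out=$5
  pkcs11-tool --module "$MODULE" --login --pin "$pin" \
    --keypairgen --key-type rsa:2048 --label "$label"
  OPENSSL_CONF=$conf openssl req -new -engine pkcs11 -keyform engine \
    -key "$(pkcs11_uri "$token" "$label")" -passin "pass:$pin" \
    -subj "/CN=$label" -out "$out"
  openssl req -in "$out" -noout -verify
}

# Stand-alone use:  sh this.sh --run 'NitroKeyHSM' mykey 648219
if [ "${1:-}" = "--run" ]; then
  write_engine_conf ./pkcs11.cnf
  sign_with_token ./pkcs11.cnf "$2" "$3" "$4" ./token.csr
fi
```

Passing the PIN via `--pin`/`-passin pass:` exposes it to `ps` on a shared host; drop both arguments and let pkcs11-tool and the engine prompt for it when a person is at the keyboard. A quick sanity check before going further is `OPENSSL_CONF=./pkcs11.cnf openssl engine -t pkcs11`, which should report the engine as available.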

