[openssl-users] Storing private key on tokens

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Sep 27 18:02:23 UTC 2017

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Dmitry Belyavsky
> Sent: Wednesday, September 27, 2017 06:22
> To: openssl-users at openssl.org
> Subject: [openssl-users] Storing private key on tokens

> What is the most natural way to generate private keys using openssl but store them on a specific hardware tokens? 
> Reading/writing is implemented via engine mechanism.

The tokens / HSMs I've used don't let you generate a key somewhere else and install it on the token. They insist on doing the key generation locally. That is, after all, part of the point of using a token - the key never leaves it.

Some tokens and HSMs support key backup and restore, e.g. Nitrokey HSM's DKEK share mechanism, but that's deliberately not open to "restoring" some arbitrary private key onto the device.

So this wouldn't make much sense for the pkcs11 engine, even if PKCS#11 provided an API for it.

Michael Wojcik 
Distinguished Engineer, Micro Focus 

More information about the openssl-users mailing list