This small repo sets up two different containers:
- A container representing an HSM that exposes a PKCS#11 interface over TLS;
- A container representing an HSM client that connects to it.
This aims to show how a test environment can be set up without needing dedicated hardware. This POC works thanks to:
- SoftHSM, a software implementation of a Hardware Security Module;
- pkcs11-proxy, a proxy for accessing the remote PKCS#11 HSM interface. It consists of a daemon on the server side plus a client module on the client side.
The only dependency for this repo to work is Docker. For a better overview of the software used, please refer to the specific Dockerfiles.
The containers could probably be smaller, and for a more mature solution a multi-stage build should be considered.
- Clone the repo and jump into the repo directory:
git clone https://github.com/rbroggi/softhsm-daemon.git
cd softhsm-daemon
- Build the daemon image:
docker build -t softhsm-daemon .
- Build the client image:
docker build -t softhsm-client -f Dockerfile.client .
- Run the daemon image in a container named 'hsm':
docker run -d --name hsm softhsm-daemon
- Run the client image (in interactive mode) in a container linked to the daemon container:
docker run --rm -it --link=hsm:hsm softhsm-client bash
- From within the client container list the slots in the daemon container:
pkcs11-tool --module=/usr/local/lib/libpkcs11-proxy.so -L
In this setup the connection between the two containers is encrypted with TLS. See the following variables in the image definitions:
- PKCS11_DAEMON_SOCKET
- PKCS11_PROXY_SOCKET
- PKCS11_PROXY_TLS_PSK_FILE
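As an added example (not code from this repo), the script below ties the build/run steps above to the TLS variables: it generates the pre-shared key file that PKCS11_PROXY_TLS_PSK_FILE points to, checks that it is private and well-formed before use, and starts both containers with the same file mounted. It assumes the psktool-style line format "identity:hexkey" used by pkcs11-proxy and that both images honour a PKCS11_PROXY_TLS_PSK_FILE override (check the Dockerfiles); the mount path /run/psk.txt is a constructed choice.

```shell
#!/bin/sh
# Added example, not part of the softhsm-daemon repo: create and sanity-check
# the pre-shared key file that PKCS11_PROXY_TLS_PSK_FILE points to, then start
# both containers with the same file mounted in. Assumes the psktool-style
# format "identity:hexkey" (one line per client) and that both images honour
# a PKCS11_PROXY_TLS_PSK_FILE override (assumption, check the Dockerfiles).
set -eu

# Write one identity with a random 256-bit key, mode 0600.
gen_psk_file() {            # $1 = path, $2 = identity
    key=$(openssl rand -hex 32 2>/dev/null || od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    ( umask 077; printf '%s:%s\n' "$2" "$key" > "$1" )
}

# Succeed only if the file is private (0600/0400) and every non-empty line is
# "identity:hexkey" with a key of at least 32 hex digits (128 bits).
check_psk_file() {          # $1 = path
    [ -f "$1" ] || { echo "missing PSK file: $1" >&2; return 1; }
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        600|400) ;;
        *) echo "PSK file $1 is readable by others (mode $perms)" >&2; return 1 ;;
    esac
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in *:*) ;; *) echo "no ':' in line: $line" >&2; return 1 ;; esac
        id=${line%%:*}; key=${line#*:}
        [ -n "$id" ] || { echo "empty identity: $line" >&2; return 1; }
        case "$key" in *[!0-9a-fA-F]*|'')
            echo "key for '$id' is not hex" >&2; return 1 ;;
        esac
        [ ${#key} -ge 32 ] && [ $((${#key} % 2)) -eq 0 ] ||
            { echo "key for '$id' too short or odd length" >&2; return 1; }
    done < "$1"
}

# Start the daemon, then list slots from the client through the TLS-PSK proxy.
run_containers() {          # $1 = PSK file (shared by both sides)
    docker run -d --name hsm -v "$1:/run/psk.txt:ro" \
        -e PKCS11_PROXY_TLS_PSK_FILE=/run/psk.txt softhsm-daemon
    docker run --rm --link=hsm:hsm -v "$1:/run/psk.txt:ro" \
        -e PKCS11_PROXY_TLS_PSK_FILE=/run/psk.txt softhsm-client \
        pkcs11-tool --module=/usr/local/lib/libpkcs11-proxy.so -L
}

# Usage: sh psk.sh ./psk.txt [identity]   (the key file is created if missing)
if [ "$#" -ge 1 ]; then
    [ -f "$1" ] || gen_psk_file "$1" "${2:-client}"
    check_psk_file "$1"
    run_containers "$1"
fi
```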