Quick Start
Set up SoftHSM2, generate your first RSA key pair, and sign data in minutes.
Core Components
Explore the C++ HSM abstraction layer, PKCS#11 daemon, and SoftHSM integration.
Guides
Step-by-step guides for key management, signing, post-quantum crypto, and SD card import.
API Reference
Full reference for the HSM C++ API, Vault, Crypto engine, and PKCS#11 functions.
What is HSM Work?
HSM Work is a C/C++ toolkit that simulates a Hardware Security Module (HSM) environment using SoftHSM2 and the PKCS#11 standard. It provides:
- PKCS#11 key operations — initialize tokens, generate RSA/EC key pairs, sign data, and export public keys via pkcs11-tool
- C++ HSM abstraction (hls-hsm) — a clean API for in-memory key generation and random byte generation
- Cryptographic daemon (pkcs11-daemon) — a persistent service managing RSA and post-quantum (Dilithium) keys in an SQLite-backed vault
- Post-quantum readiness — integrates liboqs for Dilithium key generation alongside classical RSA
- SD card key import — watches removable media ports and imports keys into the vault automatically
- Shell automation — hsm_sign_verify.sh for end-to-end sign/verify workflows
Architecture overview
Key features
PKCS#11 Standard
Full PKCS#11 compliance via SoftHSM2 — industry-standard interface for HSM operations on commodity hardware.
RSA Key Management
Generate 2048-bit RSA key pairs, sign with RSA-PKCS or ECDSA mechanisms, and export public keys in DER/PEM format.
Post-Quantum Crypto
Dilithium key generation via liboqs for quantum-resistant signatures alongside classical algorithms.
Persistent Key Vault
SQLite-backed vault in the PKCS#11 daemon stores key metadata and blobs for RSA and PQC key types.
SD Card Import
Background thread watches /media/sdcard* mount points and imports keys from removable media.
C++ Abstraction
The hls-hsm library provides a clean C++ API over raw PKCS#11 for RSA, AES key generation, and secure random bytes.