Skip to main content
The SDImporter class in pkcs11-daemon/sd_import.cpp monitors up to three SD card mount points and is intended to automatically import keys from removable media into the vault.
Key reading and import from the SD card is not yet implemented. The source contains a TODO at the point where key files would be read and passed to vault.store_key(). Detection of the mount point works, but no key material is transferred to the vault.

How it works

The SDImporter constructor takes a Vault reference, which it stores for use during import once that is implemented: 
SDImporter importer(vault);
The watch_ports() method polls three fixed paths every 10 seconds: 
void SDImporter::watch_ports() {
    while (true) {
        for (int port = 0; port < 3; port++) {
            std::string path = "/media/sdcard" + std::to_string(port);
            if (std::filesystem::exists(path)) {
                std::cout << "SD card detected at " << path << "\n";
                // TODO: safely import keys from SD card to vault
            }
        }
        std::this_thread::sleep_for(std::chrono::seconds(10));
    }
}
The three monitored paths are:
Mount pointPort index
/media/sdcard00
/media/sdcard11
/media/sdcard22

Thread integration

The daemon spawns the watcher on a background thread at startup, alongside vault initialization: 
Vault vault("vault.db");
vault.init();
SDImporter importer(vault);
std::thread sd_thread(&SDImporter::watch_ports, &importer);
The thread runs indefinitely. There is currently no shutdown signal or join call — the watcher exits when the daemon process terminates.

Intended workflow (planned)

Once the import logic is implemented, the workflow will be:
  1. An SD card mounts at /media/sdcard0 (or sdcard1, sdcard2)
  2. watch_ports() detects the path exists on the next poll cycle
  3. The watcher reads a key file from the SD card
  4. The key material is passed to vault.store_key(label, type, data)
  5. The key is available in vault.db for use by the daemon

Testing detection

You can verify that the watcher correctly detects mount points without physical hardware by creating the directory manually.
1

Start the daemon

Build and run the pkcs11-daemon. The SD watcher thread starts automatically.
./pkcs11-daemon
2

Create a simulated mount point

sudo mkdir -p /media/sdcard0
3

Wait for the next poll cycle

The watcher sleeps 10 seconds between polls. After up to 10 seconds, the daemon should print:
SD card detected at /media/sdcard0
4

Clean up

sudo rmdir /media/sdcard0
Detection confirms the polling loop and filesystem::exists check are working. No key data is read or written to the vault during this test — that code path is not yet implemented.

Build docs developers (and LLMs) love

Get started for freeTalk to us