Skip to main content
HSM Work is a software toolkit for hardware security module (HSM) simulation and cryptographic operations. It is designed for embedded and firmware development teams who need a reproducible, software-based HSM environment for key generation, signing, and post-quantum cryptography — without requiring physical HSM hardware.
HSM Work uses SoftHSM2 as its token backend, which fully implements the PKCS#11 interface. All key material is stored in software and is suitable for development and testing environments.

Components

hls-hsm

A C++17 library that wraps common HSM operations — RSA key generation, AES key generation, random byte generation, and key retrieval — behind a clean HSM class interface.

pkcs11-daemon

A long-running C++ daemon that manages a SQLite-backed key vault, auto-imports keys from SD card ports, and initializes both RSA and post-quantum (Dilithium) keys on startup.

SoftHSM2 integration

Shell tooling and scripts that interface with SoftHSM2 via pkcs11-tool for token initialization, RSA key pair generation, signing, and signature verification.

Architecture

┌─────────────────────────────────────────────────────────────┐
│                        Applications                         │
│              (firmware build tools, CI pipelines)           │
└────────────────────┬────────────────────┬───────────────────┘
                     │                    │
          ┌──────────▼──────────┐  ┌──────▼──────────────────┐
          │      hls-hsm        │  │     pkcs11-daemon        │
          │  (C++ HSM library)  │  │  (key vault + watcher)  │
          │                     │  │                          │
          │  HSM::init()        │  │  Vault (SQLite3)         │
          │  generate_rsa_key() │  │  SDImporter              │
          │  generate_aes_key() │  │  Crypto::generate_rsa()  │
          │  get_key()          │  │  Crypto::pqc_generate()  │
          │  get_random_bytes() │  │  (Dilithium / liboqs)    │
          └──────────┬──────────┘  └──────────────────────────┘

          ┌──────────▼──────────────────────────────────────────┐
          │                  SoftHSM2 token                      │
          │         PKCS#11 interface (libsofthsm2.so)           │
          │                                                      │
          │  pkcs11-tool  ──►  sign / verify / keygen            │
          │  hsm_sign_verify.sh  ──►  automated sign+verify      │
          └──────────────────────────────────────────────────────┘

System requirements

RequirementDetails
Operating systemLinux (Debian/Ubuntu recommended)
SoftHSM2Token backend for PKCS#11 operations
OpenSC / pkcs11-toolPKCS#11 command-line interface
OpenSSLPublic key export and signature verification
liboqsPost-quantum cryptography (Dilithium) for pkcs11-daemon
SQLite3Key vault storage for pkcs11-daemon
CMake3.20 or later
Compilergcc/g++ with C++17 support
The pkcs11-daemon component depends on liboqs for post-quantum key generation (Crypto::pqc_generate()). If you only need the hls-hsm library and SoftHSM2 signing workflow, liboqs is not required.

Next steps

Quickstart

Install prerequisites and complete a full sign and verify workflow in under 10 minutes.

hls-hsm library

Explore the C++ HSM class, its methods, and how to integrate it into your build with CMake.

pkcs11-daemon

Learn how the daemon manages key storage, SD card import, and post-quantum key initialization.

Sign and verify

Detailed reference for the hsm_sign_verify.sh script and manual signing workflows.

Build docs developers (and LLMs) love

Get started for freeTalk to us