Note
This feature is experimental, use at your own risk!
Deprecated since version 4.0.0: slot IDs are deprecated, and you are expected to use the slot label instead.
To enable it, compile PowerDNS Authoritative Server using the --enable-experimental-pkcs11 flag on configure. This requires you to have the p11-kit libraries and headers.
You can also log on to the tokens after starting the server; in this case you need to edit your PKCS#11 cryptokey record and remove the PIN or set it to empty. The PIN is required for assigning keys to a zone.
Warning
Due to an interaction between SoftHSM and Botan,
the PowerDNS Authoritative Server will most likely crash on exit when built with --enable-botan1.10 --enable-experimental-pkcs11.
This is the case with the packages provided from the PowerDNS repositories.
To test this feature, a software HSM can be used. It is not recommended to use this in production.
Instructions on how to set up SoftHSM to work with the feature after compilation on Ubuntu/Debian (tested with Ubuntu 12 and 14):

- apt-get install softhsm p11-kit opensc
- Create the directory /etc/pkcs11/modules
- Add a file called 'softhsm' there (on newer versions, use softhsm.module) with:

```
module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so
managed: yes
```

- Verify it works: p11-kit -l
- Create at least two tokens (ksk and zsk) with (slot-number starts from 0):

```
sudo softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin
```
Using pkcs11-tool, initialize your new keys:

```
sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number
```

Assign the keys using (note that the token label is not necessarily the same as the object label; see p11-kit -l):

```
pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk
```

Verify that everything worked; you should see valid data there:

```
pdnsutil show-zone zone
```
SoftHSM signatures are fast enough to be used in live environment.
Instructions on how to use the CryptAS [Athena IDProtect Key USB Token V2J](http://www.cryptoshop.com/products/smartcards/idprotect-key-j-laser.html) Smart Card token on Ubuntu 14:

- Install the manufacturer's support software on your system and initialize the Smart Card token as per its instructions (do not use PIV).
- apt-get install p11-kit opensc
- Create the directory /etc/pkcs11/modules
- Add a file called 'athena.module' with content:

```
module: /lib64/libASEP11.so
managed: yes
```
Verify it worked; it should resemble the output below. Do not continue if this does not show up.

```
$ p11-kit -l
athena: /lib64/libASEP11.so
    library-description: ASE Cryptoki
    library-manufacturer: Athena Smartcard Solutions
    library-version: 3.1
    token: IDProtect#0A50123456789
        manufacturer: Athena Smartcard Solutions
        model: IDProtect
        serial-number: 0A50123456789
        hardware-version: 1.0
        firmware-version: 1.0
        flags:
            rng
            login-required
            user-pin-initialized
            token-initialized
```
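The check above (the module and an initialised token must appear in p11-kit -l before you go on) and the earlier caveat that the token label is not the key's object label can be scripted. This is an added example, not part of the PowerDNS documentation; the listing is constructed from the output above, and the zone name and PIN are placeholders.

```python
# Added example, not PowerDNS code: validate `p11-kit -l` output before `pdnsutil hsm assign`.
# Constructed sample, copied from the Athena listing shown above.
SAMPLE_P11KIT_OUTPUT = """\
athena: /lib64/libASEP11.so
    library-description: ASE Cryptoki
    token: IDProtect#0A50123456789
        model: IDProtect
        flags:
            rng
            login-required
            user-pin-initialized
            token-initialized
"""
REQUIRED_FLAGS = {"token-initialized", "user-pin-initialized"}  # needed before assigning keys


def parse_p11kit(text):
    """Return {module: {"path": str, "tokens": {token_label: set_of_flags}}}."""
    modules, module, token, in_flags = {}, None, None, False
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():                # "module-name: /path/to/lib.so"
            name, _, path = line.partition(":")
            module = modules.setdefault(name, {"path": path.strip(), "tokens": {}})
            token, in_flags = None, False
        elif line.startswith("token:"):         # token label, not the key's object label
            token, in_flags = line.split(":", 1)[1].strip(), False
            module["tokens"][token] = set()
        elif line == "flags:":
            in_flags = True
        elif in_flags and ":" not in line and token is not None:
            module["tokens"][token].add(line)   # one flag per indented line
        else:
            in_flags = False                    # some other "key: value" attribute
    return modules


def token_problems(modules, module_name, token_label):
    """Reasons this token cannot be used yet; an empty list means it is ready."""
    if module_name not in modules:
        return [f"module {module_name!r} not listed by p11-kit -l"]
    flags = modules[module_name]["tokens"].get(token_label)
    if flags is None:
        return [f"token {token_label!r} not found (token label is not the object label)"]
    return [f"missing flag {f}" for f in sorted(REQUIRED_FLAGS - flags)]


def assign_argv(modules, module_name, token_label, zone, key_kind, object_label,
                pin="PIN_PLACEHOLDER", algorithm="rsasha256"):
    """argv for the `pdnsutil hsm assign` command from the text, refusing an unusable token."""
    problems = token_problems(modules, module_name, token_label)
    if problems:
        raise ValueError("; ".join(problems))
    return ["pdnsutil", "hsm", "assign", zone, algorithm, key_kind,
            module_name, token_label, pin, object_label]
```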
Using pkcs11-tool, initialize your new keys. After this, IDProtect Manager can no longer show your token certificates and keys, at least on version v6.23.04.

```
pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk
```
Verify that the keys are there:

```
$ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      zone-ksk
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
  label:      zone-zsk
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      zone-ksk
  Usage:      decrypt, sign, unwrap
Private Key Object; RSA
  label:      zone-zsk
  Usage:      decrypt, sign, unwrap
```
Assign the keys using:

```
pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
```

Verify that everything worked; you should see valid data there:

```
pdnsutil show-zone zone
```

Note that the physical token is quite slow, so you have to use it as a hidden master. It has been observed to produce about 1.5 signatures/second.