Appendices
Compatible PKCS #11 Devices
This section is informative. Knot DNS has been tested with several devices that claim to support the PKCS #11 interface. The following table indicates which algorithms and operations have been observed to work with each device; a "no" records that the operation was not observed to work in testing, not a guarantee that the device cannot do it. Note that Knot DNS reaches PKCS #11 modules through GnuTLS, so some algorithms additionally require a minimum GnuTLS library version.
Device | Key generate | Key import | ED25519 256-bit | ECDSA 256-bit | ECDSA 384-bit | RSA 1024-bit | RSA 2048-bit | RSA 4096-bit
---|---|---|---|---|---|---|---|---
Feitian ePass 2003 | yes | no | no | no | no | yes | yes | no
SafeNet Network HSM (Luna SA 4) | yes | no | no | no | no | yes | yes | yes
SoftHSM 2.0 [1] | yes | yes | yes | yes | yes | yes | yes | yes
Trustway Proteccio NetHSM | yes | ECDSA only | no | yes | yes | yes | yes | yes
Ultra Electronics CIS Keyper Plus (Model 9860-2) | yes | RSA only | no | yes | yes | yes | yes | yes
Utimaco SecurityServer (V4) [2] | yes | yes | no | yes | yes | yes | yes | yes
[1] The algorithms supported depend on the OpenSSL build on which SoftHSM relies. A command similar to the following may be used to list the mechanisms the module advertises and verify which algorithms are available:

    $ pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so -M

[2] Requires setting the number of background workers to 1 (`background-workers: 1` in the `server` section of the Knot DNS configuration).
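The mechanism listing printed by `pkcs11-tool -M` is long and does not say which of the table's algorithm columns a token can actually serve. The following script, an added example that is not part of the Knot DNS documentation or code base, parses such a listing and answers that question per algorithm. It assumes the mechanism names and `keySize={min,max}` format printed by OpenSC's pkcs11-tool, and it assumes the pairing of each DNSSEC algorithm with a key-pair-generation mechanism plus a raw signing mechanism (`RSA-PKCS`, `ECDSA`, `EDDSA`); the two embedded listings are constructed samples, not captured device output.

```shell
#!/bin/sh
# Added example (not Knot DNS project code): map pkcs11-tool -M output onto the
# algorithm columns of the compatibility table above.

# has_mech NAME BITS: read a mechanism listing on stdin and return 0 if a
# mechanism called NAME is present whose keySize={min,max} range covers BITS.
# Mechanisms printed without a keySize are treated as covering any size.
has_mech() {
    awk -v name="$1" -v bits="$2" '
        $1 == (name ",") || $1 == name {
            if (match($0, /keySize=[{][0-9]+,[0-9]+[}]/)) {
                split(substr($0, RSTART + 9, RLENGTH - 10), r, ",")
                if (bits + 0 < r[1] + 0 || bits + 0 > r[2] + 0) next
            }
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# supports_alg ALG: read a listing on stdin; return 0 if both the key-pair
# generation mechanism and the signing mechanism assumed for ALG are present
# at the required key size, 1 otherwise, 2 for an unknown ALG.
supports_alg() {
    mechs=$(cat)
    case $1 in
        ED25519)  gen=EC-EDWARDS-KEY-PAIR-GEN; sig=EDDSA;    bits=256  ;;
        ECDSA256) gen=ECDSA-KEY-PAIR-GEN;      sig=ECDSA;    bits=256  ;;
        ECDSA384) gen=ECDSA-KEY-PAIR-GEN;      sig=ECDSA;    bits=384  ;;
        RSA1024)  gen=RSA-PKCS-KEY-PAIR-GEN;   sig=RSA-PKCS; bits=1024 ;;
        RSA2048)  gen=RSA-PKCS-KEY-PAIR-GEN;   sig=RSA-PKCS; bits=2048 ;;
        RSA4096)  gen=RSA-PKCS-KEY-PAIR-GEN;   sig=RSA-PKCS; bits=4096 ;;
        *) echo "unknown algorithm: $1" >&2; return 2 ;;
    esac
    printf '%s\n' "$mechs" | has_mech "$gen" "$bits" &&
    printf '%s\n' "$mechs" | has_mech "$sig" "$bits"
}

# report: read a listing on stdin and print one "ALG: yes|no" line per
# table column. Feed a real module with:
#   pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so -M | report
report() {
    listing=$(cat)
    for alg in ED25519 ECDSA256 ECDSA384 RSA1024 RSA2048 RSA4096; do
        if printf '%s\n' "$listing" | supports_alg "$alg"; then
            echo "$alg: yes"
        else
            echo "$alg: no"
        fi
    done
}

# Constructed sample listings in pkcs11-tool -M format (not real device output).
SOFTHSM_LIKE='Supported mechanisms:
  SHA256, digest
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pair
  RSA-PKCS, keySize={512,16384}, encrypt, decrypt, sign, verify, wrap, unwrap
  ECDSA-KEY-PAIR-GEN, keySize={256,521}, generate_key_pair
  ECDSA, keySize={256,521}, sign, verify
  EC-EDWARDS-KEY-PAIR-GEN, keySize={256,448}, generate_key_pair
  EDDSA, keySize={256,448}, sign, verify'

RSA_ONLY_TOKEN='Supported mechanisms:
  SHA256, digest
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, hw, generate_key_pair
  RSA-PKCS, keySize={1024,2048}, hw, sign, verify'

echo "== software-HSM-like listing =="
printf '%s\n' "$SOFTHSM_LIKE" | report
echo "== RSA-only token listing =="
printf '%s\n' "$RSA_ONLY_TOKEN" | report
```

The RSA-only sample mirrors a profile like the first table row: key generation and RSA signing up to 2048 bits pass, RSA 4096 fails on the keySize range, and every EC column fails because no EC mechanism is advertised at all. A mechanism being listed is still only a necessary condition; the table records what was observed to work end to end through GnuTLS, which this check cannot replace.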