Skip to main content

PKCS#11 Proxy Key Configurations

Basic Settings

The basic settings section defines the common metadata for a PKCS#11 Proxy key configuration and identifies which key storage driver OTPKI will use for this configuration.

PKCS#11 Proxy key configuration basic settings

Name

Use Name to give the key configuration a clear label that operators can recognize later when selecting storage for keys or reviewing existing configurations.

Description

Use Description to record the purpose of the configuration, the environment it belongs to, or any operational notes that will help administrators distinguish it from other PKCS#11 Proxy configurations.

Key Storage Driver

Key Storage Driver identifies the backing plugin used to store and operate keys. For this configuration, the driver is fixed toKEY_DRIVER_TYPE_PKCS11.

Driver Configuration

The driver configuration section contains the PKCS#11 Proxy-specific settings that OTPKI uses when working with the proxy service. For more information about the OTPKI PKCS#11 Proxy architecture as well as how OTPKI integrates with various commercial HSM models, refer to the PKCS#11 Integration page.

For PKCS#11 Proxy, the driver configuration entered on this page, including the server address and optional config ID, is stored by OTPKI and encrypted at rest.

PKCS#11 Proxy key configuration driver configuration settings

Server Address

Use Server Address to specify the PKCS#11 Proxy server that OTPKI should connect to. This must resolve to the listen_address configured on the proxy host.

Config Id

Use Config Id to select which HSM slot configuration on the proxy OTPKI should use. The value must match the id of an entry under hsm_configs in the proxy's config file. Leave this blank to use the slot the proxy has marked as default: true. Configuration IDs let a single PKCS#11 Proxy instance expose multiple HSM slots, each identified by slot_id or token label.

Security

The security section defines how OTPKI protects sensitive key material and backend-specific key data associated with a PKCS#11 Proxy key configuration.

PKCS#11 Proxy key configuration security settings

Encryption Key

Use Encryption Key to select the cryptographic key OTPKI will use to encrypt stored key data that must be protected at rest.

The selected key must allow encrypt anddecrypt usage so OTPKI can protect and later read the stored configuration data.

If no encryption key is selected, OTPKI falls back to the password supplied through the OTPKI_KEY_ENCRYPTION_PASSWORDenvironment variable, supplied during deployment. If that value is blank, the data is encrypted using an empty string ("") as the password.

For PKCS#11 Proxy, the Encryption Key is used to encrypt the key data stored for each OTPKI key. This data contains the HSM key label that OTPKI uses to reference the key through the proxy.

Activation

The activation section controls whether a key configuration must be unlocked before OTPKI can use it.

Key configuration activation settings

Enable Activation

Use Enable Activation when you want OTPKI to require an activation code before the key configuration can be used.

If this option is turned off, the configuration is treated as always active and no activation step is required.

Auto Activation

Use Auto Activation when you want OTPKI to remember the activation code and activate the configuration automatically when the application starts.

When this is enabled, OTPKI stores the activation code in encrypted form for later reuse.

Verify Activation

Use Verify Activation when you want OTPKI to check that the activation code matches a specific value.

Activation Code To Verify

Use Activation Code To Verify to provide the value that OTPKI compares against during activation when verification is enabled.

This is mainly useful for key storage backends that do not have their own external PIN or unlock check and need OTPKI to enforce the expected activation code itself.

For PKCS#11 Proxy, activation is usually required because OTPKI uses the activation code as the PIN when connecting through the proxy to list keys, check key access, generate keys, sign, decrypt, and import HSM-backed keys.