PKCS#11 Proxy Key Configurations
Basic Settings
The basic settings section defines the common metadata for a PKCS#11 Proxy key configuration and identifies which key storage driver OTPKI will use for this configuration.
Name
Use Name to give the key configuration a clear label that operators can recognize later when selecting storage for keys or reviewing existing configurations.
Description
Use Description to record the purpose of the configuration, the environment it belongs to, or any operational notes that will help administrators distinguish it from other PKCS#11 Proxy configurations.
Key Storage Driver
Key Storage Driver identifies the backing plugin used to store and operate keys. For this configuration, the driver is fixed toKEY_DRIVER_TYPE_PKCS11.
Driver Configuration
The driver configuration section contains the PKCS#11 Proxy-specific settings that OTPKI uses when working with the proxy service. For more information about the OTPKI PKCS#11 Proxy architecture as well as how OTPKI integrates with various commercial HSM models, refer to the PKCS#11 Integration page.
For PKCS#11 Proxy, the driver configuration entered on this page, including the server address and optional config ID, is stored by OTPKI and encrypted at rest.
Server Address
Use Server Address to specify the PKCS#11 Proxy server that OTPKI should connect to.
This must resolve to the listen_address configured on the proxy host.
Config Id
Use Config Id to select which HSM slot configuration on the proxy OTPKI should use.
The value must match the id of an entry under hsm_configs in the proxy's config file.
Leave this blank to use the slot the proxy has marked as default: true.
Configuration IDs let a single PKCS#11 Proxy instance expose multiple HSM slots, each identified by slot_id or token label.
Security
The security section defines how OTPKI protects sensitive key material and backend-specific key data associated with a PKCS#11 Proxy key configuration.
Encryption Key
Use Encryption Key to select the cryptographic key OTPKI will use to encrypt stored key data that must be protected at rest.
The selected key must allow encrypt anddecrypt usage so OTPKI can protect and later read the stored configuration data.
If no encryption key is selected, OTPKI falls back to the password supplied through the OTPKI_KEY_ENCRYPTION_PASSWORDenvironment variable, supplied during deployment. If that value is blank, the data is encrypted using an empty string ("") as the password.
For PKCS#11 Proxy, the Encryption Key is used to encrypt the key data stored for each OTPKI key. This data contains the HSM key label that OTPKI uses to reference the key through the proxy.
Activation
The activation section controls whether a key configuration must be unlocked before OTPKI can use it.
Enable Activation
Use Enable Activation when you want OTPKI to require an activation code before the key configuration can be used.
If this option is turned off, the configuration is treated as always active and no activation step is required.
Auto Activation
Use Auto Activation when you want OTPKI to remember the activation code and activate the configuration automatically when the application starts.
When this is enabled, OTPKI stores the activation code in encrypted form for later reuse.
Verify Activation
Use Verify Activation when you want OTPKI to check that the activation code matches a specific value.
Activation Code To Verify
Use Activation Code To Verify to provide the value that OTPKI compares against during activation when verification is enabled.
This is mainly useful for key storage backends that do not have their own external PIN or unlock check and need OTPKI to enforce the expected activation code itself.
For PKCS#11 Proxy, activation is usually required because OTPKI uses the activation code as the PIN when connecting through the proxy to list keys, check key access, generate keys, sign, decrypt, and import HSM-backed keys.



