HSM support
10.2.1.6. HSM/PKCS #11 support for passwords

Airlock IAM supports hardware security modules (HSMs) with a PKCS #11 interface for the following use cases:

  • Encrypt password hashes before storing them in the user database.
  • Password end-to-end encryption.

The instructions have been tested with SoftHSM and SafeNet Luna, but should work with any compatible PKCS #11 token.

Prerequisites

For this guide, the following assumptions are made:

  • A hardware security module (HSM) is deployed on the network.
  • The required key material is provisioned on the HSM. Use the HSM's own interface to manage the keys.
    • For end-to-end encryption: the HSM has to provide the appropriate key (usually a certificate containing an RSA key) for the alias configured in IAM.
    • For the encrypted hash function: the HSM has to provide the appropriate secret key entry (e.g. an AES key) for the alias and key type configured in IAM.
  • A network connection is established between the system running Airlock IAM and the HSM.
  • The PKCS #11 native extensions (client library) of the HSM are installed on the system running Airlock IAM.
  • TCPKeepAlive should be enabled on both the HSM and the client. On the client, add the following to the "LunaSA Client" section of the client configuration file /etc/Chrystoki.conf:

     LunaSA Client = {
       [...]
       TCPKeepAlive=1;
       ClientKeepAlive=20;
     }

    If the connection is dropped on either side, the Sun PKCS #11 provider throws a java.security.ProviderException with the message "Token has been removed".
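The following is an added illustration of the "encrypted hash function" use case from the prerequisites above: an AES secret key held on the HSM, addressed by alias through the Sun PKCS #11 provider, encrypts a password hash before it is stored. It is example code written for this page, not Airlock IAM's implementation. The SunPKCS11 configuration file contents, the Luna client library path, the PIN handling, the alias name, the 12-byte IV/128-bit tag GCM layout and the reconnect-on-"Token has been removed" retry are all assumptions; AES/GCM through SunPKCS11 also requires a JDK and HSM that expose that mechanism.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Illustrative client for an HSM-held AES key: encrypts an already computed
 * password hash so that only the ciphertext reaches the user database.
 * Hypothetical example, not Airlock IAM code.
 */
public final class HsmHashEncryptor {

    // Assumed SunPKCS11 configuration file (path passed to the constructor):
    //   name = LunaSA
    //   library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
    //   slot = 0
    private final String pkcs11ConfigPath;
    private final char[] tokenPin;
    private final String keyAlias;   // alias of the AES secret key entry on the HSM
    private final SecureRandom random = new SecureRandom();

    private volatile Provider provider;
    private volatile SecretKey hsmKey;

    public HsmHashEncryptor(String pkcs11ConfigPath, char[] tokenPin, String keyAlias)
            throws GeneralSecurityException, IOException {
        this.pkcs11ConfigPath = pkcs11ConfigPath;
        this.tokenPin = tokenPin.clone();
        this.keyAlias = keyAlias;
        connect();
    }

    /** Opens a PKCS #11 session and resolves the key alias to a key handle. */
    private synchronized void connect() throws GeneralSecurityException, IOException {
        Provider p = Security.getProvider("SunPKCS11").configure(pkcs11ConfigPath);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, tokenPin);                       // logs in to the token with the PIN
        Key k = ks.getKey(keyAlias, tokenPin);         // handle only; key material stays on the HSM
        if (!(k instanceof SecretKey)) {
            throw new KeyStoreException("alias '" + keyAlias + "' is not a secret key entry");
        }
        provider = p;
        hsmKey = (SecretKey) k;
    }

    /** Encrypts a password hash; output is IV || ciphertext || GCM tag. */
    public byte[] encryptHash(byte[] hash) throws GeneralSecurityException, IOException {
        try {
            return gcm(Cipher.ENCRYPT_MODE, hash, null);
        } catch (ProviderException e) {
            // A dropped HSM connection (see TCPKeepAlive above) surfaces as this message;
            // rebuild the provider and session once, then retry the operation.
            if (e.getMessage() != null && e.getMessage().contains("Token has been removed")) {
                Security.removeProvider(provider.getName());
                connect();
                return gcm(Cipher.ENCRYPT_MODE, hash, null);
            }
            throw e;
        }
    }

    /** Recovers the plaintext hash from IV || ciphertext || tag for verification. */
    public byte[] decryptHash(byte[] blob) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        return gcm(Cipher.DECRYPT_MODE, ct, iv);
    }

    private byte[] gcm(int mode, byte[] input, byte[] iv) throws GeneralSecurityException {
        if (iv == null) {                              // fresh random nonce per encryption
            iv = new byte[12];
            random.nextBytes(iv);
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", provider);
        cipher.init(mode, hsmKey, new GCMParameterSpec(128, iv));
        byte[] out = cipher.doFinal(input);
        if (mode == Cipher.DECRYPT_MODE) {
            return out;
        }
        byte[] blob = new byte[iv.length + out.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(out, 0, blob, iv.length, out.length);
        return blob;
    }
}
```

Usage follows the prerequisites: the alias and key type configured in IAM must match an existing secret key entry on the token, and the PIN is the token's user PIN for the slot named in the SunPKCS11 configuration. Catching the "Token has been removed" ProviderException is a recovery path, not a substitute for the keepalive settings; with the keepalive disabled the session still drops after an idle period and every first request after that pays the reconnect cost.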