HSM encryption support for passwords

  • Airlock IAM REST API supports HSM (hardware security modules) with a PKCS #11 interface for the following use cases:
  • Encrypt password hashes before storing them in the user database.
  • Password end-to-end encryption.

The instructions have been tested with SoftHSM and SafeNet Luna, but should work with any compatible PKCS#11 token.


  • For this guide, the following assumptions are made:
  • A Hardware Security Module (HSM) is deployed on the network
  • The required key material is provisioned on the HSM. Use the HSM interface to manage the keys.
    • For end-to-end encryption: The HSM has to provide the appropriate key (usually a certificate containing an RSA key) for the alias configured in IAM.
    • For the encrypted hash function feature: The HSM has to provide the appropriate secret key entry (e.g. an AES key) for the alias and key type configured in IAM.
  • A connection is established between the system running Airlock IAM and the HSM.
  • The PKCS #11 native extensions of the HSM are installed on the system running Airlock IAM.
  • TCP keep-alive should be enabled on both the HSM and the client.
  • If the connection is killed on either side, the Sun PKCS #11 Provider will throw an exception with "java.security.ProviderException: Token has been removed".