Appendices

Compatible PKCS #11 Devices

This section has informative character. Knot DNS has been tested with several devices which claim to support PKCS #11 interface. The following table indicates which algorithms and operations have been observed to work. Please notice minimal GnuTLS library version required for particular algorithm support. Factors like firmware and Cryptoki module version might affect the outcome.

	Generate	Import	EDDSA	ECDSA	RSA	Tested
Utimaco SecurityServer (V4) [1]	yes	yes	n/a	256 384	1024 2048 4096	2018-09
Trustway Proteccio NetHSM	yes	ECDSA only	n/a	256 384	1024 2048 4096	2019-03
Ultra Electronics CIS Keyper Plus (Model 9860-2)	yes	RSA only	n/a	256 384	1024 2048 4096	2020-01
SoftHSM 2.0 [2]	yes	yes	ed25519 ed448	256 384	1024 2048 4096	2025-12
Luna Cloud HSM (non-FIPS)	yes	n/a	n/a	256 384	1024 2048 4096	2025-11
Luna Network HSM (non-FIPS)	yes	n/a	ed448	256 384	1024 2048 4096	2025-12
Securosys Primus HSM and CloudHSM (non-FIPS)	yes	yes	ed25519 ed448	256 384	1024 2048 4096	2025-12

[1]

Requires setting the number of background workers to 1!

[2]

Algorithms supported depend on support in OpenSSL on which SoftHSM relies. A command similar to the following may be used to verify what algorithms are supported: $ pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so -M.