Appendices

Compatible PKCS #11 Devices

This section has informative character. Knot DNS has been tested with several devices which claim to support PKCS #11 interface. The following table indicates which algorithms and operations have been observed to work. Please notice minimal GnuTLS library version required for particular algorithm support.

	Generate	Import	EDDSA	ECDSA	RSA	Tested
Feitian ePass 2003	yes	n/a	n/a	n/a	1024 2048	2017-07
SafeNet Network HSM (Luna SA 4)	yes	n/a	n/a	n/a	1024 2048 4096	2017-07
SoftHSM 2.0 [1]	yes	yes	ed25519 ed448	256 384	1024 2048 4096	2025-12
Trustway Proteccio NetHSM	yes	ECDSA only	n/a	256 384	1024 2048 4096	2019-03
Ultra Electronics CIS Keyper Plus (Model 9860-2)	yes	RSA only	n/a	256 384	1024 2048 4096	2020-01
Utimaco SecurityServer (V4) [2]	yes	yes	n/a	256 384	1024 2048 4096	2018-09
Luna Cloud HSM (non-FIPS)	yes	n/a	n/a	256 384	1024 2048 4096	2025-11
Luna Network HSM (non-FIPS)	yes	n/a	ed448	256 384	1024 2048 4096	2025-12

[1]

Algorithms supported depend on support in OpenSSL on which SoftHSM relies. A command similar to the following may be used to verify what algorithms are supported: $ pkcs11-tool --modul /usr/lib64/pkcs11/libsofthsm2.so -M.

[2]

Requires setting the number of background workers to 1!