Appendices

Compatible PKCS #11 Devices

This section has informative character. Knot DNS has been tested with several devices which claim to support PKCS #11 interface. The following table indicates which algorithms and operations have been observed to work. Please notice minimal GnuTLS library version required for particular algorithm support. Factors like firmware and Cryptoki module version might affect the outcome.

	Key generate	Key import	ED25519 256-bit	ECDSA 256-bit	ECDSA 384-bit	RSA 1024-bit	RSA 2048-bit	RSA 4096-bit
Feitian ePass 2003	yes	no	no	no	no	yes	yes	no
SafeNet Network HSM (Luna SA 4)	yes	no	no	no	no	yes	yes	yes
SoftHSM 2.0 [1]	yes	yes	yes	yes	yes	yes	yes	yes
Trustway Proteccio NetHSM	yes	ECDSA only	no	yes	yes	yes	yes	yes
Ultra Electronics CIS Keyper Plus (Model 9860-2)	yes	RSA only	no	yes	yes	yes	yes	yes
Utimaco SecurityServer (V4) [2]	yes	yes	no	yes	yes	yes	yes	yes

[1]

Algorithms supported depend on support in OpenSSL on which SoftHSM relies. A command similar to the following may be used to verify what algorithms are supported: $ pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so -M.

[2]

Requires setting the number of background workers to 1!