This topic describes how to use the OpenSSL Dynamic Engine. You can use the OpenSSL Dynamic Engine by calling the OpenSSL API in applications.
Prerequisites
Your hardware security module (HSM) is in the Initializing state, and a crypto user (CU) is created. For more information, see Getting started with Cloud Hardware Security Module.
An HSM client (hsm_proxy) is started. For more information, see Getting started with Cloud Hardware Security Module.
OpenSSL supports dynamic engine loading.
You can use the following command to check whether OpenSSL supports dynamic engine loading:
openssl engine -c
If OpenSSL supports dynamic engine loading, a response that is similar to the following information is returned:
"(dynamic) Dynamic engine loading support"
RSA-based encryption and decryption
Run the following commands to export the environment variables. Replace <HSMusername> with the username of the CU and <password> with the password of the CU.
export LD_LIBRARY_PATH=/opt/hsm/lib/:$LD_LIBRARY_PATH
export n3fips_password=<HSMusername>:<password>
Run the following command to enter the interactive mode:
openssl
Run the following command to load the dynamic engine:
engine -t dynamic -pre SO_PATH:/opt/hsm/lib/libhsm_openssl.so -pre ID:hsm_openssl -pre LIST_ADD:1 -pre LOAD
If the command is successfully run, a response that is similar to the following information is returned:
Loaded: (hsm_openssl) Cavium hardware engine support
Run the following command to generate an asymmetric key:
genrsa -engine hsm_openssl
If the command is successfully run, the OpenSSL Dynamic Engine encodes the key handle in the pseudo-PEM format. The output is a handle that refers to the key in the HSM rather than the key material itself, which is why later operations that use it require the loaded engine. You can store the key handle in a file such as /root/openssl/priv.key:
-----BEGIN RSA PRIVATE KEY-----
****IQIBAAKCAQEAp2R756S3q1/Aa0htOSXovkakVI3ePqkMY4I/AM7j6ZO4lf1b
l58v0zUqk8c9Eknf8VclGrMz8vqEOMWWXUM6xc4Jq6HRhBbp/SdqTlSW+6WjYcG3
nMP5PxBIuWLazjS7Mte3n3NSK+qS2jIeUdhr+OPhCdeQfxsDbc9CTz97NNDnoARR
64nZ/mMTBHXW5dkbgOmTE3plCqB0NctTwXgF3C6z+6/vASJEdXseFV7GS5vATNf4
i7uEkIIx0791Ped0+3yoBZ31XuAQKcspEab+z3cRdvjUb0YluYF00WDu3D/5bBYW
0epo6l1r83EhqeAhOviUqQLwMJoLeUxif8RpNQIDAQABAoIBAQDq/Pzu6vz87h8A
AAAAAAAA6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
/O7q/PzuAgEAAgEAAgEAAgEA****
-----END RSA PRIVATE KEY-----
Run the following command to export the public key:
rsa -in /root/openssl/priv.key -pubout -out /root/openssl/pub.pem
Run the following command to encrypt a file named helloworld.txt. In this example, the file contains the following content: hello world!
Important: This operation must be performed in non-interactive mode.
openssl rsautl -encrypt -inkey /root/openssl/pub.pem -pubin -in /root/openssl/helloworld.txt -out /root/openssl/helloworld.txt.enc
Run the following command to decrypt the file named helloworld.txt.enc.
Important: This operation must be performed in interactive mode. Before you perform this operation, make sure that the OpenSSL Dynamic Engine is loaded, and enter the command at the OpenSSL prompt of that session without the openssl prefix, as with the other interactive commands above.
rsautl -decrypt -inkey /root/openssl/priv.key -in /root/openssl/helloworld.txt.enc -out /root/openssl/helloworld.txt.dec
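The full procedure above as one script, an added example that is not part of this topic or the HSM vendor's tooling: it reuses the engine path, credential format and file paths from the steps above and assumes that openssl accepts sub-commands on standard input, so the engine loaded at the start of a session is still available to the genrsa and decrypt steps of that same session.

```shell
#!/bin/sh
# Added example (not the vendor's tooling): the RSA procedure above as one script.
# Assumptions: engine path, credential format and file paths as on the page;
# "openssl" reads sub-commands from stdin, so one session keeps the engine loaded.
set -eu

HSM_ENGINE_SO=/opt/hsm/lib/libhsm_openssl.so
WORKDIR=${WORKDIR:-/root/openssl}   # no spaces: lines are fed to openssl verbatim
LOAD_ENGINE="engine -t dynamic -pre SO_PATH:$HSM_ENGINE_SO -pre ID:hsm_openssl -pre LIST_ADD:1 -pre LOAD"

# The engine takes the CU credentials from n3fips_password as <HSMusername>:<password>.
# Fail early with a clear message instead of letting the engine fail while loading.
require_cu_credentials() {
    case "${n3fips_password:-}" in
        ?*:?*) return 0 ;;
        *) echo "n3fips_password must be set to <HSMusername>:<password>" >&2; return 1 ;;
    esac
}

# Run several openssl sub-commands inside ONE openssl process (the page's
# interactive mode), so the dynamic engine loaded first is still present for
# genrsa and rsautl -decrypt. Each argument becomes one command line.
openssl_session() {
    printf '%s\n' "$LOAD_ENGINE" "$@" | openssl
}

main() {
    require_cu_credentials
    export LD_LIBRARY_PATH=/opt/hsm/lib/:${LD_LIBRARY_PATH:-}
    openssl engine -c | grep -q '(dynamic)' || { echo "openssl lacks dynamic engine support" >&2; exit 1; }
    mkdir -p "$WORKDIR"
    printf 'hello world!\n' > "$WORKDIR/helloworld.txt"

    # Key handle in pseudo-PEM form, then its public key, in one engine-loaded session.
    openssl_session "genrsa -engine hsm_openssl -out $WORKDIR/priv.key" \
                    "rsa -in $WORKDIR/priv.key -pubout -out $WORKDIR/pub.pem"

    # Encryption needs only the public key: a plain non-interactive call.
    openssl rsautl -encrypt -inkey "$WORKDIR/pub.pem" -pubin \
        -in "$WORKDIR/helloworld.txt" -out "$WORKDIR/helloworld.txt.enc"

    # Decryption uses the handle, so it must run with the engine loaded.
    openssl_session "rsautl -decrypt -inkey $WORKDIR/priv.key -in $WORKDIR/helloworld.txt.enc -out $WORKDIR/helloworld.txt.dec"

    cmp -s "$WORKDIR/helloworld.txt" "$WORKDIR/helloworld.txt.dec" && echo "round trip OK"
}

# Only touch the HSM when asked: "sh hsm_rsa_roundtrip.sh run" (hypothetical file name).
if [ "${1:-}" = run ]; then main; fi
```

A sub-command that fails inside a session is reported by openssl but not propagated as an exit status, so the final cmp is the check that the round trip actually worked.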