Use the OpenSSL Dynamic Engine

Last Updated: Apr 08, 2021

This topic describes how to use the OpenSSL Dynamic Engine from the command line. You can also use the dynamic engine through the OpenSSL programmatic interfaces in your applications.


Before you start using OpenSSL Dynamic Engine, make sure that OpenSSL supports dynamic engine loading.

You can use the following command to verify whether it is supported:

 openssl engine -c

If OpenSSL supports dynamic engine loading, you will get a response that is similar to the following:

 "(dynamic) Dynamic engine loading support"

RSA encryption and decryption procedure

  1. Run the following commands to export the environment variables. Replace <HSMusername> with the username of a user of the CU type, and replace <password> with that user's password.

    export LD_LIBRARY_PATH=/opt/hsm/lib/:$LD_LIBRARY_PATH
    export n3fips_password=<HSMusername>:<password>
  2. Run the following command to turn on interactive mode:

    openssl

    The prompt changes to OpenSSL>. The commands in steps 3, 4, 5 and 7 are entered at this prompt.

  3. Run the following commands to load the dynamic engine:

    engine -t dynamic -pre SO_PATH:/opt/hsm/lib/ -pre ID:hsm_openssl -pre LIST_ADD:1 -pre LOAD

    If the command runs successfully, the following response is displayed:

    Loaded: (hsm_openssl) Cavium hardware engine support
  4. Run the following command to generate an asymmetric key:

    genrsa -engine hsm_openssl

    If the command runs successfully, the dynamic OpenSSL engine prints the key handle encoded in a format called the fake PEM format. The output is a handle that refers to the key held in the HSM, not the key material itself. Save the output to a file, for example, /root/openssl/priv.key. The output ends with the following line:

    -----END RSA PRIVATE KEY-----
  5. Run the following command to export the public key:

    rsa -in /root/openssl/priv.key -pubout -out /root/openssl/pub.pem
  6. Run the following command to encrypt the file helloworld.txt:

    This operation must be performed in non-interactive mode, that is, at the shell prompt rather than at the OpenSSL> prompt, because it uses only the exported public key and does not need the engine. In this example, the content of the file is hello world!

    openssl rsautl -encrypt -inkey /root/openssl/pub.pem -pubin -in /root/openssl/helloworld.txt -out /root/openssl/helloworld.txt.enc
  7. Run the following command to decrypt the file helloworld.txt.enc:

    This operation must be performed in interactive mode, and the dynamic engine must have been loaded, because the private key referenced by priv.key is only reachable through the HSM.

    rsautl -decrypt -inkey /root/openssl/priv.key -in /root/openssl/helloworld.txt.enc -out /root/openssl/helloworld.txt.dec
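The following script, an added example that is not part of the original document, runs the seven steps above end to end and checks the round trip; it assumes the engine path and ID shown on this page, CU credentials supplied in the hypothetical HSM_USER and HSM_PASS variables, and an OPENSSL_BIN variable to substitute the openssl binary.

```shell
#!/bin/sh
# Added example, not from the original page: drives the seven steps above as one
# script and checks the round trip. Assumed values: the engine path and ID shown
# on this page, CU credentials passed in HSM_USER/HSM_PASS (hypothetical names),
# and OPENSSL_BIN to substitute the openssl binary.
set -eu

HSM_LIB=/opt/hsm/lib/                 # SO_PATH value exactly as given on this page
ENGINE_ID=hsm_openssl
WORK=${WORK:-/root/openssl}
OPENSSL=${OPENSSL_BIN:-openssl}

# Engine-backed operations must run in one interactive session: the engine load
# line goes first, then each command (one per argument), all fed through stdin.
# The interactive loop keeps going after a failed command, so the exit status of
# this function says little; main() relies on the final cmp instead.
hsm_session() {
  {
    echo "engine -t dynamic -pre SO_PATH:${HSM_LIB} -pre ID:${ENGINE_ID} -pre LIST_ADD:1 -pre LOAD"
    printf '%s\n' "$@"
  } | "$OPENSSL"
}

# Public-key encryption touches no HSM material, so it runs non-interactively.
encrypt_file() {
  "$OPENSSL" rsautl -encrypt -inkey "$WORK/pub.pem" -pubin -in "$1" -out "$1.enc"
}

main() {
  # Steps 1-2: environment; the CU password never appears on a command line.
  export LD_LIBRARY_PATH="${HSM_LIB}:${LD_LIBRARY_PATH:-}"
  export n3fips_password="${HSM_USER}:${HSM_PASS}"
  mkdir -p "$WORK"
  # Steps 3-5: generate the key (priv.key holds the engine's fake-PEM handle, not
  # the private key itself) and export the public half, inside one session.
  hsm_session "genrsa -engine ${ENGINE_ID} -out ${WORK}/priv.key" \
              "rsa -in ${WORK}/priv.key -pubout -out ${WORK}/pub.pem"
  # Step 6: non-interactive encryption with the exported public key.
  printf 'hello world!\n' > "$WORK/helloworld.txt"
  encrypt_file "$WORK/helloworld.txt"
  # Step 7: decryption needs the HSM-held key, so it goes back through a session.
  hsm_session "rsautl -decrypt -inkey ${WORK}/priv.key -in ${WORK}/helloworld.txt.enc -out ${WORK}/helloworld.txt.dec"
  # Round-trip check: any failure above leaves a missing or different .dec file.
  cmp "$WORK/helloworld.txt" "$WORK/helloworld.txt.dec" && echo "round trip OK"
}

# Run only when invoked as `sh script.sh run`; sourcing it exposes the functions.
if [ "${1:-}" = run ]; then main; fi
```

Note that rsautl is deprecated since OpenSSL 3.0; pkeyutl -encrypt and pkeyutl -decrypt accept the same -inkey, -pubin, -in and -out options.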