
Cloud Hardware Security Module (HSM):Use the OpenSSL Dynamic Engine

Last Updated:Dec 05, 2023

This topic describes how to use the OpenSSL Dynamic Engine. You can use the OpenSSL Dynamic Engine by calling the OpenSSL API in applications.

Prerequisites

  • Your hardware security module (HSM) is in the Initializing state, and a crypto user (CU) is created. For more information, see Getting started with Cloud Hardware Security Module.

  • An HSM client (hsm_proxy) is started. For more information, see Getting started with Cloud Hardware Security Module.

  • OpenSSL supports dynamic engine loading.

    You can use the following command to check whether OpenSSL supports dynamic engine loading:

     openssl engine -c

    If OpenSSL supports dynamic engine loading, a response that is similar to the following information is returned:

     "(dynamic) Dynamic engine loading support"

RSA-based encryption and decryption

  1. Run the following commands to export the required environment variables. Replace HSMusername with the username of the CU and replace password with the password of the CU.

    export LD_LIBRARY_PATH=/opt/hsm/lib/:$LD_LIBRARY_PATH
    export n3fips_password=<HSMusername>:<password>
  2. Run the following command to enter the interactive mode:

    openssl
  3. Run the following command to load the dynamic engine:

    engine -t dynamic -pre SO_PATH:/opt/hsm/lib/libhsm_openssl.so -pre ID:hsm_openssl -pre LIST_ADD:1 -pre LOAD

    If the command is successfully run, a response that is similar to the following information is returned:

    Loaded: (hsm_openssl) Cavium hardware engine support
  4. Run the following command to generate an asymmetric key:

    genrsa -engine hsm_openssl

    If the command is successfully run, the OpenSSL Dynamic Engine encodes the key handle in the pseudo-PEM format. You can save the key handle to a file such as /root/openssl/priv.key.

    -----BEGIN RSA PRIVATE KEY-----
    ****IQIBAAKCAQEAp2R756S3q1/Aa0htOSXovkakVI3ePqkMY4I/AM7j6ZO4lf1b
    l58v0zUqk8c9Eknf8VclGrMz8vqEOMWWXUM6xc4Jq6HRhBbp/SdqTlSW+6WjYcG3
    nMP5PxBIuWLazjS7Mte3n3NSK+qS2jIeUdhr+OPhCdeQfxsDbc9CTz97NNDnoARR
    64nZ/mMTBHXW5dkbgOmTE3plCqB0NctTwXgF3C6z+6/vASJEdXseFV7GS5vATNf4
    i7uEkIIx0791Ped0+3yoBZ31XuAQKcspEab+z3cRdvjUb0YluYF00WDu3D/5bBYW
    0epo6l1r83EhqeAhOviUqQLwMJoLeUxif8RpNQIDAQABAoIBAQDq/Pzu6vz87h8A
    AAAAAAAA6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/PzuAgEAAgEAAgEAAgEA****
    -----END RSA PRIVATE KEY-----
  5. Run the following command to export the public key:

    rsa -in /root/openssl/priv.key -pubout -out /root/openssl/pub.pem
  6. Run the following command to encrypt a file named helloworld.txt:

    Important

    This operation must be performed in non-interactive mode. In this example, helloworld.txt contains the text "hello world!".

    openssl rsautl -encrypt -inkey /root/openssl/pub.pem -pubin -in /root/openssl/helloworld.txt -out /root/openssl/helloworld.txt.enc
  7. Run the following command to decrypt a file named helloworld.txt.enc:

    Important

    This operation must be performed in interactive mode. Before you perform this operation, make sure that the OpenSSL Dynamic Engine is loaded.

    rsautl -decrypt -inkey /root/openssl/priv.key -in /root/openssl/helloworld.txt.enc -out /root/openssl/helloworld.txt.dec
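The following checker is an added example and is not part of the Cloud HSM documentation or of the engine's own tooling. It parses a PKCS#1 "RSA PRIVATE KEY" PEM and tests whether the private fields actually belong to the modulus (p*q == n and e*d == 1 mod lcm(p-1, q-1)). Run against the file saved as /root/openssl/priv.key in step 4, it confirms what the procedure relies on: the pseudo-PEM is only a reference to a key that lives inside the HSM and carries no usable private material, so a copy of that file alone cannot decrypt anything. The sample handle built here is constructed: the filler bytes and zeroed CRT fields are assumptions modelled on the redacted sample shown above, and the toy key (p=61, q=53, e=17) is textbook-sized, not a real key.

```python
"""Tell an RSA PEM that holds real private key material apart from one that
holds only an HSM key handle. Added example; not code from the Cloud HSM docs."""
import base64
import math
import re

FIELD_NAMES = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(content):
    """INTEGER TLV around already-encoded two's-complement content bytes."""
    return b"\x02" + _der_len(len(content)) + content

def _int_content(x):
    """Minimal big-endian encoding of a non-negative int, padded so the sign bit is clear."""
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return b"\x00" + b if b[0] & 0x80 else b

def _read_tlv(buf, pos):
    """Read one tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_rsa_private_pem(contents):
    """Wrap nine INTEGER content blobs (FIELD_NAMES order) as a PKCS#1 RSAPrivateKey PEM."""
    body = b"".join(_der_int(c) for c in contents)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"

def parse_rsa_private_pem(pem):
    """Decode a PKCS#1 RSAPrivateKey PEM into its nine INTEGER fields (as Python ints)."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("no RSA PRIVATE KEY block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey must be a SEQUENCE")
    values, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("unexpected tag 0x%02x inside RSAPrivateKey" % tag)
        values.append(int.from_bytes(content, "big"))
    if len(values) != len(FIELD_NAMES):
        raise ValueError("expected %d fields, got %d" % (len(FIELD_NAMES), len(values)))
    return dict(zip(FIELD_NAMES, values))

def holds_real_private_key(fields):
    """True only if d, p, q are a genuine private key for n."""
    n, e, d, p, q = (fields[k] for k in ("n", "e", "d", "p", "q"))
    if p < 2 or q < 2 or p * q != n:
        return False
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (e * d) % lam == 1

# Constructed toy key (textbook-sized, never use such a key): p=61, q=53, e=17.
TOY_P, TOY_Q, TOY_E = 61, 53, 17
TOY_N = TOY_P * TOY_Q
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))

def real_key_pem():
    """A complete RSAPrivateKey PEM for the toy key, as a plain software key would be stored."""
    f = [0, TOY_N, TOY_E, TOY_D, TOY_P, TOY_Q,
         TOY_D % (TOY_P - 1), TOY_D % (TOY_Q - 1), pow(TOY_Q, -1, TOY_P)]
    return build_rsa_private_pem([_int_content(x) for x in f])

def handle_pem():
    """Constructed stand-in for the engine's pseudo-PEM: n and e are genuine, d/p/q hold
    filler bytes (pattern assumed from the sample in the doc) and the CRT fields are zero."""
    filler = bytes.fromhex("eafcfcee") * 4
    f = [_int_content(0), _int_content(TOY_N), _int_content(TOY_E),
         b"\x00" + filler, b"\x00" + filler, b"\x00" + filler,
         _int_content(0), _int_content(0), _int_content(0)]
    return build_rsa_private_pem(f)

def classify(pem):
    """'software-key' if the file contains usable private material, else 'key-handle'."""
    return "software-key" if holds_real_private_key(parse_rsa_private_pem(pem)) else "key-handle"

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else handle_pem()
    print(classify(pem))
```

Run it as `python3 check_handle.py /root/openssl/priv.key`; a file produced by `genrsa -engine hsm_openssl` should classify as key-handle, while a key generated without the engine classifies as software-key. The consistency test deliberately uses the modulus and exponent relations rather than looking for a particular filler pattern, so it does not depend on how a given engine version fills the unused fields.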