Key Management Service:Use the OpenSSL dynamic engine

Last Updated:Nov 17, 2025

This topic describes how to use the OpenSSL dynamic engine from the OpenSSL command line to perform RSA operations with a key that is stored in the HSM. You can also load the dynamic engine in applications that use the OpenSSL programmatic interface.

Prerequisites

  • The hardware security module (HSM) instance has been initialized, and a crypto user (CU) has been created. For more information, see Quick Start.

  • The HSM client (hsm_proxy) has been started. For more information, see Start the HSM client (hsm_proxy).

  • Before you use the OpenSSL dynamic engine, make sure that OpenSSL supports dynamic engine loading.

    Note

    Only OpenSSL version 1.0.2 is supported.

    You can run the following command to verify that this feature is supported:

     openssl engine -c

    If OpenSSL supports dynamic engine loading, a response similar to the following is returned:

     "(dynamic) Dynamic engine loading support"

RSA encryption and decryption

  1. Run the following commands to export the environment variables. Replace <HSMusername> with the CU username and <password> with the CU password.

    export LD_LIBRARY_PATH=/opt/hsm/lib/:$LD_LIBRARY_PATH
    export n3fips_password=<HSMusername>:<password>
  2. Run the following command to enter interactive mode:

    openssl
  3. Run the following command to load the dynamic engine:

    engine dynamic -pre SO_PATH:/opt/hsm/lib/libhsm_openssl.so -pre ID:hsm_openssl -pre LIST_ADD:1 -pre LOAD

    If the command is successful, the following response is returned:

    Loaded: (hsm_openssl) Cavium hardware engine support
  4. Run the following command to generate an asymmetric key:

    genrsa -engine hsm_openssl

    If the command is successful, the OpenSSL dynamic engine encodes the handle of the key into a pseudo-PEM format. The RSA private key itself stays in the HSM; the output contains only the handle. You can save this content to a file, such as /root/openssl/priv.key.

    -----BEGIN RSA PRIVATE KEY-----
    ****IQIBAAKCAQEAp2R756S3q1/Aa0htOSXovkakVI3ePqkMY4I/AM7j6ZO4lf1b
    l58v0zUqk8c9Eknf8VclGrMz8vqEOMWWXUM6xc4Jq6HRhBbp/SdqTlSW+6WjYcG3
    nMP5PxBIuWLazjS7Mte3n3NSK+qS2jIeUdhr+OPhCdeQfxsDbc9CTz97NNDnoARR
    64nZ/mMTBHXW5dkbgOmTE3plCqB0NctTwXgF3C6z+6/vASJEdXseFV7GS5vATNf4
    i7uEkIIx0791Ped0+3yoBZ31XuAQKcspEab+z3cRdvjUb0YluYF00WDu3D/5bBYW
    0epo6l1r83EhqeAhOviUqQLwMJoLeUxif8RpNQIDAQABAoIBAQDq/Pzu6vz87h8A
    AAAAAAAA6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/PzuAgEAAgEAAgEAAgEA****
    -----END RSA PRIVATE KEY-----
  5. Run the following command to export the public key:

    rsa -in /root/openssl/priv.key -pubout -out /root/openssl/pub.pem
  6. Run the following command to encrypt the helloworld.txt file:

    Important

    Perform this operation in non-interactive mode. In this example, the content of the file is `hello world!`.

    openssl rsautl -encrypt -inkey /root/openssl/pub.pem -pubin -in /root/openssl/helloworld.txt -out /root/openssl/helloworld.txt.enc
  7. Run the following command to decrypt the helloworld.txt.enc file:

    Important

    Perform this operation in interactive mode. Make sure that the dynamic engine is loaded (step 3): priv.key holds only a handle to the key in the HSM, so the decryption must be carried out by the engine. Run the command at the OpenSSL> prompt without the openssl prefix:

    rsautl -decrypt -inkey /root/openssl/priv.key -in /root/openssl/helloworld.txt.enc -out /root/openssl/helloworld.txt.dec
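The following script is an added example, not part of this topic or of the HSM client. It automates the prerequisite check (openssl engine -c) and steps 1 to 7 above in one run: it feeds the interactive-mode commands to openssl on standard input so that the engine load, key generation, public key export and decryption each happen inside a session in which the dynamic engine is loaded, and it verifies the round trip by comparing the plaintext with the decrypted file. The HSM_USER and HSM_PASS variables, the WORKDIR default and the run argument are assumptions made for this example; the library path, engine name and commands are those given in the topic.

```shell
#!/bin/sh
# Added example (not from the topic or the HSM client): drive the OpenSSL
# dynamic engine procedure end to end. Assumes OpenSSL 1.0.2 in PATH,
# hsm_proxy running, and /opt/hsm/lib/libhsm_openssl.so installed.
# Assumed inputs: HSM_USER / HSM_PASS (CU credentials), WORKDIR (default
# /root/openssl). Run with:  HSM_USER=cu HSM_PASS=secret sh hsm_openssl_demo.sh run
set -e

HSM_LIB_DIR=/opt/hsm/lib
ENGINE_SO="$HSM_LIB_DIR/libhsm_openssl.so"
WORKDIR="${WORKDIR:-/root/openssl}"
# Same engine command as step 3 of the topic, minus the leading "engine".
ENGINE_PRE="dynamic -pre SO_PATH:$ENGINE_SO -pre ID:hsm_openssl -pre LIST_ADD:1 -pre LOAD"

# Prerequisite check: does the text of `openssl engine -c` list the dynamic
# engine? Takes the output as an argument so it can be checked offline.
engine_list_has_dynamic() {
  printf '%s\n' "$1" | grep -qF '(dynamic) Dynamic engine loading support'
}

# genrsa -engine hsm_openssl writes a pseudo-PEM block that wraps the HSM key
# handle. Confirm the file at least carries the expected delimiters before
# using it in later steps.
pem_has_rsa_block() {
  grep -qF -- '-----BEGIN RSA PRIVATE KEY-----' "$1" &&
  grep -qF -- '-----END RSA PRIVATE KEY-----' "$1"
}

# Round-trip check: plaintext and decrypted output must match byte for byte.
roundtrip_ok() {
  cmp -s "$1" "$2"
}

run_procedure() {
  : "${HSM_USER:?set HSM_USER to the CU username}"
  : "${HSM_PASS:?set HSM_PASS to the CU password}"
  mkdir -p "$WORKDIR"

  # Step 1: environment the engine reads (library path and CU credentials).
  export LD_LIBRARY_PATH="$HSM_LIB_DIR/:${LD_LIBRARY_PATH:-}"
  export n3fips_password="$HSM_USER:$HSM_PASS"

  # Prerequisite: refuse to continue if dynamic engine loading is unsupported.
  engine_list_has_dynamic "$(openssl engine -c)" || {
    echo "this openssl build has no dynamic engine support" >&2
    return 1
  }

  # Steps 2 to 5 in one interactive session: load the engine, generate the
  # HSM-backed key, export the public key. Unquoted heredoc delimiter so that
  # $ENGINE_PRE and $WORKDIR expand.
  openssl <<EOF
engine $ENGINE_PRE
genrsa -engine hsm_openssl -out $WORKDIR/priv.key
rsa -in $WORKDIR/priv.key -pubout -out $WORKDIR/pub.pem
EOF
  pem_has_rsa_block "$WORKDIR/priv.key"

  # Step 6: encryption uses only the exported public key, so it runs in
  # non-interactive mode without the engine.
  printf 'hello world!\n' > "$WORKDIR/helloworld.txt"
  openssl rsautl -encrypt -inkey "$WORKDIR/pub.pem" -pubin \
    -in "$WORKDIR/helloworld.txt" -out "$WORKDIR/helloworld.txt.enc"

  # Step 7: priv.key is only a handle, so decryption must run in a session
  # with the engine loaded.
  openssl <<EOF
engine $ENGINE_PRE
rsautl -decrypt -inkey $WORKDIR/priv.key -in $WORKDIR/helloworld.txt.enc -out $WORKDIR/helloworld.txt.dec
EOF

  roundtrip_ok "$WORKDIR/helloworld.txt" "$WORKDIR/helloworld.txt.dec" &&
    echo "round trip OK: $WORKDIR/helloworld.txt.dec matches the plaintext"
}

# The HSM-backed flow only runs when asked; sourcing the file just defines
# the helper functions.
if [ "${1:-}" = run ]; then
  run_procedure
fi
```

Credentials are passed through the environment (n3fips_password) exactly as the topic describes, so keep the script's environment out of shell history and process listings visible to other users; the helpers engine_list_has_dynamic, pem_has_rsa_block and roundtrip_ok can be reused in other automation around the engine.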