View on GitHub


Source of the Azure IoT Identity Service and related services.

Protecting keys via an HSM or TPM

The Keys Service stores cryptographic keys, and allows callers to perform operations with those keys like encrypt, decrypt and sign. The service protects the keys by storing them in HSMs, and ensures that no operations against those keys export the keys to the device's memory.

In order to interact with an HSM, the Keys Service requires a PKCS#11 library for the HSM. There are two properties that must be configured in the /etc/aziot/config.toml file:

pkcs11_lib_path = "<path of the PKCS#11 library>"
pkcs11_base_slot = "<PKCS#11 URI of a slot where dynamically generated keys will be stored>"

Installing and configuring a PKCS#11 library

Verifying the PKCS#11 library was installed and configured correctly

After you've configured the PKCS#11 library, you can test it with pkcs11-tool or p11tool. Since the library has been configured for the Keys Service's aziotks Linux user, ensure that you always use that user when using pkcs11-tool, p11tool, etc. For example, prepend those commands with sudo -Hu aziotks.

($PKCS11_LIB_PATH is the path of the PKCS#11 library that you set as the value of aziot_keys.pkcs11_lib_path in the /etc/aziot/config.toml)

The pages above tell you how to modify the /etc/aziot/config.toml with the details of the PKCS#11 library and the base slot.