Configure Barbican to use Utimaco HSM

  1. Add the following settings to the barbican.conf file.

›_ Console

# vi /etc/barbican/barbican.conf

[secretstore]

namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

[crypto]

enabled_crypto_plugins = p11_crypto

[crypto provjeriti]

enabled_crypto_plugins = simple_crypto
[simple_crypto_plugin]

kek = REPLACE_WITH_KEY

[p11_crypto_plugin]

# Path to Utimaco PKCS11 library
library_path = /opt/utimaco/lib/libcs_pkcs11_R3.so

# CryptoUser PIN to login to PKCS11
login = <PKCS11 Slot User PIN>

# Master KEK label as stored in the HSM
mkek_label = mkek_utimaco

# Master KEK length in bytes. (integer value)
mkek_length = 32

# Master HMAC Key label (as stored in the HSM) (string value)
hmac_label = hmac_utimaco

# HSM Slot ID (integer value)
slot_id = 3

encryption_mechanism = CKM_AES_CBC

The mkek_utimaco and hmac_utimaco keys are generated on the Utimaco HSM in slot 3 in the next section of this document.
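
Before restarting Barbican, the settings above can be linted for the mistakes that most often break the PKCS11 plugin: two settings run together on one line, a missing key, or the PIN placeholder left in place. The following Python script is an added example, not part of the original guide or of Barbican; the function name check_barbican_conf and the sample PIN are assumptions, and the sample configuration is constructed from the values on this page.

```python
import configparser

# Keys this page sets under [p11_crypto_plugin].
REQUIRED_P11 = ("library_path", "login", "mkek_label", "mkek_length",
                "hmac_label", "slot_id", "encryption_mechanism")

def check_barbican_conf(text):
    """Return a list of findings for barbican.conf contents given as a string."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)  # a PIN may contain '%'
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"parse error: {exc}"]
    # A value containing " = " means two settings ran together on one line.
    for section in cp.sections():
        for key, value in cp.items(section):
            if " = " in value:
                findings.append(f"[{section}] {key}: two settings on one line")
    if cp.get("crypto", "enabled_crypto_plugins", fallback="").strip() != "p11_crypto":
        findings.append("[crypto] enabled_crypto_plugins is not p11_crypto")
    if not cp.has_section("p11_crypto_plugin"):
        return findings + ["[p11_crypto_plugin] section missing"]
    p11 = cp["p11_crypto_plugin"]
    for key in REQUIRED_P11:
        if not p11.get(key, "").strip():
            findings.append(f"[p11_crypto_plugin] {key} missing or empty")
    for key in ("mkek_length", "slot_id"):
        if p11.get(key, "").strip() and not p11[key].strip().isdigit():
            findings.append(f"[p11_crypto_plugin] {key} must be an integer")
    if p11.get("login", "").strip().startswith("<"):
        findings.append("[p11_crypto_plugin] login still holds the placeholder")
    return findings

# Constructed sample: run-together line and placeholder PIN left in place.
BROKEN = """[secretstore]
namespace = barbican.secretstore.plugin enabled_secretstore_plugins = store_crypto
[crypto]
enabled_crypto_plugins = p11_crypto
[p11_crypto_plugin]
library_path = /opt/utimaco/lib/libcs_pkcs11_R3.so
login = <PKCS11 Slot User PIN>
mkek_label = mkek_utimaco
mkek_length = 32
hmac_label = hmac_utimaco
slot_id = 3
encryption_mechanism = CKM_AES_CBC
"""
# Corrected form of the same sample; "example-pin" is a constructed value.
GOOD = BROKEN.replace(".plugin enabled", ".plugin\nenabled").replace(
    "<PKCS11 Slot User PIN>", "example-pin")
if __name__ == "__main__":
    print(check_barbican_conf(BROKEN), check_barbican_conf(GOOD))
```

To check a live system, pass the contents of /etc/barbican/barbican.conf to check_barbican_conf and treat a non-empty result as a failed check.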