Configure Barbican to use Utimaco HSM

  1. Add the following settings to the barbican.conf file.

# vi /etc/barbican/barbican.conf

[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

[crypto]
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin] 
# Path to Utimaco PKCS11 library 
library_path = /opt/utimaco/lib/libcs_pkcs11_R3.so 

# CryptoUser PIN to log in to PKCS11
login = <PKCS11 Slot User PIN> 

# Master KEK label as stored in the HSM 
mkek_label = mkek_utimaco

# Master KEK length in bytes. (integer value)
mkek_length = 32 

# Master HMAC Key label (as stored in the HSM) (string value)
hmac_label = hmac_utimaco

# HSM Slot ID (integer value)
slot_id = 3

encryption_mechanism = CKM_AES_CBC

The mkek_utimaco and hmac_utimaco keys are generated on the Utimaco HSM in slot 3 in the next section of this document.
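
An added example, not part of the original page or of Barbican: a Python check that reads barbican.conf, reports settings from this page that are missing or malformed, and flags the file when users other than owner and group can read or write it, since login holds the PIN in clear text. The function names, the findings wording and the PAGE sample dictionary are assumptions of this example.

```python
import configparser
import os
import tempfile

# Values from this page; "login" is the page's placeholder, not a real PIN.
PAGE = {
    "secretstore": {"namespace": "barbican.secretstore.plugin",
                    "enabled_secretstore_plugins": "store_crypto"},
    "crypto": {"enabled_crypto_plugins": "p11_crypto"},
    "p11_crypto_plugin": {
        "library_path": "/opt/utimaco/lib/libcs_pkcs11_R3.so",
        "login": "<PKCS11 Slot User PIN>", "mkek_label": "mkek_utimaco",
        "mkek_length": "32", "hmac_label": "hmac_utimaco", "slot_id": "3",
        "encryption_mechanism": "CKM_AES_CBC"},
}

def check_barbican_conf(path, check_library=True):
    """Return a list of findings for the HSM settings in barbican.conf."""
    findings = []
    # The slot user PIN sits in this file in clear text: flag r/w for "other".
    if os.stat(path).st_mode & 0o006:
        findings.append("file is accessible to other users")
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(path)
    for section, options in PAGE.items():
        for opt, expected in options.items():
            value = cfg.get(section, opt, fallback="").strip()
            if not value:
                findings.append(f"missing [{section}] {opt}")
            elif opt.startswith("enabled_") and expected not in value.replace(" ", "").split(","):
                findings.append(f"{expected} not listed in [{section}] {opt}")
            elif opt in ("mkek_length", "slot_id") and not value.isdigit():
                findings.append(f"{opt} is not an integer")
            elif opt == "login" and value.startswith("<"):
                findings.append("login still holds the placeholder text")
            elif opt == "library_path" and check_library and not os.path.isfile(value):
                findings.append("library_path does not point to a file")
    return findings

def check_sample(mode=0o644, **overrides):
    """Write PAGE (a constructed sample) to a temp file and check it."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_dict(PAGE)
    cfg["p11_crypto_plugin"].update(overrides)
    with tempfile.NamedTemporaryFile("w", suffix=".conf") as fh:
        cfg.write(fh)
        fh.flush()
        os.chmod(fh.name, mode)
        return check_barbican_conf(fh.name, check_library=False)
```

On a Barbican host, call check_barbican_conf("/etc/barbican/barbican.conf"); an empty list means every setting from this page is present and well formed.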