Request for further testing and revision of guidance on using BIND with AEP Keyper HSMs
Per Support ticket #15888, this is an open-ended request to suggest that we need to further test and potentially revise our documented advice for consumers using AEP Keyper HSMs. Currently the ARM recommends using patched OpenSSL, citing limitations in the pkcs11 libraries provided with these devices.
It would be good to know (and document) whether or not the latest/upgraded Keypers have an improved pkcs11 library implementation that now has full functionality for working with BIND and native pkcs11 HSM support.
The significant use case behind this request is that whilst the modern Keyper HSMs themselves do support ECDSA, BIND using patched OpenSSL to access them does not. (See also #1533 (closed))
I suspect that we have not revisited this documentation, nor reviewed any improved pkcs11 implementations by the major HSM manufacturers, in some time; we might therefore want to look at some of the other implementations too?