I have a Python application which needs to encrypt data. The symmetric keys lie in separate hardware, an HSM.
I have implemented a wrapper in Python:
pip install python-pkcs11
and set the path to the C PKCS#11 library for initialization:
lib = pkcs11.lib(os.environ['PATH_TO_C-PKCS11_LIB'])
But what next? How can I configure the whole wrapper or the C library to look in the HSM for the key?
And how do the app and the HSM communicate? Is it via HTTP?
Appreciate any help.
Your question is very broad. Have a look at the examples in the documentation. Use get_key to look up the key in the HSM and encrypt to encrypt.
Example code encrypting a block of zeroes in CBC mode with a zero IV, using the AES key TEST stored in the HSM token DEMO:
import os
import pkcs11

# Load the vendor's PKCS#11 module (a shared library) into this process.
lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
token = lib.get_token(token_label='DEMO')

# Open a session and log in; the key material never leaves the HSM,
# only a handle to the key object is returned.
with token.open(user_pin='1234') as session:
    key = session.get_key(key_type=pkcs11.mechanisms.KeyType.AES, label='TEST')
    iv = bytes.fromhex('00000000000000000000000000000000')
    data = bytes.fromhex('00000000000000000000000000000000')
    ciphertext = key.encrypt(data=data, mechanism=pkcs11.mechanisms.Mechanism.AES_CBC, mechanism_param=iv)
    print(ciphertext.hex())
You definitely should read the PKCS#11 specification and SDK documentation for your HSM.
Good luck with your project!
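A follow-up example, added here and not part of the question or the answer above. It builds on the answer's snippet in two ways a practitioner would want: every message gets a fresh random IV (the zero IV in the answer is only for a reproducible demo; reusing an IV under CBC leaks whether messages share a prefix), and it uses the padded CBC mechanism so the input need not be a multiple of 16 bytes. The PKCS#11 import is done inside the helper that talks to the HSM, so the encrypt/decrypt framing can be exercised offline against a labelled test double. On the transport question: the application loads the vendor's PKCS#11 shared library in-process and calls its C API; how that library reaches the device (USB, PCIe, a vendor network protocol) is hidden behind that API. The token label DEMO, key label TEST and the PKCS11_MODULE variable are taken from the answer; PKCS11_PIN and the FakeSecretKey class are my own assumptions.

```python
# Added example (not from the original question or answer).
# Framing helpers around a python-pkcs11 SecretKey: random IV per message,
# IV || ciphertext on the wire, padded CBC so any length is accepted.
import hashlib
import os
from contextlib import contextmanager

BLOCK_SIZE = 16  # AES block size == CBC IV size, in bytes


@contextmanager
def hsm_aes_key(module_path, token_label, user_pin, key_label):
    """Load the vendor PKCS#11 module in-process, log in, yield (key, mechanism).

    python-pkcs11 is imported here rather than at module top so the helpers
    below can run without an HSM or the module being installed.
    """
    import pkcs11  # pip install python-pkcs11

    lib = pkcs11.lib(module_path)
    token = lib.get_token(token_label=token_label)
    with token.open(user_pin=user_pin) as session:
        key = session.get_key(key_type=pkcs11.mechanisms.KeyType.AES, label=key_label)
        # AES_CBC_PAD applies PKCS#7 padding inside the HSM.
        yield key, pkcs11.mechanisms.Mechanism.AES_CBC_PAD


def encrypt_with_iv(key, plaintext, mechanism, rng=os.urandom):
    """Encrypt under the HSM key with a fresh IV; return IV || ciphertext."""
    iv = rng(BLOCK_SIZE)
    ciphertext = key.encrypt(plaintext, mechanism=mechanism, mechanism_param=iv)
    return iv + ciphertext


def decrypt_with_iv(key, blob, mechanism):
    """Split IV || ciphertext produced by encrypt_with_iv and decrypt it."""
    if len(blob) < BLOCK_SIZE:
        raise ValueError("blob too short to contain an IV")
    iv, ciphertext = blob[:BLOCK_SIZE], blob[BLOCK_SIZE:]
    return key.decrypt(ciphertext, mechanism=mechanism, mechanism_param=iv)


class FakeSecretKey:
    """Offline stand-in (assumption) with the encrypt/decrypt signature of a
    python-pkcs11 SecretKey. It XORs data with a SHA-256 keystream derived from
    a constructed secret and the IV. It is a test double, NOT a cipher; it only
    lets the framing above be checked without an HSM."""

    def __init__(self, secret):
        self._secret = secret

    def _keystream(self, iv, n):
        out = b""
        counter = 0
        while len(out) < n:
            out += hashlib.sha256(self._secret + iv + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:n]

    def encrypt(self, data, mechanism=None, mechanism_param=None):
        ks = self._keystream(mechanism_param, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    decrypt = encrypt  # XOR is its own inverse


if __name__ == "__main__":
    # Real HSM usage; PKCS11_PIN is an assumed variable name.
    with hsm_aes_key(os.environ["PKCS11_MODULE"], "DEMO",
                     os.environ["PKCS11_PIN"], "TEST") as (key, mech):
        blob = encrypt_with_iv(key, b"payload of any length", mech)
        print(blob.hex())
        print(decrypt_with_iv(key, blob, mech))
```

The test double is only there so the IV handling can be verified on a developer machine; against the real HSM the same two helpers are called with the key handle and mechanism yielded by hsm_aes_key.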