SoftHSM v2 lets you restrict the set of PKCS#11 mechanisms that a token reports through C_GetMechanismList and C_GetMechanismInfo and permits for cryptographic operations. This is controlled by the slots.mechanisms option in softhsm2.conf. The option can only narrow the built-in set; it cannot enable mechanisms that the SoftHSM build does not support.

Configuration option

# Enable all mechanisms (default)
slots.mechanisms = ALL

# Enable only specific mechanisms
slots.mechanisms = CKM_RSA_PKCS,CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_SHA256_RSA_PKCS

# Disable specific mechanisms, keep all others
slots.mechanisms = -CKM_DES_KEY_GEN,CKM_DES_ECB,CKM_DES_CBC
slots.mechanisms
string

A comma-separated list of PKCS#11 mechanism names. Controls which mechanisms are reported by C_GetMechanismList and permitted for use.

Syntax:

Value                      Effect
ALL                        All supported mechanisms are enabled (default)
CKM_FOO,CKM_BAR,...        Only the listed mechanisms are enabled (allowlist)
-CKM_FOO,CKM_BAR,...       All mechanisms except the listed ones are enabled (denylist)

Default: ALL

Unknown mechanism names are silently ignored: a misspelled name in an allowlist quietly drops that mechanism, and a misspelled name in a denylist quietly leaves it enabled. Check the result with C_GetMechanismList after changing the option. This option applies to all slots.

slots.mechanisms takes precedence over the CKA_ALLOWED_MECHANISMS attribute set on individual key objects: a mechanism disabled here is unavailable regardless of what a key's CKA_ALLOWED_MECHANISMS lists.

Allowlist vs. denylist

Allowlist — specify exactly which mechanisms are available:
# Only RSA operations
slots.mechanisms = CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_RSA_PKCS,CKM_RSA_X_509,CKM_RSA_PKCS_OAEP,CKM_SHA256_RSA_PKCS
Denylist: disable specific mechanisms and keep all others. The value begins with a single minus sign (-) in front of the first name; the sign applies to the whole list, not to each name:
# Disable legacy DES, keep everything else
slots.mechanisms = -CKM_DES_KEY_GEN,CKM_DES2_KEY_GEN,CKM_DES3_KEY_GEN,CKM_DES_ECB,CKM_DES_CBC
When hardening a deployment, an explicit allowlist is safer than a denylist: a denylist has to be revisited whenever a SoftHSM upgrade adds mechanisms, whereas an allowlist excludes anything new automatically.
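Because SoftHSM drops unrecognised names without complaint, a typo in an allowlist silently removes a mechanism you meant to keep, and a typo in a denylist silently leaves one enabled. The following checker is an added example, not part of SoftHSM, that computes the set a given slots.mechanisms value will actually yield, lists the names that would be ignored, reports any legacy CKM_DES* mechanism still enabled, emits the value as the single line the config parser expects, and diffs the expected set against what a token later reports. The mechanism names are transcribed from the tables on this page; tolerating whitespace around names is an assumption of this checker, not a documented SoftHSM behaviour.

```python
"""Offline audit of a SoftHSM v2 ``slots.mechanisms`` value.

Added example, not SoftHSM's own code. Parsing rules (ALL, allowlist,
leading '-' denylist, unknown names dropped) follow the documented syntax;
stripping whitespace around names is this checker's own assumption.
"""
from __future__ import annotations

# Every mechanism name this page lists as recognised by SoftHSM v2.
KNOWN_MECHANISMS = frozenset("""
CKM_MD5 CKM_SHA_1 CKM_SHA224 CKM_SHA256 CKM_SHA384 CKM_SHA512
CKM_MD5_HMAC CKM_SHA_1_HMAC CKM_SHA224_HMAC CKM_SHA256_HMAC CKM_SHA384_HMAC CKM_SHA512_HMAC
CKM_RSA_PKCS_KEY_PAIR_GEN CKM_RSA_PKCS CKM_RSA_X_509 CKM_MD5_RSA_PKCS CKM_SHA1_RSA_PKCS
CKM_SHA224_RSA_PKCS CKM_SHA256_RSA_PKCS CKM_SHA384_RSA_PKCS CKM_SHA512_RSA_PKCS
CKM_RSA_PKCS_OAEP CKM_RSA_AES_KEY_WRAP CKM_RSA_PKCS_PSS CKM_SHA1_RSA_PKCS_PSS
CKM_SHA224_RSA_PKCS_PSS CKM_SHA256_RSA_PKCS_PSS CKM_SHA384_RSA_PKCS_PSS CKM_SHA512_RSA_PKCS_PSS
CKM_GENERIC_SECRET_KEY_GEN
CKM_DES_KEY_GEN CKM_DES2_KEY_GEN CKM_DES3_KEY_GEN CKM_DES_ECB CKM_DES_CBC CKM_DES_CBC_PAD
CKM_DES_ECB_ENCRYPT_DATA CKM_DES_CBC_ENCRYPT_DATA CKM_DES3_ECB CKM_DES3_CBC CKM_DES3_CBC_PAD
CKM_DES3_ECB_ENCRYPT_DATA CKM_DES3_CBC_ENCRYPT_DATA CKM_DES3_CMAC
CKM_AES_KEY_GEN CKM_AES_ECB CKM_AES_CBC CKM_AES_CBC_PAD CKM_AES_CTR CKM_AES_GCM
CKM_AES_KEY_WRAP CKM_AES_KEY_WRAP_PAD CKM_AES_ECB_ENCRYPT_DATA CKM_AES_CBC_ENCRYPT_DATA CKM_AES_CMAC
CKM_DSA_PARAMETER_GEN CKM_DSA_KEY_PAIR_GEN CKM_DSA CKM_DSA_SHA1 CKM_DSA_SHA224
CKM_DSA_SHA256 CKM_DSA_SHA384 CKM_DSA_SHA512
CKM_DH_PKCS_KEY_PAIR_GEN CKM_DH_PKCS_PARAMETER_GEN CKM_DH_PKCS_DERIVE
CKM_EC_KEY_PAIR_GEN CKM_ECDSA CKM_ECDSA_SHA1 CKM_ECDSA_SHA224 CKM_ECDSA_SHA256
CKM_ECDSA_SHA384 CKM_ECDSA_SHA512 CKM_ECDH1_DERIVE
CKM_EC_EDWARDS_KEY_PAIR_GEN CKM_EDDSA
CKM_GOSTR3411 CKM_GOSTR3411_HMAC CKM_GOSTR3410_KEY_PAIR_GEN CKM_GOSTR3410 CKM_GOSTR3410_WITH_GOSTR3411
CKM_ML_DSA_KEY_PAIR_GEN CKM_ML_DSA
CKM_CONCATENATE_DATA_AND_BASE CKM_CONCATENATE_BASE_AND_DATA CKM_CONCATENATE_BASE_AND_KEY
""".split())

# The page flags DES and Triple-DES as legacy; the audit reports any left enabled.
LEGACY_MECHANISMS = frozenset(m for m in KNOWN_MECHANISMS if m.startswith("CKM_DES"))


def parse_mechanisms(value: str) -> tuple[str, list[str]]:
    """Split a slots.mechanisms value into (mode, names).

    mode is "all", "allow" or "deny". The leading '-' of a denylist belongs
    to the whole list, so only the first name carries it.
    """
    text = value.strip()
    if text == "ALL":
        return "all", []
    mode = "allow"
    if text.startswith("-"):
        mode, text = "deny", text[1:]
    return mode, [n.strip() for n in text.split(",") if n.strip()]


def effective_mechanisms(value: str) -> tuple[frozenset[str], list[str]]:
    """Return (mechanisms SoftHSM will advertise, names it will silently drop)."""
    mode, names = parse_mechanisms(value)
    unknown = [n for n in names if n not in KNOWN_MECHANISMS]
    listed = frozenset(names) & KNOWN_MECHANISMS
    if mode == "all":
        return KNOWN_MECHANISMS, unknown
    if mode == "allow":
        return listed, unknown
    return KNOWN_MECHANISMS - listed, unknown  # deny


def audit(value: str) -> dict:
    """One-shot report: effective set, names that would be ignored, legacy DES still on."""
    enabled, unknown = effective_mechanisms(value)
    return {
        "enabled": enabled,
        "unknown": unknown,
        "legacy_enabled": sorted(enabled & LEGACY_MECHANISMS),
    }


def render_config(names, deny: bool = False) -> str:
    """Emit the softhsm2.conf line. The config parser has no backslash
    continuation, so the whole value is always written on one line."""
    return "slots.mechanisms = " + ("-" if deny else "") + ",".join(names)


def compare_with_token(expected: frozenset[str], advertised) -> dict:
    """Diff the expected set against the CKM_ names a token actually reported
    through C_GetMechanismList (obtained with whatever PKCS#11 client you use)."""
    advertised = frozenset(advertised)
    return {"missing": sorted(expected - advertised),
            "unexpected": sorted(advertised - expected)}


if __name__ == "__main__":
    # Typo in an allowlist: CKM_SHA_256 is not a recognised name, so SoftHSM
    # would advertise only CKM_RSA_PKCS and say nothing about the dropped name.
    report = audit("CKM_RSA_PKCS,CKM_SHA_256")
    print("enabled:", sorted(report["enabled"]), "ignored:", report["unknown"])
    # Incomplete denylist: single-DES key generation is off, Triple-DES stays on.
    print("legacy still enabled:", audit("-CKM_DES_KEY_GEN")["legacy_enabled"])
    # Single-line config for the full DES denylist shown later on this page.
    print(render_config(sorted(LEGACY_MECHANISMS), deny=True))
```

Run it on the value you intend to deploy before editing softhsm2.conf; a non-empty "unknown" list is a typo, and a non-empty "legacy_enabled" list means the denylist misses some CKM_DES* names. After the token is reconfigured, feed the names from C_GetMechanismList into compare_with_token to confirm the effective set matches the expected one.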

Supported mechanisms

The following mechanism names are recognised by SoftHSM v2. Names not in this list are silently ignored.

Digests

Mechanism name                  Description
CKM_MD5                         MD5 digest
CKM_SHA_1                       SHA-1 digest
CKM_SHA224                      SHA-224 digest
CKM_SHA256                      SHA-256 digest
CKM_SHA384                      SHA-384 digest
CKM_SHA512                      SHA-512 digest

HMAC

Mechanism name                  Description
CKM_MD5_HMAC                    HMAC with MD5
CKM_SHA_1_HMAC                  HMAC with SHA-1
CKM_SHA224_HMAC                 HMAC with SHA-224
CKM_SHA256_HMAC                 HMAC with SHA-256
CKM_SHA384_HMAC                 HMAC with SHA-384
CKM_SHA512_HMAC                 HMAC with SHA-512

RSA

Mechanism name                  Description
CKM_RSA_PKCS_KEY_PAIR_GEN       RSA key pair generation
CKM_RSA_PKCS                    RSA PKCS#1 v1.5 sign/encrypt
CKM_RSA_X_509                   Raw RSA (no padding)
CKM_MD5_RSA_PKCS                RSA PKCS#1 v1.5 with MD5
CKM_SHA1_RSA_PKCS               RSA PKCS#1 v1.5 with SHA-1
CKM_SHA224_RSA_PKCS             RSA PKCS#1 v1.5 with SHA-224
CKM_SHA256_RSA_PKCS             RSA PKCS#1 v1.5 with SHA-256
CKM_SHA384_RSA_PKCS             RSA PKCS#1 v1.5 with SHA-384
CKM_SHA512_RSA_PKCS             RSA PKCS#1 v1.5 with SHA-512
CKM_RSA_PKCS_OAEP               RSA OAEP encryption
CKM_RSA_AES_KEY_WRAP            RSA-AES key wrap
CKM_RSA_PKCS_PSS                RSA PSS over a caller-supplied digest (no hashing in the token)
CKM_SHA1_RSA_PKCS_PSS           RSA PSS with SHA-1
CKM_SHA224_RSA_PKCS_PSS         RSA PSS with SHA-224
CKM_SHA256_RSA_PKCS_PSS         RSA PSS with SHA-256
CKM_SHA384_RSA_PKCS_PSS         RSA PSS with SHA-384
CKM_SHA512_RSA_PKCS_PSS         RSA PSS with SHA-512

Generic secret

Mechanism name                  Description
CKM_GENERIC_SECRET_KEY_GEN      Generic secret key generation

DES

Mechanism name                  Description
CKM_DES_KEY_GEN                 DES key generation
CKM_DES2_KEY_GEN                DES2 (2-key Triple-DES) key generation
CKM_DES3_KEY_GEN                DES3 (3-key Triple-DES) key generation
CKM_DES_ECB                     DES ECB
CKM_DES_CBC                     DES CBC
CKM_DES_CBC_PAD                 DES CBC with PKCS padding
CKM_DES_ECB_ENCRYPT_DATA        DES ECB encrypt data (key derivation)
CKM_DES_CBC_ENCRYPT_DATA        DES CBC encrypt data (key derivation)
CKM_DES3_ECB                    Triple-DES ECB
CKM_DES3_CBC                    Triple-DES CBC
CKM_DES3_CBC_PAD                Triple-DES CBC with PKCS padding
CKM_DES3_ECB_ENCRYPT_DATA       Triple-DES ECB encrypt data (key derivation)
CKM_DES3_CBC_ENCRYPT_DATA       Triple-DES CBC encrypt data (key derivation)
CKM_DES3_CMAC                   Triple-DES CMAC

DES and Triple-DES are legacy algorithms. Disable all CKM_DES* mechanisms unless an existing token or application still requires them for compatibility; note that a denylist must name every one of the fourteen CKM_DES* mechanisms above, since any omitted one stays enabled.

AES

Mechanism name                  Description
CKM_AES_KEY_GEN                 AES key generation
CKM_AES_ECB                     AES ECB
CKM_AES_CBC                     AES CBC
CKM_AES_CBC_PAD                 AES CBC with PKCS padding
CKM_AES_CTR                     AES CTR
CKM_AES_GCM                     AES GCM
CKM_AES_KEY_WRAP                AES key wrap (RFC 3394)
CKM_AES_KEY_WRAP_PAD            AES key wrap with padding (RFC 5649)
CKM_AES_ECB_ENCRYPT_DATA        AES ECB encrypt data (key derivation)
CKM_AES_CBC_ENCRYPT_DATA        AES CBC encrypt data (key derivation)
CKM_AES_CMAC                    AES CMAC

DSA

Mechanism name                  Description
CKM_DSA_PARAMETER_GEN           DSA domain parameter generation
CKM_DSA_KEY_PAIR_GEN            DSA key pair generation
CKM_DSA                         DSA over a caller-supplied digest (no hashing in the token)
CKM_DSA_SHA1                    DSA with SHA-1
CKM_DSA_SHA224                  DSA with SHA-224
CKM_DSA_SHA256                  DSA with SHA-256
CKM_DSA_SHA384                  DSA with SHA-384
CKM_DSA_SHA512                  DSA with SHA-512

Diffie-Hellman

Mechanism name                  Description
CKM_DH_PKCS_KEY_PAIR_GEN        DH key pair generation
CKM_DH_PKCS_PARAMETER_GEN       DH domain parameter generation
CKM_DH_PKCS_DERIVE              DH key derivation

EC / ECDSA / ECDH

Mechanism name                  Description
CKM_EC_KEY_PAIR_GEN             EC key pair generation
CKM_ECDSA                       ECDSA over a caller-supplied digest (no hashing in the token)
CKM_ECDSA_SHA1                  ECDSA with SHA-1
CKM_ECDSA_SHA224                ECDSA with SHA-224
CKM_ECDSA_SHA256                ECDSA with SHA-256
CKM_ECDSA_SHA384                ECDSA with SHA-384
CKM_ECDSA_SHA512                ECDSA with SHA-512
CKM_ECDH1_DERIVE                ECDH key derivation

EdDSA

Mechanism name                  Description
CKM_EC_EDWARDS_KEY_PAIR_GEN     Edwards curve key pair generation (Ed25519/Ed448)
CKM_EDDSA                       EdDSA signature

GOST R 34

Mechanism name                  Description
CKM_GOSTR3411                   GOST R 34.11 digest
CKM_GOSTR3411_HMAC              GOST R 34.11 HMAC
CKM_GOSTR3410_KEY_PAIR_GEN      GOST R 34.10 key pair generation
CKM_GOSTR3410                   GOST R 34.10 signature
CKM_GOSTR3410_WITH_GOSTR3411    GOST R 34.10 signature with GOST R 34.11 digest

ML-DSA (CRYSTALS-Dilithium)

Mechanism name                  Description
CKM_ML_DSA_KEY_PAIR_GEN         ML-DSA key pair generation
CKM_ML_DSA                      ML-DSA signature

Key derivation utilities

Mechanism name                  Description
CKM_CONCATENATE_DATA_AND_BASE   Concatenate data with base key
CKM_CONCATENATE_BASE_AND_DATA   Concatenate base key with data
CKM_CONCATENATE_BASE_AND_KEY    Concatenate two keys

Examples

Allowlist: RSA and AES only

slots.mechanisms = CKM_RSA_PKCS_KEY_PAIR_GEN,CKM_RSA_PKCS,CKM_RSA_PKCS_OAEP,\
  CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS,\
  CKM_SHA256_RSA_PKCS_PSS,CKM_SHA384_RSA_PKCS_PSS,CKM_SHA512_RSA_PKCS_PSS,\
  CKM_AES_KEY_GEN,CKM_AES_CBC,CKM_AES_CBC_PAD,CKM_AES_GCM,CKM_AES_KEY_WRAP

Denylist: disable all legacy DES mechanisms

slots.mechanisms = -CKM_DES_KEY_GEN,CKM_DES2_KEY_GEN,CKM_DES3_KEY_GEN,\
  CKM_DES_ECB,CKM_DES_CBC,CKM_DES_CBC_PAD,\
  CKM_DES_ECB_ENCRYPT_DATA,CKM_DES_CBC_ENCRYPT_DATA,\
  CKM_DES3_ECB,CKM_DES3_CBC,CKM_DES3_CBC_PAD,\
  CKM_DES3_ECB_ENCRYPT_DATA,CKM_DES3_CBC_ENCRYPT_DATA,CKM_DES3_CMAC
The SoftHSM config parser does not support line continuation with \. The examples above are wrapped only for readability; in a real softhsm2.conf, write the entire slots.mechanisms value on a single line. A wrapped value would be truncated at the backslash, and the names on the following lines would not be parsed as part of the option.