Skip to main content
SoftHSM v2 does not implement cryptographic primitives itself. Instead, it delegates all cryptographic operations to an external library through the CryptoFactory abstraction. You choose which library to use at compile time.

The CryptoFactory abstraction

CryptoFactory is an abstract C++ base class that acts as a factory for all algorithm implementations. The rest of SoftHSM calls only the CryptoFactory interface — it never calls an OpenSSL or Botan API directly. When you build SoftHSM, exactly one concrete subclass is compiled in:
Factory classBackend
OSSLCryptoFactoryOpenSSL
BotanCryptoFactoryBotan
The factory exposes four categories of algorithm objects:
  • SymmetricgetSymmetricAlgorithm() — AES, 3DES
  • AsymmetricgetAsymmetricAlgorithm() — RSA, DSA, ECDSA, ECDH, EdDSA, DH, GOST, ML-DSA
  • HashgetHashAlgorithm() — SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, MD5, GOST R 34.11-94
  • MACgetMacAlgorithm() — HMAC variants, CMAC
A global RNG is also provided via getRNG().
The crypto backend is not pluggable at runtime. It is selected at compile time and baked into the shared library. To switch backends you must recompile SoftHSM.

Available backends

OpenSSL

The default backend. Supports all algorithms including post-quantum ML-DSA (via OpenSSL 3.x) and FIPS 140-2 operation.

Botan

An alternative backend based on the Botan C++ library. Supports all classical algorithms. Does not currently support ML-DSA.

Compile-time backend selection

./configure --with-crypto-backend=openssl   # default
./configure --with-crypto-backend=botan
If --with-crypto-backend is omitted, the build system defaults to OpenSSL.

Algorithm support by backend

AlgorithmOpenSSLBotan
RSAYesYes
DSAYesYes
ECDSAYesYes
ECDHYesYes
EdDSAYesYes
DHYesYes
GOSTYes (if enabled)Yes (if enabled)
ML-DSA (post-quantum)Yes (OpenSSL 3.x)No
AESYesYes
3DESYesYes
SHA-1 / SHA-2 familyYesYes
MD5YesYes
HMACYesYes
CMACYesNo

When to choose each backend

Choose OpenSSL when:
  • You need post-quantum ML-DSA support.
  • You need FIPS 140-2 compliant operation (see FIPS 140-2).
  • You need CMAC.
  • OpenSSL is already a dependency in your environment.
Choose Botan when:
  • Your environment already ships Botan and you want to avoid an OpenSSL dependency.
  • You are comfortable without ML-DSA or CMAC.
If you use Botan, use version 2.6.0 or later. This version introduced performance improvements for public key operations.

Build docs developers (and LLMs) love

Get started for freeTalk to us