A Besu plugin that provides a custom security module to load the node key from an HSM, such as SoftHSM, using PKCS11 libraries.
You can either use pre-built jar from Assets section in releases or build it yourself.
[!NOTE] This project requires Java 21 or later. If it is not available, the gradle build will attempt to download one and use it.
gradle/libs.versions.toml
. For example:[versions]
besu = "24.8.0"
./gradlew clean build
The plugin jar will be available at build/libs/besu-pkcs11-plugin-<version>.jar
.
Drop the besu-pkcs11-plugin-<version>.jar
in the /plugins
folder under Besu installation. This plugin will expose
following additional cli options:
--plugin-pkcs11-hsm-config-path=<path>
Path to the PKCS11 configuration file
--plugin-pkcs11-hsm-key-alias=<label>
Alias or label of the private key that is stored in the HSM
--plugin-pkcs11-hsm-password-path=<path>
Path to the file that contains password or PIN to access PKCS11 token
The security module provided by this plugin can be loaded with following cli option:
--security-module=pkcs11-hsm
Dockerfile
is based on Besu's official docker image.
It installs following additional package to manage SECP256K1 private keys and SoftHSM:apt-get install -y --no-install-recommends \
openssl \
libssl3 \
softhsm2 \
opensc \
gnutls-bin
entrypoint.sh
as entrypoint. This script
initializes SoftHSM and generates a private key if required./plugins
folder.docker build --no-cache -t besu-pkcs11:latest .
./docker/volumes/data
for Besu data. It should be mounted to /var/lib/besu
./docker/volumes/tokens
for SoftHSM data. It should be mounted to /var/lib/tokens
./docker/volumes/config
for Besu and PKCS11 config files. It MUST be mounted to /etc/besu/config
. This directory contains the sample configurations.[!NOTE] To initialize the SoftHSM tokens, the entrypoint script will attempt to generate a SECP256K1 private key and initialize SoftHSM on the first run. The SoftHSM
PIN
is defined in./docker/volumes/config/pkcs11-hsm-password.txt
. TheSO_PIN
can be overridden via environment variable, however, it is not required once initialization is done.
docker run --rm -it \
-v ./docker/volumes/data:/var/lib/besu \
-v ./docker/volumes/tokens:/var/lib/tokens \
-v ./docker/volumes/config:/etc/besu/config \
besu-pkcs11:latest --config-file=/etc/besu/config/besu-dev.toml
Licensed under either of
at your option.
SPDX-License-Identifier: (Apache-2.0 OR MIT)
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.