What is PKCS#11?

Nick Smith | 7 December 2018

PKCS#11 defines an API to communicate with cryptographic security tokens such as smart cards, USB keys and Hardware Security Modules (HSMs). Also known as "Cryptoki", PKCS#11 is part of the Public Key Cryptography Standards.

PKCS#11 is a platform-independent API that can be used to manage and consume cryptographic security tokens.

The API allows for the management (creation, modification, deletion) of cryptographic objects on-board the token, including:

  • RSA keys
  • X.509 Certificates
  • Symmetric keys (e.g., AES, 3DES)
  • Elliptic Curve Cryptography (ECC) keys

Software applications can call the API to use these objects for:

  • Encryption/Decryption
  • Digital Signature calculation and verification

PKCS#11 abstracts the specifics of the underlying communication between the application and the token. A typical application software stack using PKCS#11 is shown below.

[Figure: Software application stack using PKCS#11 library and middleware]