SoftHSM2

SoftHSM2 is a simple approach for employing storage encryption with a master key in an HSM, because it stores the keys in place of ownCloud.

Use SoftHSM2 With hsmdaemon

SoftHSM2 can be used with and hsmdaemon to store keys in place of ownCloud; either on the same or a different machine as ownCloud. Because keys are stored with a different owner to ownCloud, it prevents the web server (typically Apache) from directly reading the key material. This helps prevent a malicious actor from reading files, if they can impersonate the web server user. However, it doesn’t help if the malicious actor can manipulate PHP files and run arbitrary code.

If you run SoftHSM2 and hsmdaemon on a different machine on the network, know that the hsmdaemon traffic is not encrypted. In this scenario, the systems administrator would need to setup a secure tunnel to encrypt the traffic.

Install SoftHSM2

If you do not have an HSM-provided PKCS11 library, then you can use SoftHSM2 instead. To do so, follow the instructions for you Linux distribution below.

Installing these two packages also installs /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so, which is a module that we will need later, for interaction with the PKCS11 API.

Install on Debian and Ubuntu

To install SoftHSM2 on either Debian or Ubuntu, run the command below.

sudo apt-get update
sudo apt-get install -y softhsm2 libsofthsm2

Install on openSUSE and SUSE Linux Enterprise Server

To install SoftHSM2, you first have to ensure that you have the official security repository for your server enabled in your server’s repositories list. To check if it is, run the command zypper lr, which will show you output similar to the following:

#  | Alias                     | Name                                    | Enabled | GPG Check | Refresh
---+---------------------------+-----------------------------------------+---------+-----------+--------
 1 | openSUSE-Leap-15.3-1      | openSUSE-Leap-15.3-1                    | No      | ----      | ----
 2 | repo-debug                | Debug Repository                        | No      | ----      | ----
 3 | repo-debug-non-oss        | Debug Repository (Non-OSS)              | No      | ----      | ----
 4 | repo-debug-update         | Update Repository (Debug)               | No      | ----      | ----
 5 | repo-debug-update-non-oss | Update Repository (Debug, Non-OSS)      | No      | ----      | ----
 6 | repo-non-oss              | Non-OSS Repository                      | Yes     | (r ) Yes  | Yes
 7 | repo-oss                  | Main Repository                         | Yes     | (r ) Yes  | Yes
 8 | repo-sle-debug-update     | Update repository with debuginfo for... | No      | ----      | ----
 9 | repo-sle-update           | Update repository with updates from...  | Yes     | (r ) Yes  | Yes
10 | repo-source               | Source Repository                       | No      | ----      | ----
11 | repo-update               | Main Update Repository                  | Yes     | (r ) Yes  | Yes
12 | repo-update-non-oss       | Update Repository (Non-Oss)             | Yes     | (r ) Yes  | Yes
Use the -d flag to show the URI for each repository as well.

If there is no security repository listed, then add it using the following command for openSUSE Leap 15.3:

sudo zypper addrepo \
  --check \
  --refresh \
  --name "openSUSE-Leap-15.3-Security" \
  https://download.opensuse.org/repositories/security/openSUSE_Leap_15.3/security.repo \
  "repo-security"

Running zypper lr again should now display an additional line:

13 | security                 | openSUSE-Leap-15.3-Security             | Yes     | (r ) Yes  | No

For different Leap versions, SUSE Linux Enterprise or openSUSE Tumbleweed, change the name and modify the product part of the URI as listed in the official security repository.

With the repository enabled, install SoftHSM2 by running the following command:

sudo zypper install -y --auto-agree-with-licenses softhsm

Install on Fedora and Red Hat Enterprise Linux and Centos

To install SoftHSM2 on Fedora and Red Hat Enterprise Linux and Centos, run the command below.

sudo yum install --assumeyes softhsm

Check the Configuration File

Once SoftHSM2 is installed, check that the directory specified by directories.tokendir in SoftHSM2’s configuration file exists.

Distribution

Configuration File Location

Tokens Directory

Debian and Ubuntu

/etc/softhsm/softhsm2.conf

/var/lib/softhsm/tokens/

openSUSE and SUSE Linux Enterprise Server

/etc/softhsm2.conf

Fedora and Red Hat Enterprise Linux and Centos

/etc/softhsm2.conf

# SoftHSM v2 configuration file

directories.tokendir = /var/lib/softhsm/tokens/
objectstore.backend = file

# ERROR, WARNING, INFO, DEBUG
log.level = INFO