A Besu plugin that provides a custom security module to load the node key from an HSM, such as SoftHSM, using PKCS11 libraries.
You can either use pre-built jar from Assets section in releases or build it yourself.
Note
This project requires Java 21 or later. If it is not available, the gradle build will attempt to download one and use it.
- Check Besu releases for latest stable version and update it in
gradle/libs.versions.toml. For example:
[versions]
besu = "24.8.0"- Build the plugin:
./gradlew clean buildThe plugin jar will be available at build/libs/besu-pkcs11-plugin-<version>.jar.
Drop the besu-pkcs11-plugin-<version>.jar in the /plugins folder under Besu installation. This plugin will expose
following additional cli options:
--plugin-pkcs11-hsm-config-path=<path>
Path to the PKCS11 configuration file
--plugin-pkcs11-hsm-key-alias=<label>
Alias or label of the private key that is stored in the HSM
--plugin-pkcs11-hsm-password-path=<path>
Path to the file that contains password or PIN to access PKCS11 tokenThe security module provided by this plugin can be loaded with following cli option:
--security-module=pkcs11-hsm- The plugin can be tested as a docker image. The provided
Dockerfileis based on Besu's official docker image. It installs following additional package to manage SECP256K1 private keys and SoftHSM:
apt-get install -y --no-install-recommends \
openssl \
libssl3 \
softhsm2 \
opensc \
gnutls-bin
- The Dockerfile uses a custom script
entrypoint.shas entrypoint. This script initializes SoftHSM and generates a private key if required. - The Dockerfile copies the plugin jar to
/pluginsfolder. - See Besu documentation for further details about other docker options required to run Besu.
- See the sample Besu config file that defines minimal options required to use the plugin.
- Following is an example to build the docker image:
docker build --no-cache -t besu-pkcs11:latest .- To run Besu node for testing with SoftHSM, Following directories be mounted as volumes.
Change the path according to your requirements:
./docker/volumes/datafor Besu data. It should be mounted to/var/lib/besu./docker/volumes/tokensfor SoftHSM data. It should be mounted to/var/lib/tokens./docker/volumes/configfor Besu and PKCS11 config files. It MUST be mounted to/etc/besu/config. This directory contains the sample configurations.
Note
To initialize the SoftHSM tokens, the entrypoint script will attempt to generate a SECP256K1 private key and
initialize SoftHSM on the first run. The SoftHSM PIN is defined in ./docker/volumes/config/pkcs11-hsm-password.txt.
The SO_PIN can be overridden via environment variable, however, it is not required once initialization is done.
- To run the Besu node:
docker run --rm -it \
-v ./docker/volumes/data:/var/lib/besu \
-v ./docker/volumes/tokens:/var/lib/tokens \
-v ./docker/volumes/config:/etc/besu/config \
besu-pkcs11:latest --config-file=/etc/besu/config/besu-dev.tomlLicensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
SPDX-License-Identifier: (Apache-2.0 OR MIT)
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.