#openpgp #sequoia #pkcs11


A library for using PKCS #11 devices in an OpenPGP context

4 releases (2 breaking)

0.2.0 Jun 22, 2023
0.1.0 Jun 19, 2023
0.0.2 Jun 18, 2023
0.0.1 Jun 15, 2023

22 downloads per month
Used in openpgp-pkcs11-tools


771 lines


A library to use PKCS #​11 devices in an OpenPGP context.

PKCS #​11 refers to a programming interface to create and manipulate cryptographic tokens.

(See openpgp-pkcs11-tools for a CLI tool based on this library.)

PKCS #​11 specification

PKCS #11 Cryptographic Token Interface Base Specification Version 2.40, OASIS Standard, 14 April 2015

PKCS #11 v2.20: Cryptographic Token Interface Standard, RSA Laboratories, 28 June 2004

PKCS #​11 access libraries

Accessing PKCS #​11 devices requires a (typically vendor-specific) PKCS #​11 dynamic library implementation ("module"). For example, to access the Yubikey PIV application on a Yubikey 5, /usr/lib64/libykcs11.so can be used.

The code in this repository uses cryptoki, a "high-level, Rust idiomatic wrapper crate for PKCS #​11" as a wrapper for these modules:

graph TD
A[openpgp-pkcs11-sequoia] --> B(cryptoki Rust crate)
B -->|uses| C[vendor-specific PKCS#11 library]

click B "https://crates.io/crates/cryptoki"

Devices and software implementations

YubiKey 4/5 (ykcs11)

Key upload limitation

The YubiKey PKCS #​11 driver (ykcs11) appears to not implement the required functionality to upload key material (uploading CKO_PUBLIC_KEY objects is unsupported, but would be needed).

Thus, keys can currently only be uploaded to these cards via the PIV interface.

Nitrokey HSM 2 / SmartCard-HSM-4K


"The SmartCard-HSM is supported by OpenSC, a PKCS#11 and CSP Minidriver middleware for various operating systems."


YubiHSM 2


Nitrokey NetHSM

Available as container image (no security features, just for testing purposes!):


PKCS #​11 driver: https://github.com/Nitrokey/nethsm-pkcs11

"This driver is still an early Proof of Concept implementation that only implements the functions that are necessary for operating TLS servers"

Utimaco SecurityServer simulator


(Presumably under a non-free license; so, possibly can't be used in CI openly (?))


A software implementation of PKCS #​11.



~731K SLoC