PKCS#11
What is PKCS#11?
A standard C API, also called Cryptoki, that lets applications use cryptographic tokens such as hardware security modules and smart cards without depending on a vendor-specific driver.
PKCS#11 (Public-Key Cryptography Standard #11), originally published by RSA Laboratories and now maintained by OASIS, defines a platform-independent C interface, Cryptoki, for accessing cryptographic tokens. The token exposes slots, sessions, and objects (keys, certificates, data), with operations such as C_Sign, C_Encrypt, C_WrapKey, and C_DeriveKey performed inside the device so private keys never leave it. PKCS#11 is the de facto standard for talking to HSMs, smart cards, and TPM-backed stores from TLS servers (OpenSSL via pkcs11-provider), PKI software, code-signing pipelines, and KMIP clients. The current version, PKCS#11 v3.1, adds modern algorithms such as Ed25519, EdDSA, and post-quantum primitives.
● Examples
- OpenSSL using a YubiHSM 2 through pkcs11-provider to sign a TLS certificate request.
- A code-signing CI job calling C_Sign on an AWS CloudHSM-backed key without ever exporting it.
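The session/object/C_Sign flow described above, as an added example that is not code from the page or from any vendor: it loads a Cryptoki module by path, finds a private key by label, checks that the key is marked sensitive and non-extractable (so the "key never leaves the device" property actually holds), and signs in-device. The module path, slot, PIN and key label are assumptions; the numeric constants are the PKCS#11 specification's values, and the APP_ERR_* codes are local.

```c
/* Added example, not the page's code: sign with a PKCS#11 private key after checking its
 * protection attributes. Assumes a Cryptoki module (e.g. SoftHSM2), a token in `slot`, its
 * user PIN and an EC private key labelled `label`. Build: cc p11sign.c -ldl */
#include <dlfcn.h>
#include <string.h>
typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
typedef struct { CK_ULONG mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
enum { CKR_OK = 0, CKF_SERIAL_SESSION = 4, CKU_USER = 1, CKO_PRIVATE_KEY = 3, CKA_CLASS = 0,
       CKA_LABEL = 3, CKA_SENSITIVE = 0x103, CKA_EXTRACTABLE = 0x162, CKM_ECDSA_SHA256 = 0x1044 };
#define APP_ERR_MODULE ((CK_RV)0x80000001UL) /* local, vendor range: module missing or incomplete */
#define APP_ERR_POLICY ((CK_RV)0x80000002UL) /* local, vendor range: key not sensitive or extractable */
#define FN(name, ...) /* resolve by name; strictly only C_GetFunctionList must be exported */ \
    CK_RV (*name)(__VA_ARGS__) = (CK_RV (*)(__VA_ARGS__))dlsym(lib, #name); missing += (name == NULL)

/* Signs `dlen` bytes of `data`; *siglen is sizeof(sig) on entry and the signature length on
 * success. Returns CKR_OK, the module's own CKR_* code, or an APP_ERR_* code. */
CK_RV p11_sign(const char *module, CK_SLOT_ID slot, const char *pin, const char *label,
               const unsigned char *data, CK_ULONG dlen, unsigned char *sig, CK_ULONG *siglen)
{
    void *lib = dlopen(module, RTLD_NOW); int missing = 0;
    if (!lib) return APP_ERR_MODULE;
    FN(C_Initialize, void *);
    FN(C_Finalize, void *);
    FN(C_OpenSession, CK_SLOT_ID, CK_ULONG, void *, void *, CK_SESSION_HANDLE *);
    FN(C_Login, CK_SESSION_HANDLE, CK_ULONG, unsigned char *, CK_ULONG);
    FN(C_FindObjectsInit, CK_SESSION_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
    FN(C_FindObjects, CK_SESSION_HANDLE, CK_OBJECT_HANDLE *, CK_ULONG, CK_ULONG *);
    FN(C_FindObjectsFinal, CK_SESSION_HANDLE);
    FN(C_GetAttributeValue, CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
    FN(C_SignInit, CK_SESSION_HANDLE, CK_MECHANISM *, CK_OBJECT_HANDLE);
    FN(C_Sign, CK_SESSION_HANDLE, unsigned char *, CK_ULONG, unsigned char *, CK_ULONG *);
    if (missing) { dlclose(lib); return APP_ERR_MODULE; }
    CK_SESSION_HANDLE s = 0; CK_OBJECT_HANDLE key = 0; CK_ULONG found = 0, cls = CKO_PRIVATE_KEY;
    unsigned char sensitive = 0, extractable = 1; /* CK_BBOOL values, pessimistic defaults */
    CK_ATTRIBUTE find[] = { {CKA_CLASS, &cls, sizeof cls}, {CKA_LABEL, (void *)label, strlen(label)} };
    CK_ATTRIBUTE policy[] = { {CKA_SENSITIVE, &sensitive, 1}, {CKA_EXTRACTABLE, &extractable, 1} };
    CK_MECHANISM mech = { CKM_ECDSA_SHA256, NULL, 0 }; /* token hashes and signs; key stays inside */
    CK_RV rv = C_Initialize(NULL);
    if (rv == CKR_OK) rv = C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL, &s);
    if (rv == CKR_OK) rv = C_Login(s, CKU_USER, (unsigned char *)pin, strlen(pin));
    if (rv == CKR_OK) rv = C_FindObjectsInit(s, find, 2);
    if (rv == CKR_OK) rv = C_FindObjects(s, &key, 1, &found);
    if (rv == CKR_OK) rv = C_FindObjectsFinal(s);
    /* Defender's check: refuse a key the token could hand back via C_GetAttributeValue or C_WrapKey. */
    if (rv == CKR_OK) rv = C_GetAttributeValue(s, key, policy, 2); /* no key found: handle 0 fails here */
    if (rv == CKR_OK && (!sensitive || extractable)) rv = APP_ERR_POLICY;
    if (rv == CKR_OK) rv = C_SignInit(s, &mech, key);
    if (rv == CKR_OK) rv = C_Sign(s, (unsigned char *)data, dlen, sig, siglen);
    C_Finalize(NULL); dlclose(lib); /* C_Finalize closes the session and drops the login */
    return rv;
}
```

With SoftHSM2 the slot id and key label come from `pkcs11-tool --list-slots` and `--list-objects`; on a real HSM the APP_ERR_POLICY path is the one to watch, since a key generated with CKA_EXTRACTABLE true defeats the point of using the token.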
● Frequently asked questions
What is PKCS#11?
A standard C API, also called Cryptoki, that lets applications use cryptographic tokens such as hardware security modules and smart cards without depending on a vendor-specific driver. It belongs to the Cryptography category of cybersecurity.
How do you secure a PKCS#11 deployment?
Securing keys held behind PKCS#11 combines technical controls with operational practices, as outlined in the full definition above.
What are other names for PKCS#11?
Common alternative names include: Cryptoki, PKCS11.
● Related terms
- Hardware Security Module (HSM): Tamper-resistant hardware appliance that generates, stores, and uses cryptographic keys without ever exposing the raw key material to the operating system.
- Trusted Platform Module (TPM): Standards-based security chip soldered to a mainboard or implemented in firmware that provides hardware-rooted key storage, attestation, and measured boot.
- Smart Card: A credit-card-sized device with an embedded secure microcontroller that stores credentials and performs cryptographic operations, defined by ISO/IEC 7816 for contact cards.
- Asymmetric Encryption: A cryptographic scheme that uses mathematically linked key pairs — a public key for encryption and a private key for decryption — to enable secure communication without prior secret sharing.