# p11p -- PKCS #11 proxy performing failover and load balancing

p11p is a shared library and a daemon, both running on the same host as a Cryptoki application. Together they intercept the communication with a cryptographic device (typically an HSM) in order to handle errors and balance load between devices.

ASCII art time!

```
+---------------------------------------------------+
| PC/server/laptop                                  |
|                                                   |
| +----------------------------+                    |
| | application (process)      |  +---------------+ |
| |                            |  | p11pd         | |
| | +------------------------+ |  |               | |
| | | p11p-client.so (solib) |--->| +-----------+ | |
| | +------------------------+ |  | | vendor.so | | |
| +----------------------------+  | +-----------+ | |
|                                 +------|--------+ |
+----------------------------------------|----------+
                                         v
                                      +-----+
                                      | HSM |
                                      +-----+
```

## Goals

* Detect when a Cryptoki library operation fails and retry the operation, possibly on another cryptographic device.
* Provide failover and load balancing between cryptographic devices.
* Put some ground between a Cryptoki application and a Cryptoki library.

## Non-goals

* Take control over the TCP session between a Cryptoki application and a cryptographic device. Could be accomplished by providing proxying / forwarding of PKCS #11 sessions to a system with access to a PKCS #11 aware cryptographic device.

## Functionality

## Inspiration

- [p11-kit](https://github.com/p11-glue/p11-kit/)

## Specification

### PKCS #11

#### Supported mechanisms

TBD

## Use cases

- Migrating from one kind of HSM to another kind of HSM.

## NOTES

- `apt install p11-kit libp11-dev`

## External dependencies

TBD

## External documentation

- [OASIS PKCS 11 TC](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11)
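
The retry, failover and load-balancing behaviour listed under Goals, sketched as an added example; this is not p11p's own code. The `backend`, `result`, `dispatch`, `demo` and `fixed_rv` names are hypothetical, the set of `CK_RV` codes that trigger failover is an assumption, and each call is treated as stateless (per-device session, login and object-handle state is not modelled).

```c
#include <stdio.h>

/* CK_RV values as defined by the PKCS #11 specification. */
typedef unsigned long CK_RV;
#define CKR_OK                0x00UL
#define CKR_DEVICE_ERROR      0x30UL
#define CKR_DEVICE_REMOVED    0x32UL
#define CKR_PIN_INCORRECT     0xA0UL
#define CKR_TOKEN_NOT_PRESENT 0xE0UL

/* Hypothetical backend: one vendor library / HSM behind the proxy. */
struct backend { CK_RV (*op)(void *ctx); void *ctx; };
struct result { CK_RV rv; size_t served_by; int attempts; };

/* Assumption: only device-side faults justify moving to another HSM.
 * Caller errors (e.g. a wrong PIN) are returned as-is: replaying them
 * on every device would consume login attempts on each token. */
static int is_failover_error(CK_RV rv) {
    return rv == CKR_DEVICE_ERROR || rv == CKR_DEVICE_REMOVED ||
           rv == CKR_TOKEN_NOT_PRESENT;
}

/* *next rotates the first-choice backend (load balancing); a device
 * fault moves the call on, trying each backend at most once. n >= 1. */
static struct result dispatch(struct backend *b, size_t n, size_t *next) {
    struct result r = { CKR_DEVICE_ERROR, 0, 0 };
    size_t start = *next % n;
    *next = (start + 1) % n;
    for (size_t i = 0; i < n; i++) {
        r.served_by = (start + i) % n;
        r.attempts++;
        r.rv = b[r.served_by].op(b[r.served_by].ctx);
        if (!is_failover_error(r.rv)) break;
    }
    return r;
}

/* Constructed stand-in for a vendor call: returns the CK_RV in ctx. */
static CK_RV fixed_rv(void *ctx) { return *(CK_RV *)ctx; }
/* Two constructed backends answering rv_a and rv_b; first choice is 0. */
static struct result demo(CK_RV rv_a, CK_RV rv_b) {
    struct backend b[2] = { { fixed_rv, &rv_a }, { fixed_rv, &rv_b } };
    size_t next = 0;
    return dispatch(b, 2, &next);
}

int main(void) {
    struct result r = demo(CKR_DEVICE_REMOVED, CKR_OK);
    printf("rv=0x%lx served_by=%zu attempts=%d\n", r.rv, r.served_by, r.attempts);
}
```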