This page covers the instructions to use Qrypt’s quantum entropy to seed PKCS#11 HSMs (Hardware Security Modules).
This service requires an access token. Follow the steps in Getting Started to obtain an access token.
Many of the available HSMs use non-quantum entropy sources. Fortunately, the PKCS#11 Cryptoki interface provides a C_SeedRandom function to inject entropy into a PKCS#11 compliant HSM. Developers can inject Qrypt’s quantum entropy into the HSM using the C_SeedRandom function. As a result, HSM keys can be pseudorandomly generated from quantum entropy.
There are three components to the architecture diagram above.
A REST API can be called for entropy download. More information about the REST API can be found in the Submit a request for entropy section under ‘Quantum Entropy’. You will need a library that can perform HTTPS requests.
C++ sample code using libcurl is provided in the Quickstart. We recommend using environment variables to pass the Qrypt Token into the application.
Requests to the entropy API can only be made in units of KiB. As a result, part of each downloaded unit may go unused if a seed needs fewer bytes. Developers can implement their own buffer management locally to make fuller use of the downloaded entropy.
Sample code in C++ is shown below.
#include <stdexcept>
#include <string>
#include "pkcs11.h"   // Cryptoki header providing the CK_* types and C_SeedRandom

// Inject seed bytes into the HSM's random number generator through the Cryptoki interface.
// The length is passed explicitly: sizeof() on a CK_BYTE_PTR would only give the pointer size,
// not the number of seed bytes.
void set_seed_random(CK_SESSION_HANDLE session, CK_BYTE_PTR seed_random, CK_ULONG seed_len) {
    // Call Cryptoki interface to seed random
    CK_RV rv = C_SeedRandom(session, seed_random, seed_len);
    if (rv != CKR_OK) {
        std::string error_msg = "C_SeedRandom error: " + std::to_string(rv) + "\n";
        throw std::runtime_error(error_msg);
    }
}
More information about the PKCS#11 Cryptoki interface can be found in the OASIS PKCS #11 Specification.
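As an added example (not Qrypt's own code), here is a small local buffer manager that downloads entropy in whole KiB units, as the API requires, and hands out arbitrary byte counts so that leftover bytes are reused for later seeds instead of being discarded. The REST download and the C_SeedRandom call are replaced by callbacks (assumptions) so the example runs offline; the names EntropyBuffer, FetchKiB, SeedFn and seed_hsm are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <deque>
#include <functional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Fetches `kib` KiB of entropy; the real version performs the HTTPS request to the
// Qrypt REST API with the access token. Here it is a constructed stub (assumption).
using FetchKiB = std::function<std::vector<uint8_t>(std::size_t kib)>;
// Stand-in for the Cryptoki C_SeedRandom call (assumption): returns 0 (CKR_OK) on success.
using SeedFn = std::function<unsigned long(const uint8_t* seed, std::size_t len)>;
constexpr std::size_t KIB = 1024;

// Local buffer that downloads in whole KiB units but hands out arbitrary byte
// counts, so the remainder of each unit is kept for the next request.
class EntropyBuffer {
public:
    explicit EntropyBuffer(FetchKiB fetch) : fetch_(std::move(fetch)) {}
    // Return n bytes, downloading only the KiB needed to cover the shortfall.
    std::vector<uint8_t> take(std::size_t n) {
        if (buf_.size() < n) {
            std::size_t kib = (n - buf_.size() + KIB - 1) / KIB;  // round up to KiB
            std::vector<uint8_t> chunk = fetch_(kib);
            if (chunk.size() != kib * KIB) throw std::runtime_error("short entropy response");
            buf_.insert(buf_.end(), chunk.begin(), chunk.end());
            downloaded_ += chunk.size();
        }
        std::vector<uint8_t> out(buf_.begin(), buf_.begin() + n);
        buf_.erase(buf_.begin(), buf_.begin() + n);
        consumed_ += n;
        return out;
    }
    std::size_t downloaded() const { return downloaded_; }
    std::size_t consumed() const { return consumed_; }
private:
    FetchKiB fetch_;
    std::deque<uint8_t> buf_;
    std::size_t downloaded_ = 0, consumed_ = 0;
};

// Seed the HSM with seed_len bytes drawn from the buffer; the length is passed
// explicitly rather than taken from sizeof() on a pointer.
void seed_hsm(EntropyBuffer& buf, SeedFn seed, std::size_t seed_len) {
    std::vector<uint8_t> seed_bytes = buf.take(seed_len);
    unsigned long rv = seed(seed_bytes.data(), seed_bytes.size());
    if (rv != 0) throw std::runtime_error("C_SeedRandom error: " + std::to_string(rv));
}
```

The downloaded() and consumed() counters make the utilization visible: two seeds of 100 and 1000 bytes cost 2 KiB of downloads with a local buffer, where naive per-seed requests would also cost 2 KiB but leave nothing reusable for the next seed.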