Use Nitrokey HSM in Docker container

I would like to use a nitrokey hsm in a docker container. I use ubuntu20.04 on my host.
I tried the following Dockerfile as example:

FROM ubuntu
RUN apt update && apt install -y openssl libssl-dev opensc p11-kit pcsc-tools
CMD [ "bash" ]

Then I build the Image:

docker build -t test:latest ./

Run it:

docker run --rm --privileged -v /dev:/dev --cap-add=ALL -it test:latest

And then tried to use it in the container on the bash:

root@a337:/# pkcs15-tool -D
No smart card readers found.

root@a337:/# pkcs11-tool --module /usr/lib/x86_64-linux-gnu/ -l --pin abcd1234 --list-objects
No slots.

root@a337:/# service pcscd start
root@a337:/# pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...
(It does not find a reader, scans for ever)

root@a337:/# p11-kit list-modules
.... It does not list the hsm.

root@a337:/# dmesg | tail
[77730.802622] usb 2-2: new full-speed USB device number 9 using ohci-pci
[77731.119273] usb 2-2: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
[77731.119275] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[77731.119276] usb 2-2: Product: Nitrokey HSM
[77731.119277] usb 2-2: Manufacturer: Nitrokey
[77731.119278] usb 2-2: SerialNumber: xxxxx

And I can find the usb in /dev/bus/usb/002/009

If I try all the commands on my host, not in the container, all the commands work.

What do I miss or how do I get it running?




You need to stop the pcscd daemon on the host, because it locks the smart card. Otherwise looks good.

See below for comparison:

Some might be a bit outdated now, but worked at the time.

(files are from the links posted by @szszszsz)

I stoped pcscd as in the “” files:

systemctl stop pcscd pcscd.socket
gpgconf --kill all
killall pcscd scdaemon

Added this line to my Dockerfile:

RUN apt update && apt install -y pcscd

In the container I executed (as showen in the “”) :

root@a337:/# pcscd
root@a337:/# pkcs15-tool -D

And it worked!

Thanks a lot for your help @szszszsz !!

1 Like

You can also run pcscd on the host and only expose the domain socket with

docker ... --mount type=bind,source=/var/run/pcscd,target=/var/run/pcscd ...

In the image you leave out pcscd and have only libpcscd installed.