Use Nitrokey HSM in Docker container

hwiedemann · July 20, 2021, 2:14pm

Hello,
I would like to use a nitrokey hsm in a docker container. I use ubuntu20.04 on my host.
I tried the following Dockerfile as example:

FROM ubuntu
RUN apt update && apt install -y openssl libssl-dev opensc p11-kit pcsc-tools
CMD [ "bash" ]

Then I build the Image:

docker build -t test:latest ./

Run it:

docker run --rm --privileged -v /dev:/dev --cap-add=ALL -it test:latest

And then tried to use it in the container on the bash:

root@a337:/# pkcs15-tool -D
No smart card readers found.

root@a337:/# pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --pin abcd1234 --list-objects
No slots.

root@a337:/# service pcscd start
root@a337:/# pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...
(It does not find a reader, scans for ever)

root@a337:/# p11-kit list-modules
.... It does not list the hsm.

root@a337:/# dmesg | tail
[77730.802622] usb 2-2: new full-speed USB device number 9 using ohci-pci
[77731.119273] usb 2-2: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
[77731.119275] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[77731.119276] usb 2-2: Product: Nitrokey HSM
[77731.119277] usb 2-2: Manufacturer: Nitrokey
[77731.119278] usb 2-2: SerialNumber: xxxxx

And I can find the usb in /dev/bus/usb/002/009

If I try all the commands on my host, not in the container, all the commands work.

What do I miss or how do I get it running?

Thanks.

Heike

szszszsz · July 20, 2021, 2:38pm

Hi!

You need to stop the pcscd daemon on the host, because it locks the smart card. Otherwise looks good.

See below for comparison:

GitHub - Nitrokey/opensc-docker at externally-managed-src (updated branch)
GitHub - Nitrokey/opensc-docker: Run OpenSC via Docker (current)
GitHub - Nitrokey/gnupg-docker: Build and use specific GnuPG version using Ubuntu image within Docker's container
GitHub - cremuzzi/docker-opensc: Dockerized OpenSC with pkcs15-init, pkcs11-tool, pkcs15-tool and more. It also comes with libp11 for openssl

Some might be a bit outdated now, but worked at the time.

hwiedemann · July 20, 2021, 5:01pm

Hi,
(files are from the links posted by @szszszsz)

I stoped pcscd as in the “docker-run-command.sh” files:

systemctl stop pcscd pcscd.socket
gpgconf --kill all
killall pcscd scdaemon

Added this line to my Dockerfile:

RUN apt update && apt install -y pcscd

In the container I executed (as showen in the “start-within-container.sh”) :

root@a337:/# pcscd
root@a337:/# pkcs15-tool -D

And it worked!

Thanks a lot for your help @szszszsz !!

sc-hsm · July 21, 2021, 11:34am

You can also run pcscd on the host and only expose the domain socket with

docker ... --mount type=bind,source=/var/run/pcscd,target=/var/run/pcscd ...

In the image you leave out pcscd and have only libpcscd installed.

esumit · May 27, 2022, 2:18am

Installed the following on the docker image :

RUN apt-get install opensc-pkcs11
RUN apt update && apt install -y openssl libssl-dev opensc p11-kit pcsc-tools

but on running

pkcs11-tool -O

No slots.

pkcs15-tool -D

No smart card readers found.

@sc-hsm @saper How to use NitroKey HSM with Docker container ? (exact steps and some technical context would be helpful)

sc-hsm · May 27, 2022, 6:47am

Google is your friend:

esumit · May 30, 2022, 12:21am

Ahha Sorry I missed mentioning that already tried all the steps mentioned in : Use Nitrokey HSM in Docker container, but it didn’t work for me, let me get back to you with more details

saper · June 3, 2022, 4:44pm

@moderators can you merge this into Use Nitrokey HSM in Docker container ?

esumit · June 3, 2022, 9:58pm

Sure @saper , I am still not able to solve the issue, so to merge what action I have to do ?

saper · June 3, 2022, 10:13pm

This was meant for the moderators of this site.

daringer · June 4, 2022, 10:14pm

done