Use Nitrokey HSM in Docker container

Nitrokeys
1

Hello,
I would like to use a nitrokey hsm in a docker container. I use ubuntu20.04 on my host.
I tried the following Dockerfile as example:

FROM ubuntu
RUN apt update && apt install -y openssl libssl-dev opensc p11-kit pcsc-tools
CMD [ "bash" ]

Then I build the Image:

docker build -t test:latest ./

Run it:

docker run --rm --privileged -v /dev:/dev --cap-add=ALL -it test:latest

And then tried to use it in the container on the bash:

root@a337:/# pkcs15-tool -D
No smart card readers found.

root@a337:/# pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --pin abcd1234 --list-objects
No slots.

root@a337:/# service pcscd start
root@a337:/# pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...
(It does not find a reader, scans for ever)

root@a337:/# p11-kit list-modules
.... It does not list the hsm.

root@a337:/# dmesg | tail
[77730.802622] usb 2-2: new full-speed USB device number 9 using ohci-pci
[77731.119273] usb 2-2: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
[77731.119275] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[77731.119276] usb 2-2: Product: Nitrokey HSM
[77731.119277] usb 2-2: Manufacturer: Nitrokey
[77731.119278] usb 2-2: SerialNumber: xxxxx

And I can find the usb in /dev/bus/usb/002/009

If I try all the commands on my host, not in the container, all the commands work.

What do I miss or how do I get it running?

Thanks.

Heike

2

Hi!

You need to stop the pcscd daemon on the host, because it locks the smart card. Otherwise looks good.

See below for comparison:

Some might be a bit outdated now, but worked at the time.

3

Hi,
(files are from the links posted by @szszszsz)

I stoped pcscd as in the “docker-run-command.sh” files:

systemctl stop pcscd pcscd.socket
gpgconf --kill all
killall pcscd scdaemon

Added this line to my Dockerfile:

RUN apt update && apt install -y pcscd

In the container I executed (as showen in the “start-within-container.sh”) :

root@a337:/# pcscd
root@a337:/# pkcs15-tool -D

And it worked!

Thanks a lot for your help @szszszsz !!

1 Like
4

You can also run pcscd on the host and only expose the domain socket with

docker ... --mount type=bind,source=/var/run/pcscd,target=/var/run/pcscd ...

In the image you leave out pcscd and have only libpcscd installed.

4 Likes
5

Installed the following on the docker image :

RUN apt-get install opensc-pkcs11
RUN apt update && apt install -y openssl libssl-dev opensc p11-kit pcsc-tools

but on running

pkcs11-tool -O

No slots.

pkcs15-tool -D

No smart card readers found.

@sc-hsm @saper How to use NitroKey HSM with Docker container ? (exact steps and some technical context would be helpful)

6

Google is your friend:

7

Ahha Sorry I missed mentioning that already tried all the steps mentioned in : Use Nitrokey HSM in Docker container, but it didn’t work for me, let me get back to you with more details

8

@moderators can you merge this into Use Nitrokey HSM in Docker container ?

9

Sure @saper , I am still not able to solve the issue, so to merge what action I have to do ?

10

This was meant for the moderators of this site.

11

done :+1:

1 Like
12

This is an elegant alternative which avoids your container from having full control of your host by design.

If you would however still have need to expose your USB HSM individually to a container (e.g. for more granular pkcs11 forwarding of an individual HSM), you should replace the docker run [...] --privileged -v /dev:/dev --cap-add=ALL [...] with a less permissive docker run [...] -v /dev/bus/usb/002/009:/dev/bus/usb/002/009 -v /run/udev:/run/udev:ro --device-cgroup-rule="c 189:* rmw" [...] instead. Preferably even in a 1 HSM → 1 hardened container → 1 hardened VM setup.

I have found that pcscd in a container can rely on the host udev in read-only mode, with –device-cgroup-rule permiting all available read,write,mknod actions for the HSM as character device (mayor TTY) group 189:* (ls -l /dev/ttyS*)

1 Like