---
title: "PKCS#11 Supported Functions and Mechanisms"
slug: "pkcs11-supported-functions-and-mechanisms"
updated: 2026-04-09T10:31:24Z
published: 2026-05-26T05:18:34Z
---


# PKCS#11 Supported Functions and Mechanisms

## 1.0 Introduction

This article describes the functions and mechanisms supported by the PKCS#11 library.

## 2.0 Assumptions for PKCS11 library

The following are some assumptions for the PKCS#11 library:

- There are 32 slots in Fortanix HSM, and all have a token that is already initialized. `C_InitToken` should fail, and the token PIN cannot be changed. You must use the Fortanix-provided authorization key as the PIN.
  - Multiple slots are useful when dealing with multiple groups or endpoints: you can specify a separate configuration or PIN for each slot during `C_Login`. You can always use `C_Login` and `C_Logout` with a single slot, but multiple slots allow you to do the same concurrently.
- Nobody can log in as a Security Officer (SO). Fortanix returns `CKR_PIN_INCORRECT` when someone tries to log in as an SO.
- Session objects are deleted when the session is closed. If the session is terminated before it is closed, its session objects persist in the backend.
- All objects are created as private. Fortanix does not support the creation of public objects.
- Key handles are per-session and cannot be reused across sessions.
- If `C_Digest` is called before `C_Login`, the library uses the hashing functions from the OpenSSL library to compute the digest locally.

## 3.0 Supported Mechanisms

The following are the supported mechanisms for the PKCS#11 library:

- `CKM_AES_CBC`
- `CKM_AES_CBC_ENCRYPT_DATA`
- `CKM_AES_CBC_PAD`
- `CKM_AES_CFB128`
- `CKM_AES_CMAC`
- `CKM_AES_ECB`
- `CKM_AES_ECB_ENCRYPT_DATA`
- `CKM_AES_GCM`
- `CKM_AES_KEY_GEN`
- `CKM_AES_OFB`
- `CKM_DES2_KEY_GEN`
- `CKM_DES3_CBC`
- `CKM_DES3_CBC_ENCRYPT_DATA`
- `CKM_DES3_CBC_PAD`
- `CKM_DES3_ECB`
- `CKM_DES3_ECB_ENCRYPT_DATA`
- `CKM_DES3_KEY_GEN`
- `CKM_DES_CBC`
- `CKM_DES_CBC_ENCRYPT_DATA`
- `CKM_DES_CBC_PAD`
- `CKM_DES_CFB64`
- `CKM_DES_ECB`
- `CKM_DES_ECB_ENCRYPT_DATA`
- `CKM_DES_KEY_GEN`
- `CKM_DES_OFB64`
- `CKM_ECDH1_DERIVE`
- `CKM_ECDSA`
- `CKM_ECDSA_KEY_PAIR_GEN`
- `CKM_ECDSA_SHA224`
- `CKM_ECDSA_SHA256`
- `CKM_ECDSA_SHA384`
- `CKM_ECDSA_SHA512`
- `CKM_EC_EDWARDS_KEY_PAIR_GEN`
- `CKM_EDDSA`
- `CKM_GENERIC_SECRET_KEY_GEN`
- `CKM_RSA_PKCS`
- `CKM_RSA_PKCS_KEY_PAIR_GEN`
- `CKM_RSA_PKCS_OAEP`
- `CKM_RSA_PKCS_PSS`
- `CKM_RSA_X_509`
- `CKM_SHA_1`
- `CKM_SHA_1_HMAC`
- `CKM_SHA1_RSA_PKCS`
- `CKM_SHA1_RSA_PKCS_PSS`
- `CKM_SHA224`
- `CKM_SHA224_HMAC`
- `CKM_SHA224_RSA_PKCS`
- `CKM_SHA224_RSA_PKCS_PSS`
- `CKM_SHA256`
- `CKM_SHA256_HMAC`
- `CKM_SHA256_RSA_PKCS`
- `CKM_SHA256_RSA_PKCS_PSS`
- `CKM_SHA384`
- `CKM_SHA384_HMAC`
- `CKM_SHA384_RSA_PKCS`
- `CKM_SHA384_RSA_PKCS_PSS`
- `CKM_SHA512`
- `CKM_SHA512_HMAC`
- `CKM_SHA512_RSA_PKCS`
- `CKM_SHA512_RSA_PKCS_PSS`
- `CKM_RSA_X9_31_KEY_PAIR_GEN`

## 4.0 Exposed Functions

The following table describes the PKCS#11 functions and whether they are supported in a regular Fortanix Data Security Manager (DSM) group:

| FUNCTIONS | SUPPORT AGAINST REGULAR DSM GROUPS (non-external groups) |
| --- | --- |
| **General Purpose Functions:** `C_Finalize`, `C_Initialize`, `C_GetInfo`, `C_GetFunctionList` | All supported. |
| **Slot and Token Management Functions:** `C_GetSlotInfo`, `C_GetSlotList`, `C_GetTokenInfo`, `C_WaitForSlotEvent`, `C_GetMechanismInfo`, `C_GetMechanismList`, `C_InitPIN`, `C_InitToken`, `C_SetPIN` | `C_InitToken` always returns `CKR_PIN_INCORRECT` because the Fortanix PKCS#11 library assumes the token is always initialized. `C_InitPIN` always returns `CKR_USER_NOT_LOGGED_IN`. `C_SetPIN` returns `CKR_PIN_INVALID` for read-write sessions and `CKR_SESSION_READ_ONLY` for read-only sessions. For all three, refer to [*Assumptions for PKCS11 library*](/v1/docs/pkcs11-supported-functions-and-mechanisms#assumptions-for-pkcs11-library) above. `C_WaitForSlotEvent` is unsupported. |
| **Session Management Functions:** `C_GetOperationState`, `C_GetSessionInfo`, `C_Login`, `C_Logout`, `C_OpenSession`, `C_CloseAllSessions`, `C_CloseSession`, `C_SetOperationState` | All supported except `C_GetOperationState` and `C_SetOperationState`. |
| **Object Management Functions:** `C_CopyObject`, `C_CreateObject`, `C_DestroyObject`, `C_GetObjectSize`, `C_GetAttributeValue`, `C_SetAttributeValue`, `C_FindObjects`, `C_FindObjectsFinal`, `C_FindObjectsInit` | All supported except `C_CopyObject` and `C_GetObjectSize`. |
| **Encryption/Decryption Functions:** `C_Decrypt`, `C_DecryptFinal`, `C_DecryptInit`, `C_DecryptUpdate`, `C_Encrypt`, `C_EncryptFinal`, `C_EncryptInit`, `C_EncryptUpdate` | All supported. |
| **Message Digesting Functions:** `C_DigestFinal`, `C_DigestInit`, `C_DigestKey`, `C_DigestUpdate`, `C_Digest` | All supported except `C_DigestKey`. |
| **Sign and Verify Functions:** `C_SignFinal`, `C_SignInit`, `C_SignRecover`, `C_SignRecoverInit`, `C_SignUpdate`, `C_Sign`, `C_Verify`, `C_VerifyFinal`, `C_VerifyInit`, `C_VerifyRecover`, `C_VerifyRecoverInit`, `C_VerifyUpdate` | All supported except `C_SignRecover`, `C_SignRecoverInit`, `C_VerifyRecover` and `C_VerifyRecoverInit`. |
| **Dual Purpose Functions:** `C_DecryptDigestUpdate`, `C_DecryptVerifyUpdate`, `C_DigestEncryptUpdate`, `C_SignEncryptUpdate` | None supported. |
| **Key Management Functions:** `C_GenerateKey`, `C_GenerateKeyPair`, `C_UnwrapKey`, `C_WrapKey`, `C_DeriveKey` | All supported. |
| **RNG Functions:** `C_SeedRandom`, `C_GenerateRandom` | All supported. |
| **Parallel Function Management Functions:** `C_CancelFunction`, `C_GetFunctionStatus` | None supported. |

## 5.0 Functions Not Supported

The PKCS#11 library does not support the following functions:

- `C_AsyncComplete`
- `C_AsyncGetID`
- `C_AsyncJoin`
- `C_CancelFunction`
- `C_CopyObject`
- `C_DecapsulateKey`
- `C_DecryptDigestUpdate`
- `C_DecryptMessage`
- `C_DecryptMessageBegin`
- `C_DecryptMessageNext`
- `C_DecryptVerifyUpdate`
- `C_DigestEncryptUpdate`
- `C_DigestKey`
- `C_EncapsulateKey`
- `C_EncryptMessage`
- `C_EncryptMessageBegin`
- `C_EncryptMessageNext`
- `C_GetFunctionStatus`
- `C_GetInterface`
- `C_GetInterfaceList`
- `C_GetObjectSize`
- `C_GetOperationState`
- `C_GetSessionValidationFlags`
- `C_LoginUser`
- `C_MessageDecryptFinal`
- `C_MessageDecryptInit`
- `C_MessageEncryptFinal`
- `C_MessageEncryptInit`
- `C_MessageSignFinal`
- `C_MessageSignInit`
- `C_MessageVerifyFinal`
- `C_MessageVerifyInit`
- `C_SessionCancel`
- `C_SetOperationState`
- `C_SignEncryptUpdate`
- `C_SignMessage`
- `C_SignMessageBegin`
- `C_SignMessageNext`
- `C_SignRecover`
- `C_SignRecoverInit`
- `C_UnwrapKeyAuthenticated`
- `C_VerifyMessage`
- `C_VerifyMessageBegin`
- `C_VerifyMessageNext`
- `C_VerifyRecover`
- `C_VerifyRecoverInit`
- `C_VerifySignature`
- `C_VerifySignatureFinal`
- `C_VerifySignatureInit`
- `C_VerifySignatureUpdate`
- `C_WaitForSlotEvent`
- `C_WrapKeyAuthenticated`
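
The lists in sections 2.0, 4.0 and 5.0 can be turned into a pre-migration check that scans an application's C source for PKCS#11 calls that cannot succeed against this library. The script below is an added example, not Fortanix code; the function name `audit`, the sample source and its variable names are constructed for illustration.

```python
import re

# Section 5.0 of this page: functions the library does not support.
UNSUPPORTED = set("""
C_AsyncComplete C_AsyncGetID C_AsyncJoin C_CancelFunction C_CopyObject C_DecapsulateKey
C_DecryptDigestUpdate C_DecryptMessage C_DecryptMessageBegin C_DecryptMessageNext
C_DecryptVerifyUpdate C_DigestEncryptUpdate C_DigestKey C_EncapsulateKey C_EncryptMessage
C_EncryptMessageBegin C_EncryptMessageNext C_GetFunctionStatus C_GetInterface C_GetInterfaceList
C_GetObjectSize C_GetOperationState C_GetSessionValidationFlags C_LoginUser C_MessageDecryptFinal
C_MessageDecryptInit C_MessageEncryptFinal C_MessageEncryptInit C_MessageSignFinal
C_MessageSignInit C_MessageVerifyFinal C_MessageVerifyInit C_SessionCancel C_SetOperationState
C_SignEncryptUpdate C_SignMessage C_SignMessageBegin C_SignMessageNext C_SignRecover
C_SignRecoverInit C_UnwrapKeyAuthenticated C_VerifyMessage C_VerifyMessageBegin
C_VerifyMessageNext C_VerifyRecover C_VerifyRecoverInit C_VerifySignature C_VerifySignatureFinal
C_VerifySignatureInit C_VerifySignatureUpdate C_WaitForSlotEvent C_WrapKeyAuthenticated
""".split())
# Section 4.0: exported, but the return code is fixed. SO login (section 2.0) fails likewise.
FIXED_RV = {"C_InitToken": "CKR_PIN_INCORRECT", "C_InitPIN": "CKR_USER_NOT_LOGGED_IN",
            "C_SetPIN": "CKR_PIN_INVALID (R/W) or CKR_SESSION_READ_ONLY (R/O)",
            "CKU_SO": "CKR_PIN_INCORRECT from C_Login"}
TOKEN = re.compile(r"\b(C_[A-Z]\w+)\s*\(|\b(CKU_SO)\b")
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def audit(source):
    """Return sorted (line, symbol, finding) tuples for calls that cannot succeed."""
    # Blank out comments but keep newlines so reported line numbers stay correct.
    code = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    findings = []
    for m in TOKEN.finditer(code):
        name = m.group(1) or m.group(2)
        line = code.count("\n", 0, m.start()) + 1
        if name in UNSUPPORTED:
            findings.append((line, name, "not supported"))
        elif name in FIXED_RV:
            findings.append((line, name, "always fails: " + FIXED_RV[name]))
    return sorted(findings)

# Constructed sample of application code (hypothetical variable names).
SAMPLE = """\
rv = p11->C_OpenSession(slot, CKF_SERIAL_SESSION | CKF_RW_SESSION, NULL, NULL, &s);
rv = p11->C_Login(s, CKU_SO, so_pin, so_len);
rv = p11->C_InitPIN(s, pin, pin_len);
/* rv = p11->C_CopyObject(s, key, tmpl, 1, &copy); */
rv = p11->C_GetObjectSize(s, key, &size);
rv = p11->C_Sign(s, data, data_len, sig, &sig_len);
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The scan is textual, so calls made through macros or wrapper functions still need a manual review.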

## 6.0 Supported Attributes

The following are the supported attributes for the PKCS#11 library:

- `CKA_ID`
- `CKA_LABEL`
- `CKA_CLASS`
- `CKA_TOKEN`
- `CKA_VALUE`
- `CKA_VALUE_LEN`
- `CKA_PRIVATE`
- `CKA_EXTRACTABLE`
- `CKA_NEVER_EXTRACTABLE`
- `CKA_SENSITIVE`
- `CKA_ALWAYS_SENSITIVE`
- `CKA_KEY_TYPE`
- `CKA_MODULUS`
- `CKA_MODULUS_BITS`
- `CKA_PUBLIC_EXPONENT`
- `CKA_EC_PARAMS`
- `CKA_EC_POINT`
- `CKA_ISSUER`
- `CKA_SERIAL_NUMBER`
- `CKA_SUBJECT`
- `CKA_ALWAYS_AUTHENTICATE`
- `CKA_CERTIFICATE_TYPE`
- `CKA_ENCRYPT`
- `CKA_DECRYPT`
- `CKA_SIGN`
- `CKA_VERIFY`
- `CKA_DERIVE`
- `CKA_WRAP`
- `CKA_UNWRAP`
- `CKA_MODIFIABLE`
- `CKA_DESTROYABLE`
- `CKA_APPLICATION`
- `CKA_START_DATE`
- `CKA_END_DATE`
- `CKA_LOCAL`
- `CKA_KEY_GEN_MECHANISM`
- `CKA_OBJECT_ID`
- `CKA_PUBLIC_KEY_INFO`

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [PKCS#11 Library](/clients-pkcs11-library.md)
- [Account Client Configurations](/users-guide-account-client-configurations.md)
- [Algorithm Support - Strict FIPS Mode](/algorithm-support-strict-fips-mode.md)
- [Fortanix DSM with Keyfactor EJBCA (Primekey)](/using-fortanix-data-security-manager-with-keyfactor-ejbca-primekey.md)
