---
title: "Fortanix DSM for Kernel Module Signing"
slug: "using-fortanix-data-security-manager-for-kernel-module-signing-module-guide"
updated: 2026-04-17T17:13:22Z
published: 2026-04-17T17:13:22Z
---

# Fortanix DSM for Kernel Module Signing

## 1.0 Introduction

This article provides step-by-step instructions for signing Linux kernel module files using the `sign-file` utility, Fortanix Data Security Manager (DSM), and the Fortanix PKCS#11 (Public-Key Cryptography Standards #11) client.

When using an external Key Management Service (KMS) such as Fortanix DSM, the `sign-file` utility offers two alternatives:

- Pass a PKCS#11 URI so that the signing request is sent to the remote key. This option may not be available with older Linux kernel versions.
- Retrieve the signature from the remote key, save it to a file, and supply that file to the `sign-file` utility, which appends it to the module.

This document covers the following:

- Configuring Fortanix DSM
- Setting up the PKCS#11 client in the signing server
- Creating kernel signing public certificates
- Signing kernel modules using the Fortanix DSM key
- Troubleshooting tips

## 2.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 2.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at `<Your_DSM_Service_URL>`, for example [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and SaaS customers can use the URLs listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up Fortanix DSM, refer to the [User's Guide: Sign Up for Fortanix Data Security Manager SaaS](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas).*

### 2.2 Creating an Account

Access `<Your_DSM_Service_URL>` in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the [User's Guide: Getting Started with Fortanix Data Security Manager - UI](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui).*

### 2.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(9).png)

**Figure 2: Add groups**

2. On the **Adding new group** page:
  1. **Title**: Enter a name for your group.
  2. **Description** (optional): Enter a short description of the group.
3. Click **SAVE** to create the new group.

The new group is added to the Fortanix DSM successfully.

### 2.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(9).png)

**Figure 3: Add application**

2. On the **Adding new app** page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION** (optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key** as the authentication method from the drop-down menu. *For more information on these authentication methods, refer to the [User's Guide: Authentication](https://support.fortanix.com/docs/users-guide-authentication).*
  4. **Assigning the new app to groups**: Select the group created in [*Section 2.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#23-creating-a-group) from the list.
3. Click **SAVE** to add the new application.

The new application is added to the Fortanix DSM successfully.

### 2.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click the app created in [*Section 2.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#24-creating-an-application) to go to the detailed view of the app.
2. On the **INFO** tab, click **VIEW API KEY DETAILS**.
3. From the **API Key Details** dialog box, copy the **API Key** of the app to use it later.

### 2.6 Creating a Security Object

Perform the following steps to generate an RSA key in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Security Objects** menu item, and then click **ADD SECURITY OBJECT** to create a new security object.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-SO(6).png)

**Figure 4: Adding security object**

2. On the **Add new Security Object** page:
  1. **Security Object Name**: Enter a name for your security object.
  2. **Group**: Select the group created in [*Section 2.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#23-creating-a-group).
  3. Select **GENERATE**.
  4. In the **Choose a type** section, select the **RSA** key type.
  5. In the **Key Size** section, select the size of the key in bits.
  6. In the **Exponent** section, select the RSA public exponent from the drop-down menu.
  7. In the **Key operations permitted** section, select the operations that may be performed with the key. The key needs at least the **Sign**, **Verify**, and **App Manageable** permissions.
  8. Ensure that the **PKCS1v15** signature option is selected for **Encryption** in the **Padding Policy** column; `sign-file` expects PKCS#1 v1.5 signatures.
3. Click **GENERATE** to create the new security object.

The new security object is added to the Fortanix DSM successfully.

## 3.0 Set Up Fortanix PKCS#11 Client

This section illustrates the procedures for configuring the Fortanix PKCS#11 client on the signing server.

### 3.1 Downloading the Fortanix PKCS#11 Client

Download the latest `.so` file for the [*PKCS#11 client*](https://fortanix.zendesk.com/hc/en-us/sections/4408769080724-PKCS-11) and copy it to the signing server.

### 3.2 Integrating the Fortanix PKCS#11 Client

Perform the following steps for integrating the Fortanix PKCS#11 client with the signing server:

1. Install the OpenSSL PKCS#11 engine:
  1. For Debian-based Linux distributions (including Ubuntu), run the following command:

```bash
sudo apt install libengine-pkcs11-openssl
```
  2. For CentOS, RHEL, or Fedora (with EPEL repository available), run the following command:

```bash
yum install engine_pkcs11
```
  3. Run the following command to verify if the PKCS#11 engine is installed:

```bash
adminguy@ubuntu:~$ openssl engine pkcs11
(pkcs11) pkcs11 engine
```
2. Create an OpenSSL configuration file, such as `openssl.conf`, with the following content:

```ini
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
# empty.
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
PIN = file://</path/to/pkcs11.conf file>
engine_id = pkcs11
dynamic_path = </path/to/pkcs11 engine>
MODULE_PATH = </path/to/fortanix pkcs11 file>
init = 0
```

Here,

- `PIN`: Specifies the path of the `pkcs11.conf` file. For example, `PIN = file:///etc/fortanix/pkcs11.conf`. *For more information on creating the `pkcs11.conf` file, refer to [Section 3.3.1: API Key-Based Authentication](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#331-api-key-based-authentication).*
- `dynamic_path`: Specifies the file location of the PKCS#11 engine library that OpenSSL should load. This is a shared object that implements the OpenSSL engine interface on top of PKCS#11. For example, `dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so`.
- `MODULE_PATH`: Sets the module path for the Fortanix PKCS#11 module. This points to the library that provides the cryptographic functionality. For example, `MODULE_PATH = /usr/local/lib/fortanix/fortanix_pkcs11_4.36.2530.so`.

### 3.3 Creating the PKCS#11 Configuration File

You can create and configure the PKCS#11 file for the PKCS#11 client using any of the following authentication methods:

- API Key
- Certificate

#### 3.3.1 API Key-Based Authentication

Perform the following steps:

1. Create `/etc/fortanix` directory.
2. Run the following command in `/etc/fortanix` directory to create the configuration file with the parameters listed below:

```bash
vi pkcs11.conf
```

```toml
api_endpoint = "<ENDPOINT URL>"
api_key= "<API_KEY>"

[log]
file = "</path/to/log/file>"
level = "info"
```

Here,
  - `api_key`: The API key used for authentication. Use the value copied in [*Section 2.5: Copying the API Key*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#25-copying-the-api-key).
  - `api_endpoint`: The endpoint URL to which the PKCS#11 client connects. The default endpoint is [https://apps.smartkey.io](https://apps.smartkey.io), but it can be customized by specifying a different URL. *For more information on the different Fortanix DSM endpoint URLs, refer to the [Fortanix DSM SaaS Global Availability Map](https://support.fortanix.com/docs/fortanix-dsm-saas-global-availability-map).*
  - `[log]`: *For more information, refer to [PKCS#11 Library: Logging](https://support.fortanix.com/docs/clients-pkcs11-library#52-logging).*

#### 3.3.2 Certificate Based Authentication

> [!NOTE]
> - If you have already completed API key-based authentication, certificate-based authentication is not required.
> - If you want to use certificate-based authentication, ensure that you follow the steps in [*Section 3.3.1: API Key-Based Authentication*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#331-api-key-based-authentication) before proceeding.

1. Perform the following steps to create a self-signed certificate with a key in Fortanix DSM:
  1. Run the following command to set the Fortanix DSM App UUID:

```bash
export FORTANIX_APP_UUID=<Fortanix DSM App UUID>
```

Where `<Fortanix DSM App UUID>` is the UUID of the Fortanix DSM app created in [*Section 2.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#24-creating-an-application).
  2. Run the following command to set the location of the OpenSSL configuration file:

```bash
export OPENSSL_CONF=/location/of/openssl/conf/file
```
  3. Run the following command to generate a self-signed certificate with key:

```bash
openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.crt -subj "/C=US/ST=California/L=Mountain View/O=Fortanix, Inc./OU=SE/CN=$FORTANIX_APP_UUID"
```
2. Run the following OpenSSL command to convert the private key file to PKCS#8 `.pem` format:

```bash
openssl pkcs8 -topk8 -in private.key -out private.pem -nocrypt
```

This command will take the input private key file (`private.key`), convert it to PKCS#8 format, and save the result in the output file (`private.pem`). The `-nocrypt` option ensures that the conversion process does not encrypt the private key with a passphrase.
3. Upload the client certificate created in *Step 1* to the Fortanix DSM app created in [*Section 2.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#24-creating-an-application):
  1. Go to the detailed view of the Fortanix DSM app and click **Change authentication method**.
  2. Select the **Certificate** option to change the authentication method to **Certificate**.
  3. Click **SAVE**.
  4. On the **Add certificate** dialog box, click **UPLOAD NEW CERTIFICATE** to upload the certificate file, or paste the content of the certificate generated in *Step 1*.
  5. Select both check boxes to confirm that you understand the consequences of the action.
  6. Click **UPDATE** to save the changes.
4. Update the PKCS#11 configuration file (`pkcs11.conf`) using the following command and the details provided:

```bash
vi pkcs11.conf
```

```toml
api_endpoint = "<ENDPOINT URL>"
cert_file = "</path/to/cert.pem>" # X.509 PEM client certificate
key_file = "</path/to/key.pem>" # PKCS#8 PEM client private key
app_id = "<APP_UUID>"

[log]
file = "</path/to/log/file>"
level = "info"
```

Where `app_id` is the UUID of the Fortanix DSM app created in [*Section 2.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#24-creating-an-application). *For more information on `cert_file` and `key_file`, refer to [PKCS#11: Configuration File Format](https://support.fortanix.com/docs/clients-pkcs11-library#511-configuration-file-format).*

## 4.0 Create the Fortanix Kernel Signing Public Certificate

Run the following commands to generate the kernel signing public certificate using the PKCS#11 URI from the key located in Fortanix:

```bash
export FORTANIX_PKCS11_NUM_SLOTS=1
export OPENSSL_CONF=/location/of/openssl/conf/file
openssl req -new -x509 -days 365 -sha256 -engine pkcs11 -keyform engine -key pkcs11:object=KernelSigningRSA -outform der -out Kernelsigningcert.der -subj "/CN=test.example.com"
```

Where `KernelSigningRSA` is the name of the key created in [*Section 2.6: Creating a Security Object*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#26-creating-a-security-object).

> [!NOTE]
> - You can modify the subject parameter according to your specific requirements.
> - This guide uses self-signed certificates, but CA-signed certificates can be used as well.

Alternatively, run the following command if PKCS#11 URI is not supported in your OpenSSL version:

```bash
openssl req -engine pkcs11 -keyform engine -new -key 1:<ID> -nodes -days 365 -x509 -sha256 -out test.pem -subj "/CN=test.example.com"
```

Where `<ID>` is the UUID of the Fortanix DSM key created in [*Section 2.6: Creating a Security Object*](/v1/docs/using-fortanix-data-security-manager-for-kernel-module-signing-module-guide#26-creating-a-security-object).

## 5.0 Sign the Fortanix Kernel Modules

### 5.1 Signing Using PKCS#11 URI

Perform the following steps only if signing the kernel modules using the PKCS#11 URI.

Run the following command to invoke the sign-file utility for signing:

```bash
./sign-file sha256 <pkcs11 uri for key> <public certificate> <module file for signing> <destination of signed file>
```

Where,

- `<pkcs11 uri for key>`: The PKCS#11 URI for the Fortanix DSM key.
- `<public certificate>`: The public certificate used for signing.
- `<module file for signing>`: The kernel module file that you want to sign.
- `<destination of signed file>`: The location where the signed module file will be saved.

For example,

```bash
./sign-file sha256 pkcs11:object=KernelSigningRSA?pin-value=file:///etc/fortanix/pkcs11.conf /etc/fortanix/Kernelsigningcert.der /etc/fortanix/mfe_aac_100713218.ko /etc/fortanix/mfe_aac_100713218_signed.ko
```
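Whichever signing method you use, the result is the original module with a signature trailer appended by `sign-file`. The following POSIX shell script is an added example (it is not part of this guide or of the `sign-file` tool) that checks a signed `.ko` for that trailer and decodes it, mirroring the structural checks the kernel's `mod_check_sig()` applies before it attempts PKCS#7 verification. The trailer layout and the `PKEY_ID_PKCS7` value come from the kernel's `include/linux/module_signature.h`; the function names are this example's own, and the self-test at the bottom runs on a constructed fake file (five stand-in bytes, not a real signature), so it needs no DSM access.

```shell
#!/bin/sh
# Added example, not from the Fortanix guide: confirm that sign-file really
# appended a signature to a module, and decode the trailer it left behind.
# Works on the output of either signing method (PKCS#11 URI or -s <raw sig>).
#
# Trailer layout (kernel include/linux/module_signature.h), at the END of the file:
#   <signature bytes, sig_len of them>
#   struct module_signature, 12 bytes:
#     algo(1) hash(1) id_type(1) signer_len(1) key_id_len(1) pad(3) sig_len(4, big-endian)
#   "~Module signature appended~\n", 28 bytes
# sign-file writes a PKCS#7 signature, so id_type is PKEY_ID_PKCS7 (2), and the
# kernel's mod_check_sig() rejects non-zero algo/hash/signer_len/key_id_len.

MAGIC='~Module signature appended~'

# True if the file ends with the 28-byte magic (command substitution drops the
# trailing newline, so compare against the 27 printable characters).
has_signature_trailer() {
    [ "$(tail -c 28 "$1")" = "$MAGIC" ]
}

# Print "id_type signer_len key_id_len sig_len" decoded from the 12-byte struct.
module_signature_info() {
    set -- $(tail -c 40 "$1" | od -An -tu1 -N 12)
    echo "$3 $4 $5 $(( $9 * 16777216 + ${10} * 65536 + ${11} * 256 + ${12} ))"
}

# Exit 0 and print a summary when the trailer is present and self-consistent,
# exit 1 with a reason otherwise. This checks structure only: whether the
# PKCS#7 signature verifies is decided by the kernel at module load time.
check_module_signature() {
    f=$1
    has_signature_trailer "$f" || { echo "$f: no signature trailer" >&2; return 1; }
    set -- $(module_signature_info "$f")
    [ "$1" -eq 2 ] || { echo "$f: id_type $1 is not PKCS#7" >&2; return 1; }
    [ "$2" -eq 0 ] && [ "$3" -eq 0 ] || { echo "$f: PKCS#7 trailer must carry zero signer/key-id lengths" >&2; return 1; }
    total=$(( $(wc -c < "$f") ))
    [ "$4" -gt 0 ] && [ $(( $4 + 40 )) -le "$total" ] || { echo "$f: sig_len $4 does not fit in a $total-byte file" >&2; return 1; }
    echo "$f: PKCS#7 signature present, $4 signature bytes over a $(( total - $4 - 40 ))-byte module"
}

# Build a CONSTRUCTED fake signed module for a self-test: a text payload, five
# stand-in "signature" bytes (not a real PKCS#7 blob), the 12-byte struct with
# id_type=2 and sig_len=5, and the magic. printf octal escapes are POSIX.
make_sample_signed_module() {
    printf 'fake module payload\n' > "$1"
    printf 'SIG42' >> "$1"
    printf '\000\000\002\000\000\000\000\000\000\000\000\005' >> "$1"
    printf '~Module signature appended~\n' >> "$1"
}

sample=${TMPDIR:-/tmp}/sample_signed.$$.ko
make_sample_signed_module "$sample"
check_module_signature "$sample"
rm -f "$sample"
```

Run `check_module_signature /etc/fortanix/mfe_aac_100713218_signed.ko` on the file produced above; a passing check only proves the trailer is well-formed, so it is useful as a quick sanity step in a build pipeline (an unsigned module, or one truncated during copying, fails immediately), while the signature itself is verified by the kernel against its trusted keyring when the module is loaded.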

### 5.2 Signing Using Signature File

Perform the following steps only if signing the kernel modules using a signature file:

> [!NOTE]
> Ensure that `jq` is installed on the system.

1. Run the following command to obtain the signature from Fortanix using a sample script:

```bash
#!/bin/bash
set -euo pipefail

# SHA-256 digest of the module as raw bytes, base64-encoded: DSM signs the
# digest itself, not its hex representation.
hashbase64=$(sha256sum hello.ko | awk '{printf $1}' | xxd -r -p | base64)

# Sign request body; jq fills in the hash so no manual quoting is needed.
json='{
  "hash_alg": "sha256",
  "hash": "",
  "mode": {
    "PKCS1_V15": {}
  },
  "deterministic_signature": true
}'
json=$(jq --arg value "$hashbase64" '.hash = $value' <<< "$json")
echo "$json"

# Ask Fortanix DSM to sign the digest; the response carries the signature base64-encoded.
signature=$(curl -sS --fail --location --request POST 'https://<URL>/crypto/v1/keys/<key UUID>/sign' \
  --header 'Authorization: Basic <API Key>' \
  --header 'Content-Type: application/json' \
  --data "$json" | jq -r '.signature')

# sign-file -s expects the raw signature bytes, so decode before writing the file.
echo -n "$signature" | base64 -d > signature.raw
```

Where,
  - `hello.ko`: The `.ko` file for which you want to obtain the signature.
  - `<URL>`: The Fortanix DSM endpoint used for signature retrieval.
  - `<key UUID>`: The unique identifier assigned to your Fortanix DSM key.
  - `<API Key>`: The API key used for authorization in the curl request.
2. Run the following command to sign:

```bash
export FORTANIX_PKCS11_NUM_SLOTS=1
./sign-file -s <signature file> sha256 <public certificate> <module file for signing> <destination of signed file>
```

Where,

- `<signature file>`: The raw signature file obtained in *Step 1*.
- `sha256`: The hash algorithm used when the signature was requested.
- `<public certificate>`: The public certificate used for signing.
- `<module file for signing>`: The kernel module file that you want to sign.
- `<destination of signed file>`: The location where the signed module file will be saved.

For example,

```bash
sign-file -s /etc/fortanix/signature.raw sha256 /etc/fortanix/Kernelsigningcert.der /etc/fortanix/hello.ko /etc/fortanix/hello_signed.ko
```
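The two steps above hand DSM's raw signature straight to `sign-file -s`. The following POSIX shell script is an added example, not the guide's own script: it rebuilds the same request body without `jq` so that the digest handling (raw digest bytes, base64-encoded) is visible, fetches the signature with the same `/crypto/v1/keys/<key UUID>/sign` call and Basic API-key header used above, and verifies the raw signature against the kernel-signing certificate from Section 4.0 before it is embedded in a module. The function names, the `Content-Type` header, and the use of `openssl` for the local check are this example's assumptions; the self-check at the end only exercises the request builder on a constructed file, so it runs without DSM access.

```shell
#!/bin/sh
# Added example, not the guide's script. Assumed names: sha256_hex, hex_to_raw,
# sha256_base64, build_sign_request, fetch_signature, verify_raw_signature.

# SHA-256 of a file as lowercase hex.
sha256_hex() { sha256sum "$1" | awk '{print $1}'; }

# Hex string -> raw bytes using only POSIX printf (replaces xxd -r -p).
hex_to_raw() {
    h=$1
    [ $(( ${#h} % 2 )) -eq 0 ] || { echo "odd-length hex string" >&2; return 1; }
    while [ -n "$h" ]; do
        rest=${h#??}          # everything after the first two hex digits
        byte=${h%"$rest"}     # the first two hex digits
        printf "$(printf '\\%03o' "$((0x$byte))")"
        h=$rest
    done
}

# Base64 of the RAW digest bytes: DSM signs the digest itself, not its hex form.
sha256_base64() { hex_to_raw "$(sha256_hex "$1")" | base64 | tr -d '\n'; }

# Same request body as the guide's script, written with printf so jq is optional here.
build_sign_request() {
    printf '{"hash_alg":"sha256","hash":"%s","mode":{"PKCS1_V15":{}},"deterministic_signature":true}\n' \
        "$(sha256_base64 "$1")"
}

# $1 module, $2 DSM host, $3 key UUID, $4 API key, $5 output file for the raw signature.
# Same endpoint and Basic-auth header as the guide; the Content-Type header is an assumption.
fetch_signature() {
    curl -sS --fail --location --request POST "https://$2/crypto/v1/keys/$3/sign" \
        --header "Authorization: Basic $4" --header 'Content-Type: application/json' \
        --data "$(build_sign_request "$1")" | jq -r '.signature' | base64 -d > "$5"
}

# $1 module, $2 DER certificate from Section 4.0, $3 raw signature file.
# Extracts the public key and checks the PKCS#1 v1.5 / SHA-256 signature over
# the module bytes, which is what sign-file -s will embed. A failure here means
# a wrong key, a padding policy other than PKCS1v15, or a digest of the wrong file.
verify_raw_signature() {
    pub=${TMPDIR:-/tmp}/kmod_pub.$$.pem
    openssl x509 -inform der -in "$2" -pubkey -noout > "$pub" || return 1
    openssl dgst -sha256 -verify "$pub" -signature "$3" "$1"
    rc=$?
    rm -f "$pub"
    return $rc
}

# Self-check on a constructed file, no DSM access needed: show the request body.
sample=${TMPDIR:-/tmp}/sample_module.$$.ko
printf 'constructed sample module bytes\n' > "$sample"
build_sign_request "$sample"
rm -f "$sample"
```

In a real run the sequence is `fetch_signature hello.ko <URL> <key UUID> <API Key> signature.raw`, then `verify_raw_signature hello.ko Kernelsigningcert.der signature.raw`, and only then `sign-file -s signature.raw sha256 ...`; catching a mismatched key or padding policy here is far cheaper than discovering it when the kernel refuses to load the module.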

## 6.0 Troubleshooting

If you encounter any issues, *refer to [Clients: PKCS#11 Library](https://support.fortanix.com/docs/clients-pkcs11-library#80-troubleshooting).*

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [Fortanix DSM with SAP](/fortanix-dsm-with-sap.md)
