Documentation Index

Fetch the complete documentation index at: https://support.fortanix.com/llms.txt

Use this file to discover all available pages before exploring further.

PKCS#11 Supported Functions and Mechanisms

  • Updated on May 26, 2026
  • Published on Jun 21, 2024
  • 2 minute(s) read
Prev Next

1.0 Introduction

This article describes the functions and mechanisms supported by the PKCS#11 library.

2.0 Assumptions for PKCS11 library

The following are some assumptions for the PKCS#11 library:

  • There are 32 slots in Fortanix HSM, and all have a token that is already initialized. C_InitToken should fail, and the token PIN cannot be changed. You must use the Fortanix-provided authorization key as the PIN.

    • Multiple slots can be advantageous when dealing with multiple groups or endpoints. Basically, you can specify a separate config or pin for each slot during C_Login. Of course, you can always use C_Login and C_Logout with a single slot, but multiple slots can allow you to do the same concurrently.

  • Nobody can log in as a Security Officer (SO). Fortanix returns CKR_PIN_INCORRECT when someone tries to log in as an SO.

  • Session objects are deleted when the session is closed, but if the session is terminated in between, session objects will persist in the backend.

  • All objects are created as private. Fortanix does not support the creation of public objects.

  • Key handles are per-session and cannot be reused across sessions.

  • If C_Digest is called before C_Login, we use the hashing functions from the OpenSSL library to compute the digest locally.

3.0 Supported Mechanisms

The following are the supported mechanisms for the PKCS#11 library:

  • CKM_AES_CBC

  • CKM_AES_CBC_ENCRYPT_DATA

  • CKM_AES_CBC_PAD

  • CKM_AES_CFB128

  • CKM_AES_CMAC

  • CKM_AES_ECB

  • CKM_AES_ECB_ENCRYPT_DATA

  • CKM_AES_GCM

  • CKM_AES_KEY_GEN

  • CKM_AES_OFB

  • CKM_DES2_KEY_GEN

  • CKM_DES3_CBC

  • CKM_DES3_CBC_ENCRYPT_DATA

  • CKM_DES3_CBC_PAD

  • CKM_DES3_ECB

  • CKM_DES3_ECB_ENCRYPT_DATA

  • CKM_DES3_KEY_GEN

  • CKM_DES_CBC

  • CKM_DES_CBC_ENCRYPT_DATA

  • CKM_DES_CBC_PAD

  • CKM_DES_CFB64

  • CKM_DES_ECB

  • CKM_DES_ECB_ENCRYPT_DATA

  • CKM_DES_KEY_GEN

  • CKM_DES_OFB64

  • CKM_ECDH1_DERIVE

  • CKM_ECDSA

  • CKM_ECDSA_KEY_PAIR_GEN

  • CKM_ECDSA_SHA224

  • CKM_ECDSA_SHA256

  • CKM_ECDSA_SHA384

  • CKM_ECDSA_SHA512

  • CKM_EC_EDWARDS_KEY_PAIR_GEN

  • CKM_EDDSA

  • CKM_GENERIC_SECRET_KEY_GEN

  • CKM_RSA_PKCS

  • CKM_RSA_PKCS_KEY_PAIR_GEN

  • CKM_RSA_PKCS_OAEP

  • CKM_RSA_PKCS_PSS

  • CKM_RSA_X_509

  • CKM_SHA_1

  • CKM_SHA_1_HMAC

  • CKM_SHA1_RSA_PKCS

  • CKM_SHA1_RSA_PKCS_PSS

  • CKM_SHA224

  • CKM_SHA224_HMAC

  • CKM_SHA224_RSA_PKCS

  • CKM_SHA224_RSA_PKCS_PSS

  • CKM_SHA256

  • CKM_SHA256_HMAC

  • CKM_SHA256_RSA_PKCS

  • CKM_SHA256_RSA_PKCS_PSS

  • CKM_SHA384

  • CKM_SHA384_HMAC

  • CKM_SHA384_RSA_PKCS

  • CKM_SHA384_RSA_PKCS_PSS

  • CKM_SHA512

  • CKM_SHA512_HMAC

  • CKM_SHA512_RSA_PKCS

  • CKM_SHA512_RSA_PKCS_PSS

  • CKM_RSA_X9_31_KEY_PAIR_GEN

4.0 Exposed Functions

The following table describes the PKCS#11 functions and whether they are supported in a regular Fortanix-Data-Security-Manager (DSM) group:

FUNCTIONS

SUPPORT AGAINST REGULAR DSM GROUPS (non-external groups)

General Purpose Functions

  • C_Finalize

  • C_Initialize

  • C_GetInfo

  • C_GetFunctionList

All supported

Slot and Token Management Functions 

  • C_GetSlotInfo

  • C_GetSlotList

  • C_GetTokenInfo

  • C_WaitForSlotEvent

  • C_GetMechanismInfo

  • C_GetMechanismList

  • C_InitPIN

  • C_InitToken

  • C_SetPIN

Session Management Functions

  • C_GetOperationState

  • C_GetSessionInfo

  • C_Login

  • C_Logout

  • C_OpenSession

  • C_CloseAllSessions

  • C_CloseSession

  • C_SetOperationState

 

All supported except C_GetOperationState

and C_SetOperationState.

Object Management Functions

  • C_CopyObject

  • C_CreateObject

  • C_DestroyObject

  • C_GetObjectSize

  • C_GetAttributeValue

  • C_SetAttributeValue

  • C_FindObjects

  • C_FindObjectsFinal

  • C_FindObjectsInit

 

All supported except C_CopyObject

and C_GetObjectSize.

Encryption/Decryption Functions

  • C_Decrypt

  • C_DecryptFinal

  • C_DecryptInit

  • C_DecryptUpdate

  • C_Encrypt

  • C_EncryptFinal

  • C_EncryptInit

  • C_EncryptUpdate

All supported.

Message Digesting Functions 

  • C_DigestFinal

  • C_DigestInit

  • C_DigestKey

  • C_DigestUpdate

  • C_Digest

All supported except C_DigestKey.

Sign and Verify Functions

  • C_SignFinal

  • C_SignInit

  • C_SignRecover

  • C_SignRecoverInit

  • C_SignUpdate

  • C_Sign

  • C_Verify

  • C_VerifyFinal

  • C_VerifyInit

  • C_VerifyRecover

  • C_VerifyRecoverInit

  • C_VerifyUpdate

All supported except C_SignRecover, C_SignRecoverInit,

C_VerifyRecover and C_VerifyRecoverInit.

Dual Purpose Functions 

  • C_DecryptDigestUpdate

  • C_DecryptVerifyUpdate

  • C_DigestEncryptUpdate

  • C_SignEncryptUpdate

None supported

Key Management Functions 

  • C_GenerateKey

  • C_GenerateKeyPair

  • C_UnwrapKey

  • C_WrapKey

  • C_DeriveKey

All supported

RNG Functions

  • C_SeedRandom

  • C_GenerateRandom

 

All supported

Parallel Function Management Functions

  • C_CancelFunction

  • C_GetFunctionStatus

 

None supported

5.0 Functions Not Supported

The PKCS#11 library does not support the following functions:

  • C_AsyncComplete

  • C_AsyncGetID

  • C_AsyncJoin

  • C_CancelFunction

  • C_CopyObject

  • C_DecapsulateKey

  • C_DecryptDigestUpdate

  • C_DecryptMessage

  • C_DecryptMessageBegin

  • C_DecryptMessageNext

  • C_DecryptVerifyUpdate

  • C_DigestEncryptUpdate

  • C_DigestKey

  • C_EncapsulateKey

  • C_EncryptMessage

  • C_EncryptMessageBegin

  • C_EncryptMessageNext

  • C_GetFunctionStatus

  • C_GetInterface

  • C_GetInterfaceList

  • C_GetObjectSize

  • C_GetOperationState

  • C_GetSessionValidationFlags

  • C_LoginUser

  • C_MessageDecryptFinal

  • C_MessageDecryptInit

  • C_MessageEncryptFinal

  • C_MessageEncryptInit

  • C_MessageSignFinal

  • C_MessageSignInit

  • C_MessageVerifyFinal

  • C_MessageVerifyInit

  • C_SessionCancel

  • C_SetOperationState

  • C_SignEncryptUpdate

  • C_SignMessage

  • C_SignMessageBegin

  • C_SignMessageNext

  • C_SignRecover

  • C_SignRecoverInit

  • C_UnwrapKeyAuthenticated

  • C_VerifyMessage

  • C_VerifyMessageBegin

  • C_VerifyMessageNext

  • C_VerifyRecover

  • C_VerifyRecoverInit

  • C_VerifySignature

  • C_VerifySignatureFinal

  • C_VerifySignatureInit

  • C_VerifySignatureUpdate

  • C_WaitForSlotEvent

  • C_WrapKeyAuthenticated

6.0 Supported Attributes

The following are the supported attributes for the PKCS#11 library:

  • CKA_ID

  • CKA_LABEL

  • CKA_CLASS

  • CKA_TOKEN

  • CKA_VALUE

  • CKA_VALUE_LEN

  • CKA_PRIVATE

  • CKA_EXTRACTABLE

  • CKA_NEVER_EXTRACTABLE

  • CKA_SENSITIVE

  • CKA_ALWAYS_SENSITIVE

  • CKA_KEY_TYPE

  • CKA_MODULUS

  • CKA_MODULUS_BITS

  • CKA_PUBLIC_EXPONENT

  • CKA_EC_PARAMS

  • CKA_EC_POINT

  • CKA_ISSUER

  • CKA_SERIAL_NUMBER

  • CKA_SUBJECT

  • CKA_ALWAYS_AUTHENTICATE

  • CKA_CERTIFICATE_TYPE

  • CKA_ENCRYPT

  • CKA_DECRYPT

  • CKA_SIGN

  • CKA_VERIFY

  • CKA_DERIVE

  • CKA_WRAP

  • CKA_UNWRAP

  • CKA_MODIFIABLE

  • CKA_DESTROYABLE

  • CKA_APPLICATION

  • CKA_START_DATE

  • CKA_END_DATE

  • CKA_LOCAL

  • CKA_KEY_GEN_MECHANISM

  • CKA_OBJECT_ID

  • CKA_PUBLIC_KEY_INFO

Related articles

Platform
Fortanix Armor
Armet AI Key Insight Data Security Manager Confidential Computing Manager
Open Source Platform
Enclave Development Platform®

Solutions
Use Cases
Legacy to Cloud Infrastructure Migration Regulatory Compliance Post-Quantum Readiness Secure, Data-Driven Innovation
Industry
Healthcare Banking & Financial Services Fintech Manufacturing Federal Government

Company
About Us Partners Careers Confidential Computing University Blog FAQ Contact Us Awards Events Webinars Press News Services Media Kit Newsletters

Customers

Resources

Support
Fortanix-logo

4.6

star-ratings

As of August 2025

Request a Demo