# Install softhsm with Homebrew, apk, dnf, MacPorts, Nix, pacman, zypper

Cryptographic store accessible through a PKCS#11 interface. Version 2.7.0 via Homebrew; verified 2026-07-05.

## Install

```sh
sudo av install brew:softhsm
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install softhsm
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install softhsm
```

  Evidence: MacPorts ports tree: security/softhsm/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add softhsm
```

  Evidence: Alpine Linux edge package indexes: softhsm from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz

- dnf (92%):

```sh
sudo dnf install softhsm
```

  Evidence: Fedora Rawhide package metadata: softhsm from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#softhsm
```

  Evidence: nixpkgs package indexes: pkgs/by-name/so/softhsm/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S softhsm
```

  Evidence: Arch Linux sync databases: softhsm from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install softhsm
```

  Evidence: openSUSE Tumbleweed package metadata: softhsm from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:softhsm
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/softhsm>
- **Version:** 2.7.0
- **Source summary:** Cryptographic store accessible through a PKCS#11 interface
- **Homepage:** <https://www.softhsm.org/>
- **Repository:** <https://github.com/softhsm/SoftHSMv2>
- **Upstream docs:** <https://github.com/softhsm/SoftHSMv2#readme>
- **License:** BSD-2-Clause
- **Source archive:** <https://github.com/softhsm/SoftHSMv2/archive/refs/tags/2.7.0.tar.gz>
- **Last updated:** 2026-07-05T00:14:30+09:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- softhsm2-dump-file (cli)
- softhsm2-keyconv (cli)
- softhsm2-util (cli)
- softhsm2-dump-file (alias)
- softhsm2-keyconv (alias)
- softhsm2-util (alias)

## Dependencies

- openssl@3

## Build dependencies

- autoconf
- automake
- libtool
- pkgconf

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.7.0
- Package-manager updated: 2026-07-05
- Local data: ok
- Upstream repository: https://github.com/softhsm/SoftHSMv2
- Upstream latest detected: 2.7.0 (current)
## Project history and usage

SoftHSM is a software implementation of a cryptographic token store exposed through PKCS#11, originally created for OpenDNSSEC and later maintained as a standalone security project.

### Project history

The official SoftHSM site and README both state that SoftHSM began as part of the OpenDNSSEC project. OpenDNSSEC needed to store and handle cryptographic keys through PKCS#11, but requiring a physical hardware security module would have limited who could test or deploy the system.

SoftHSM answered that problem with a software implementation of a generic cryptographic device. Version 2 became the current line, adding stronger handling of sensitive material, unswappable memory support, and a more general crypto backend that can use Botan or OpenSSL.

The SoftHSMv2 GitHub repository was created in 2013 and remains active under the softhsm organization, while the project website points users to GitHub for source code and bug reporting.

### Adoption history

SoftHSM spread beyond OpenDNSSEC because PKCS#11 is a shared interface used by many cryptographic applications. The README explicitly notes that SoftHSM can work with other cryptographic products through that interface.

The package is carried by Homebrew, Alpine, Fedora, MacPorts, Nix, Arch, and openSUSE according to the input package facts, which fits its role as a test and development HSM substitute on Unix-like systems.

### How it is used

Users install the library and command-line utilities, configure the token storage path in softhsm2.conf, initialize tokens with softhsm2-util --init-token, and then point PKCS#11-aware software at the SoftHSM module.

The default configuration file is /etc/softhsm2.conf, and the README documents SOFTHSM2_CONF as an override. Token backup is ordinary file backup of the configured token storage location.

### Why package nerds care

SoftHSM is important to package maintainers because it makes PKCS#11 integration testable without special hardware. That matters for DNSSEC software, TLS tooling, signing infrastructure, CI systems, and applications that support smart cards or hardware security modules.

It is also a classic dependency-package artifact: most users care that the shared module, config file, utility commands, crypto backend, and p11-kit integration land in expected filesystem locations.

### Timeline

- 2000s: SoftHSM is developed as part of OpenDNSSEC to provide a software PKCS#11 device.
- 2013: SoftHSMv2 GitHub repository is created.
- 2010s: SoftHSM version 2 becomes the main documented line with Botan/OpenSSL backend support.
- 2020s: SoftHSM continues as a standalone project with packages across Unix-like package managers.

### Related projects

- OpenDNSSEC: the project SoftHSM was originally built to support.
- PKCS#11: the cryptographic token interface SoftHSM implements.
- Botan and OpenSSL: supported cryptographic backends.
- p11-kit: system integration layer relevant to installing PKCS#11 modules.

### Sources

- current_curation.config-file-location
- <https://api.github.com/repos/softhsm/SoftHSMv2>
- <https://opendnssec.readthedocs.io/en/latest/softhsm2/>
- <https://raw.githubusercontent.com/softhsm/SoftHSMv2/develop/README.md>
- <https://www.softhsm.org/>
- <https://www.softhsm.org/background.html>
- source_facts.package-manager


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: /etc/softhsm2.conf
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** softhsm
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - softhsm: normalized package name match | nixpkgs package indexes: pkgs/by-name/so/softhsm/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - softhsm - 2.7.0-r0: normalized package name match | Alpine Linux edge package indexes: softhsm from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | cryptographic store accessible through a PKCS #11 | https://github.com/softhsm/SoftHSMv2
- apk - softhsm-doc - 2.7.0-r0: normalized package name match | Alpine Linux edge package indexes: softhsm-doc from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | cryptographic store accessible through a PKCS #11 (documentation) | https://github.com/softhsm/SoftHSMv2
- apk - softhsm-static - 2.7.0-r0: normalized package name match | Alpine Linux edge package indexes: softhsm-static from https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz | cryptographic store accessible through a PKCS #11 (static library) | https://github.com/softhsm/SoftHSMv2
- dnf - softhsm - 2.7.0-0.1.rc1.fc44.1: normalized package name match | Fedora Rawhide package metadata: softhsm from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Software version of a PKCS#11 Hardware Security Module | http://www.softhsm.org/
- dnf - softhsm-devel - 2.7.0-0.1.rc1.fc44.1: normalized package name match | Fedora Rawhide package metadata: softhsm-devel from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Development package of softhsm that includes the header files | http://www.softhsm.org/
- pacman - softhsm - 2.7.0-1: normalized package name match | Arch Linux sync databases: softhsm from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Software PKCS#11 store | https://opendnssec.readthedocs.io/en/latest/softhsm2/
- zypper - softhsm - 2.6.1+git.1732869438.f7883c2-2.4: normalized package name match | openSUSE Tumbleweed package metadata: softhsm from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Software version of a PKCS#11 Hardware Security Module | https://www.opendnssec.org/
- zypper - softhsm-devel - 2.6.1+git.1732869438.f7883c2-2.4: normalized package name match | openSUSE Tumbleweed package metadata: softhsm-devel from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Development package of softhsm | https://www.opendnssec.org/
- MacPorts - softhsm: normalized package name match | MacPorts ports tree: security/softhsm/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [autoconf](https://www.automicvault.com/pkg/brew/autoconf/) - Build dependency declared by Homebrew.
- [automake](https://www.automicvault.com/pkg/brew/automake/) - Build dependency declared by Homebrew.
- [libtool](https://www.automicvault.com/pkg/brew/libtool/) - Build dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [opensc](https://www.automicvault.com/pkg/brew/opensc/) - Shares av.db curated category or tags: cli, cryptography, pkcs11, security.
- [botan](https://www.automicvault.com/pkg/brew/botan/) - Shares av.db curated category or tags: cli, cryptography, security.
- [gnupg-pkcs11-scd](https://www.automicvault.com/pkg/brew/gnupg-pkcs11-scd/) - Shares av.db curated category or tags: cli, cryptography, pkcs11, security.
- [gnutls](https://www.automicvault.com/pkg/brew/gnutls/) - Shares av.db curated category or tags: cli, cryptography, security.
- [hopenpgp-tools](https://www.automicvault.com/pkg/brew/hopenpgp-tools/) - Shares av.db curated category or tags: cli, cryptography, key-management, security.
- [nettle](https://www.automicvault.com/pkg/brew/nettle/) - Shares av.db curated category or tags: cli, cryptography, security.
- [nss](https://www.automicvault.com/pkg/brew/nss/) - Shares av.db curated category or tags: cli, cryptography, security.
- [pkcs11-tools](https://www.automicvault.com/pkg/brew/pkcs11-tools/) - Shares av.db curated category or tags: cli, cryptography, hsm, pkcs11, security.

## Combined YAML source

View the package source record on GitHub. [combined/softhsm.yml](https://github.com/automic-vault/db/blob/main/combined/softhsm.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
