Module Configuration

Each configured PKCS#11 module has its own config file. These files can be placed in various locations. Most importantly each config file specifies the path of the PKCS#11 module to load. A module config file has the following fields:

module:

The filename of the PKCS#11 module to load. This should include an extension like .so

If this value is blank, then the module will be ignored. This can be used in the user configs to override loading of a module specified in the system configuration.

If this is a relative path, then the module will be loaded from the default module directory.

critical:

Set to yes if the module is critical and required to load. If a critical module fails to load or initialize, then the loading process for all registered modules will abort and return an error code.

This argument is optional and defaults to no.

enable-in:

A comma and/or space separated list of names of programs that this module should only be loaded in. The module will not be loaded for other programs using p11-kit. The base name of the process executable should be used here, for example seahorse, ssh.

This is not a security feature. The argument is optional. If not present, then any process will load the module.

disable-in:

A comma and/or space separated list of names of programs that this module should not be loaded in. The module will be loaded for any other programs using p11-kit. The base name of the process executable should be used here, for example firefox, thunderbird-bin.

This is not a security feature. The argument is optional. If not present, then any process will load the module.

Do not specify both enable-in and disable-in for the same module.

Other fields may be present, but it is recommended that field names that are not specified in this document start with a x- prefix.