Probably a bit of a long shot but has anyone here written an HSM Go client before? Preferably against AWS' CloudHSM service?

xuanbao · 576 views
<p>Looking for some examples, not finding anything concrete really. My use case is that I need to decrypt data using a private key stored in CloudHSM.</p>
<p>There's the official AWS CloudHSM API which appears to only support CRUD operations on an HSM cluster itself, not actually leveraging one for encryption/decryption operations: <a href="https://docs.aws.amazon.com/sdk-for-go/api/service/cloudhsmv2/">https://docs.aws.amazon.com/sdk-for-go/api/service/cloudhsmv2/</a></p>
<p>There's also this library which appears to work with many different HSMs, CloudHSM included: <a href="https://github.com/miekg/pkcs11">https://github.com/miekg/pkcs11</a></p>
<p>If anyone has some working code they could share here, that would be great. Any advice on this is welcome.</p>
<hr/>
**Comments:**<br/><br/>
gxti:
<pre><p>The pkcs11 library does what you want. You can start out with the p11 subpackage -- it has a tidier interface but doesn't expose 100% of the low-level API.</p>
<p>This package is also helpful: <a href="https://github.com/ThalesIgnite/crypto11" rel="nofollow">https://github.com/ThalesIgnite/crypto11</a> -- it provides the right Signer/Decrypter interfaces that let you interoperate with other Go libraries if you're trying to drop in an HSM where you would normally just have a private key object. It's a wrapper around the other one.</p>
<p>As far as the actual PKCS#11 provider, that part comes from a package you download and install from AWS. <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library-install.html" rel="nofollow">https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library-install.html</a></p></pre>
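The point in gxti's reply about the standard Signer/Decrypter interfaces, as an added example (not code from the thread or from either library): decryption code written against Go's `crypto.Decrypter` never touches the private key, so an HSM-backed key object can replace an in-memory one. Assumptions: `opaqueKey` and the generated RSA key are hypothetical stand-ins for a key handle from a PKCS#11 wrapper, and RSA-OAEP with SHA-256 is an assumed scheme.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// decryptOAEP depends only on crypto.Decrypter, so the caller decides whether
// the key lives in process memory or behind an HSM session.
func decryptOAEP(key crypto.Decrypter, ciphertext []byte) ([]byte, error) {
	return key.Decrypt(rand.Reader, ciphertext, &rsa.OAEPOptions{Hash: crypto.SHA256})
}

// opaqueKey is a hypothetical stand-in for an HSM key handle: through the
// interface it offers only Public() and Decrypt(), like a non-exportable key.
type opaqueKey struct{ crypto.Decrypter }

// newOpaqueKey wraps a constructed 2048-bit test key (not from an HSM).
func newOpaqueKey() (crypto.Decrypter, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return opaqueKey{priv}, nil
}

// roundTrip encrypts to the key's public half, then decrypts via the interface.
func roundTrip(key crypto.Decrypter, plaintext []byte) ([]byte, error) {
	pub, ok := key.Public().(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unsupported public key type %T", key.Public())
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return decryptOAEP(key, ct)
}

func main() {
	key, err := newOpaqueKey()
	if err != nil {
		panic(err)
	}
	out, err := roundTrip(key, []byte("constructed sample secret"))
	fmt.Printf("%s %v\n", out, err)
}
```

With a real HSM, only `newOpaqueKey` changes: it would return the key object obtained from the PKCS#11 wrapper, and `decryptOAEP` stays as written provided the token supports the chosen padding mechanism.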
