May 28th, 2026
HSM vendor support:
- Securosys Primus CloudHSM support added.
- Database migrations now run automatically on startup (Postgres), with a flag to disable them.
- Response caching added to the HSM proxy.
- hsm-cli is now shipped as a separate image.
- HPCS (IBM grep11) library updated to 2.6.11.
May 6th, 2026
HSM vendor support:
- IBM EP11 support added: multi-card init, secure-key concept, EdDSA and ECDSA generate/sign, pre-generation.
- Thales HSM support added (including Cloud Luna), with a dedicated runbook.
- OpenCryptoki integration reworked, then removed in favor of the higher-level HSM interface.
- SQLite added as a keystore option, with strict tables and a read-only mode.
- HA SQLite mode added.
- Postgres migrations reorganized into a dedicated subfolder.
- Pre-generation of keys supported on startup, with topup capability.
- Pre-generation supported in pkcs11-executor mode.
- Sign by public key supported as an alternative to signing by key_id.
- Signing integrity verification using ed25519.
- Returned and stored public keys are now compressed.
- New hsm-cli for HSM operations without a proxy connection.
- New bench command on the driver CLI.
- Async flow: driver can return pending processes to the proxy REST API.
- Multi-platform hsm-proxy images (amd64 and s390x).
- Version printed at hsm-driver and hsm-proxy startup.
January 9th, 2026
Operational:
- Documented HSM keystore creation in pregen mode.
- Client cert parsing: customer names containing dots are now accepted.
- Client cert domain handling is now dynamic.
December 22nd, 2025
Operational:
- Client stale timeout is now a configurable parameter on hsm-proxy.
- Proxy can drop driver connections that have gone stale.
- IBM runbook updated with HA SQLite instructions.
December 17th, 2025
First release of the DFNS HSM signer tracked in this changelog.