# HSM driver

> Release notes for the DFNS HSM driver: vendor support, keystore changes, key pre-generation, and operational tooling.

Current release: **v0.1.46**.

<Update label="v0.1.46" tags={["New Feature", "Operational", "Security"]}>
  *May 28th, 2026*

  **HSM vendor support:**

  * Securosys Primus CloudHSM support added.

  **Operational:**

  * Database migrations now run automatically on startup (Postgres), with a flag to disable them.
  * Response caching added to the HSM proxy.
  * `hsm-cli` is now shipped as a separate image.
  * HPCS (IBM grep11) library updated to 2.6.11.
</Update>

<Update label="v0.1.43" tags={["New Feature", "Operational"]}>
  *May 6th, 2026*

  **HSM vendor support:**

  * IBM EP11 support added: multi-card init, secure-key concept, EdDSA and ECDSA generate/sign, pre-generation.
  * Thales HSM support added (including Cloud Luna), with a dedicated runbook.
  * OpenCryptoki integration reworked, then removed in favor of the higher-level HSM interface.

  **Keystore:**

  * SQLite added as a keystore option, with strict tables and a read-only mode.
  * HA SQLite mode added.
  * Postgres migrations reorganized into a dedicated subfolder.

  **Key pre-generation:**

  * Pre-generation of keys supported on startup, with topup capability.
  * Pre-generation supported in `pkcs11-executor` mode.

  **Signing:**

  * Sign by public key supported as an alternative to signing by `key_id`.
  * Signing integrity verification using Ed25519.
  * Returned and stored public keys are now compressed.

  **Operational:**

  * New `hsm-cli` for HSM operations without a proxy connection.
  * New `bench` command on the driver CLI.
  * Async flow: driver can return pending processes to the proxy REST API.
  * Multi-platform `hsm-proxy` images (amd64 and s390x).
  * Version printed at `hsm-driver` and `hsm-proxy` startup.
</Update>

<Update label="v0.1.22" tags={["Operational", "Bug Fix"]}>
  *January 9th, 2026*

  **Operational:**

  * Documented HSM keystore creation in pregen mode.

  **Bug Fixes:**

  * Client cert parsing: customer names containing dots are now accepted.
  * Client cert domain handling is now dynamic.
</Update>

<Update label="v0.1.21" tags={["Operational"]}>
  *December 22nd, 2025*

  **Operational:**

  * Client stale timeout is now a configurable parameter on `hsm-proxy`.
  * Proxy can drop driver connections that have gone stale.
  * IBM runbook updated with HA SQLite instructions.
</Update>

<Update label="v0.1.19" tags={["Initial Release"]}>
  *December 17th, 2025*

  First release of the DFNS HSM signer tracked in this changelog.
</Update>
