
HSM - cryptoki - opening sessions overhead

I have a query regarding sessions with an HSM.

I am aware that there is an overhead if you initialise and finalise the Cryptoki API for every file you want to encrypt/decrypt.

My queries are:

  1. Is there an overhead in opening and closing individual sessions for every file you want to encrypt/decrypt (C_Initialize/C_Finalize)?

  2. What is the maximum number of sessions I can have with an HSM simultaneously without affecting performance?

  3. Is opening and closing a session for each individual file the best approach, or is opening a session, processing multiple files and then closing the session the best approach?

Thanks

asked Nov 06 '22 12:11

Raj


1 Answer

First and foremost, the PKCS#11 spec has pretty extensive documentation, under its general overview, about threads, applications and sessions.

Secondly, it depends on your HSM hardware and PKCS#11 module implementation. How does your PKCS#11 provider represent slots? Do you use the same key all the time? What are the authentication mechanisms for the key?

  1. How to use C_Initialize (and C_Finalize) is extensively covered in the PKCS#11 spec.
  2. The number of sessions depends on the PKCS#11 implementation; see ulMaxSessionCount in CK_TOKEN_INFO.

Try with a single session. Are you sure your bottleneck will be the session handling?

answered Nov 17 '22 07:11

Martin Paljak
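An added example, not part of the original answer: ulMaxSessionCount cannot be read as a plain number, because PKCS#11 reserves two values for it (0 means "effectively infinite", ~0UL means "information unavailable"). The helper name session_budget, its "wanted" parameter and the fall-back-to-one-session policy are assumptions made for illustration; the two constants are repeated from pkcs11t.h so the block compiles without a vendor SDK.

```c
#include <stdio.h>

/* Special values from the PKCS#11 header pkcs11t.h, repeated here. */
#define CK_UNAVAILABLE_INFORMATION (~0UL)
#define CK_EFFECTIVELY_INFINITE    0UL

/*
 * Hypothetical helper: decide how many sessions to keep open for a batch of
 * files, given two CK_TOKEN_INFO fields as returned by C_GetTokenInfo:
 *   ulMaxSessionCount - limit on sessions one application may open
 *   ulSessionCount    - sessions this application already has open
 * "wanted" is the number of worker sessions the application would like.
 */
unsigned long session_budget(unsigned long ulMaxSessionCount,
                             unsigned long ulSessionCount,
                             unsigned long wanted)
{
    unsigned long in_use, free_sessions;

    /* 0 is not "no sessions": the token states no practical limit. */
    if (ulMaxSessionCount == CK_EFFECTIVELY_INFINITE)
        return wanted;

    /* Limit unknown: assumed policy is to start with a single session. */
    if (ulMaxSessionCount == CK_UNAVAILABLE_INFORMATION)
        return 1;

    /* The current count may itself be unavailable; treat it as none open. */
    in_use = (ulSessionCount == CK_UNAVAILABLE_INFORMATION) ? 0 : ulSessionCount;
    if (in_use >= ulMaxSessionCount)
        return 0;                       /* C_OpenSession would fail */

    free_sessions = ulMaxSessionCount - in_use;
    return wanted < free_sessions ? wanted : free_sessions;
}

int main(void)
{
    /* Constructed sample values, not taken from any real token. */
    printf("no stated limit : %lu\n", session_budget(0UL, 3, 8));
    printf("limit unknown   : %lu\n", session_budget(~0UL, 0, 8));
    printf("16 max, 10 open : %lu\n", session_budget(16, 10, 8));
    printf("4 max, 4 open   : %lu\n", session_budget(4, 4, 2));
    return 0;
}
```

The sessions in the returned budget are meant to be opened once, after a single C_Initialize, and reused for every file in the batch.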