There are many PKCS#11-over-the-network implementations by the way of an openssl 'engine'. Each HSM manufacturer has its own and each HSM on cloud provider has one too. I recently test the Thales Luna implementation of their .so library as an engine. Ok, it never worked (pb of symbols) but it should work.

But the real blocking point was the price: 25 k/year for 1 key (at the beginning) that's unreasonable. That's nearly the price of a standalone rackable HSM (~30-40k). Ok, we generally need 2 HSM as-a-box for redundancy.

I don't want to use AWS nor Azure for sovereignty considerations. The KMS system and KMIP protocol is a decent proposal. Alas, there is NO openssl implementation of KMIP, yet.

db