Acala: Enhanced Key Protection Without Complicated Hardware

Acala 2.1.5

Acala is a software HSM emulator that acts as a universal key store as well as a cryptographic service provider. Acala:

  • maintains a central repository for private keys and X.509 certificates
  • and provides a secure environment for cryptographic operations

Acala affords an organization’s servers the functionality of a physical hardware security module (HSM) for a fraction of the cost. It stores each servers’ credentials in a single encrypted file on any designated storage device (e.g., local hard drive, network share, or removable memory device), and provides cryptographic operations to security-enabled programs through a PKCS#11 application programming interface.

Safeguarding Offline Certificate Authority Keys for CSfC
Acala’s software protection of a CA’s sensitive keys, combined with sufficient protection of the system on which both Acala and the certificate authority reside, can enable a low cost solution for an offline certificate authority.

Generating Pre-shared Keys for a IKEv1 VPN
Acala supports the generation of symmetric keys in an IPSEC VPN using IKEv1 deployment.

Securing Keys in a Prototype, Test, or Development CertAgent Effort
Acala allows the quick establishment of a certificate authority for prototype, test, or development purposes without the expense of a true hardware security module.


  • Lowers cost
  • Enhances security
  • Enforces strict password quality requirements
  • Audits all private key operations
  • May be easily deployed and managed
  • Appropriate for oganizations of any size
  • Uses NIST CMVP-validated FIPS 140-2 cryptography and today’s proven standards, including ANSI X.509 and IETF PKIX, TLS, and S/MIME

Technical Specifications

  • Complies with NIST FIPS 140-2 Level 1 requirements
  • Exports a PKCS#11 version 2.20 compliant API
  • Imports and exports PKCS#12, PKCS#7, and ASN.1 DER- encoded X.509 certificates
  • Generates up to 8192-bit RSA and up to 571-bit ECDSA PKCS#10 requests
  • Supports SHA-256, SHA-384, and SHA-512
  • Employs password-protected PKCS#15 PDUs for key storage on local, removable, or network-attached drives, using AES-256 for confidentiality and HMAC-SHA-512 for integrity checking

System Requirements

  • Windows Server 2012 R2 or above
  • Windows 7, 8, 8.1, 10, or above
  • CentOS 6.7 (Linux Kernel 2.6) or above (x64)