If anyone wants an open source HSM on the cheap based on a Raspberry Pi that is PKCS#11 compatible, check out the picohsm project: https://www.picokeys.com/pico-hsm/
This definitely seems useful, but it's arguably not an HSM. It's literally downloadable software! (You wouldn't download an HSM.)
HSMs of course also run software, but they usually provide at least some level of hardening against physical attacks. In other words, it shouldn't be possible to just extract keys from them. Is that the case here?
I think it would be more honest to call this a (possibly hardened) key server/service. Often, that's all people want from an HSM! But sometimes it isn't (whether for compliance or other reasons).
> RSA key length (bits)   Average time (seconds)
> 1024                    16
> 2048                    124
> 3072                    600
> 4096                    ~1000
That must be a typo, and they mean milliseconds - right? Otherwise this seems too slow to do anything useful?