I’m working on a project which will use a real HSM (hardware security module) to perform code signing. But getting access to the HSM can be tricky and difficult, and debugging why things don’t work right on the real HSM is not always easy.
So I started out developing against SoftHSM (https://www.softhsm.org/) and it has worked amazingly well!
SoftHSM is fast, easy to use, and pretty simple to setup and try things out with. It’s definitely not secure in how I’m using it, but my goal was just to iron out how to interface to an HSM using fake keys and for that it worked great!
The physical HSM software landscape seems like a horrible mess of an industry. There’s tons of proprietary workflows, exporting keys from one HSM to another is near impossible due to seemingly purposeful interoperability quirks, and HSMs aren’t cheap. Being able to prototype with a software HSM for free was a huge help, I highly recommend it.