diff --git a/pkgs/tools/security/opencryptoki/default.nix b/pkgs/tools/security/opencryptoki/default.nix
new file mode 100644
index 000000000000..9ea9c2f4892b
--- /dev/null
+++ b/pkgs/tools/security/opencryptoki/default.nix
@@ -0,0 +1,38 @@
+{ stdenv, fetchurl, openssl, trousers, automake, autoconf, libtool, bison, flex }:
+
+stdenv.mkDerivation rec {
+  version = "3.2";
+  name = "opencryptoki-${version}";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/opencryptoki/opencryptoki/v${version}/opencryptoki-v${version}.tgz";
+    sha256 = "06r6zp299vxdspl6k65myzgjv0bihg7kc500v7s4jd3mcrkngd6h";
+  };
+
+  buildInputs = [ automake autoconf libtool openssl trousers bison flex ];
+
+  preConfigure = ''
+    substituteInPlace configure.in --replace "chown" "true"
+    substituteInPlace configure.in --replace "chgrp" "true"
+    sh bootstrap.sh --prefix=$out
+  '';
+
+  configureFlags = [ "--disable-ccatok" "--disable-icatok" ];
+
+  makeFlags = "DESTDIR=$(out)";
+
+  # work around the build script of opencryptoki
+  postInstall = ''
+    cp -r $out/$out/* $out
+    rm -r $out/nix
+    '';
+
+  meta = with stdenv.lib; {
+    description = "PKCS#11 implementation for Linux";
+    homepage    = http://opencryptoki.sourceforge.net/;
+    license     = licenses.cpl10;
+    maintainers = [ maintainers.tstrobel ];
+    platforms   = platforms.unix;
+  };
+}
+
diff --git a/pkgs/tools/security/tpm-tools/default.nix b/pkgs/tools/security/tpm-tools/default.nix
index 6e7ff75a6a48..a17bff9e32c8 100644
--- a/pkgs/tools/security/tpm-tools/default.nix
+++ b/pkgs/tools/security/tpm-tools/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, trousers, openssl }:
+{ stdenv, fetchurl, trousers, openssl, opencryptoki }:
 
 let
   version = "1.3.8";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
     sha256 = "10za1gi89vi9m2lmm7jfzs281h55x1sbbm2bdgdh692ljpq4zsv6";
   };
 
-  buildInputs = [ trousers openssl ];
+  buildInputs = [ trousers openssl opencryptoki ];
 
   meta = with stdenv.lib; {
     description = "Management tools for TPM hardware";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index c4c4454b5116..d2d12e99eacf 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1857,6 +1857,8 @@ let
     inherit (pythonPackages) sqlite3;
   };
 
+  opencryptoki = callPackage ../tools/security/opencryptoki { };
+
   opendbx = callPackage ../development/libraries/opendbx { };
 
   opendkim = callPackage ../development/libraries/opendkim { };