Adding HSM Root-of-Trust to nShield Server
HSM Root-of-Trust provides enhanced protection for the contents of the object store. Root-of-Trust is gained when the HSM provides the cryptographic keys necessary to unlock the object store.
If the HSM cannot be contacted when Cryptographic Security Platform Vault boots, or if the correct keys cannot be located, trust cannot be established with the HSM and Cryptographic Security Platform Vault is not allowed to begin servicing key requests.
Important: Creating an HSM Root-of-Trust is not reversible. Once the HSM Root-of-Trust is enabled, you cannot remove the HSM. Contact Entrust Support to disable it.
- Log into the Cryptographic Security Platform Vault Management webGUI using an account with Security Admin privileges.
- In the top right, click the Switch to Appliance Management link.
- In the top menu bar, click Settings.
- In the System Settings section, click HSM Server Settings.
- On the nShield HSM Server Settings page, select the HSM Root-of-Trust mode that you want to use:
  - Root-of-Trust mode using HWSIG—The hardware signature is used to wrap the HSM configuration file. Unless there is a change to Cryptographic Security Platform Vault's hardware configuration, booting Cryptographic Security Platform Vault will require no user intervention before it can begin servicing requests.
    Virtual machine configuration changes may result in a need to recover the HSM configuration changes. When this happens, the normal Cryptographic Security Platform Vault Masterkey Recovery procedure is used, which requires the admin key that had been downloaded when Cryptographic Security Platform Vault was installed.
  - Root-of-Trust mode using Password—The HSM's softcard password is used to wrap the HSM configuration file. When Cryptographic Security Platform Vault boots, the webGUI will prompt for the HSM password. Only when the password is correctly entered is Cryptographic Security Platform Vault allowed to begin booting.
    The HSM password must be entered on each node of the cluster. For instance, if the entire cluster is restarted, it will only begin servicing requests once the password has been entered on all of the nodes in the cluster.
- Select the HSM Root-of-Trust Timeout value in minutes and click Save.
  You can select up to 1440 minutes (1 day).
Note: If the node is unable to connect to any HSM server, and still cannot connect after the timeout period, that Cryptographic Security Platform Vault node will be locked down and will not respond to any requests via the webGUI or API. Diagnostic logs are available from the system console using the Cryptographic Security Platform Vault System Console. After resolving the connection issue, reboot the Cryptographic Security Platform Vault node to re-enable it.
When using the System Console to download the diagnostic logs, you will see the message “Cryptographic Security Platform Vault not initialised yet. Proceeding may potentially leave the system unusable.” This is expected, and enabling the htrestricted account will not cause a problem.
- Click Apply.