Hardware Security Modules with KeyControl Vault
A hardware security module (HSM) is a physical device that stores, protects, and manages cryptographic material. An HSM is often used for cryptographic processing as well, including the generation of secure cryptographic keys. It is used in a client-server environment, which means that the server and the client each need to be prepared in advance. One of the advantages of an HSM is that it protects and stores cryptographic keys such as the Admin key or the Key Encryption Keys (KEKs) you have created for your KMIP or BYOK tenants.
When an HSM is used with BYOK, keys are never stored as plaintext. In-memory keys are also encrypted (wrapped), except for software-protected keys in Azure. When a software-protected key has to be uploaded to Azure, KeyControl Vault unwraps it before upload. For other keys, including hardware-protected keys on Azure, when KeyControl Vault has to upload them to the cloud, it encrypts (wraps) them in the HSM using the master key and the cloud provider's wrapping key before uploading the wrapped keys to the cloud.
KeyControl Vault supports the following HSMs:
- nShield HSM
- nShield as a Service (nSaaS)
- Luna HSM
- Luna Cloud HSM
Requirements and Recommendations for nShield HSM Servers
The nShield HSM client version 12.80.4 is included in KeyControl Vault. Only nShield HSMs compatible with the 12.80.4 client are supported. You can also use either the on-premise nShield HSM or nShield as a Service (nSaaS).
For additional details, see your nShield documentation https://nshielddocs.entrust.com or the nShield support site https://nshieldsupport.entrust.com.
Requirements and Recommendations for Luna HSM Servers
You can configure the nodes in your KeyControl Vault cluster to either connect to the HSM using one certificate that they all share or with individual certificates for each node. The KeyControl Vault nodes can also be connected to multiple HSM servers that have been configured as an HA Group to allow for High Availability. For more information, see Configuring KeyControl Vault as a Luna HSM Client with a Single Cluster Certificate and Configuring KeyControl Vault as a Luna HSM Client with Individual Node Certificates.
Note: If you have a Luna HSM server with the ipcheck feature enabled, you must use unique node certificates.
- The Luna client version 10.2 is included in KeyControl Vault 5.1.2 and greater. Luna client 10.2 is compatible with HSMs running Luna 6.2.1 or higher.
- Bandwidth recommendation:
  - Minimum: 10 Mbps half duplex
  - Recommended: 100 Mbps full duplex
- Latency recommendation:
  - Maximum: 500 ms
  - Recommended: 0.5 ms
- TCP port 1792 is required to establish a trusted connection between KeyControl Vault and Luna. The other ports used are:
  - TCP port 22 for SSH (Secure Shell).
  - TCP port 1503 for Remote PED. This is the only configurable port.
  - UDP port 514 for the Syslog service.
  - UDP port 123 for NTP service.
  - UDP ports 161/162 for SNMP service.
For additional details, see your Luna HSM documentation.
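A preflight check an operator could run from a KeyControl Vault node before pairing it with a Luna HSM, as an added example (not Entrust's tooling): it probes TCP port 1792 and rates the connect round-trip time against the 500 ms maximum and 0.5 ms recommendation above. The HSM host name is a placeholder.

```python
"""Preflight connectivity and latency check for a KeyControl Vault node
pairing with a Luna HSM (added example, not Entrust's tooling).
Thresholds come from the requirements above: TCP 1792 for the trusted
connection, latency maximum 500 ms, recommended 0.5 ms."""
import socket
import time

LUNA_TRUST_PORT = 1792        # required for the KeyControl <-> Luna trusted connection
LATENCY_MAX_MS = 500.0        # stated maximum
LATENCY_RECOMMENDED_MS = 0.5  # stated recommendation


def tcp_probe(host, port, timeout=3.0, samples=3):
    """Open a TCP connection `samples` times and return
    (reachable, best round-trip time in ms). Connect time is used as a
    latency proxy; nothing is sent and the socket is closed immediately."""
    best = None
    for _ in range(samples):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:
            return False, None
        rtt_ms = (time.perf_counter() - start) * 1000.0
        best = rtt_ms if best is None else min(best, rtt_ms)
    return True, best


def rate_latency(rtt_ms):
    """Classify a measured latency against the documented thresholds."""
    if rtt_ms is None:
        return "unreachable"
    if rtt_ms > LATENCY_MAX_MS:
        return "fail"   # above the 500 ms maximum
    if rtt_ms > LATENCY_RECOMMENDED_MS:
        return "warn"   # within the maximum but above the 0.5 ms recommendation
    return "ok"


def preflight(host, port=LUNA_TRUST_PORT):
    """Run the probe and return a summary dict suitable for logging."""
    reachable, rtt_ms = tcp_probe(host, port)
    return {"host": host, "port": port, "reachable": reachable,
            "rtt_ms": rtt_ms, "latency": rate_latency(rtt_ms)}


if __name__ == "__main__":
    # Placeholder: replace with the Luna HSM address configured in KeyControl Vault.
    print(preflight("luna-hsm.example.internal"))
```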