Adding HSM Root-of-Trust to nShield Server

HSM Root-of-Trust provides enhanced protection for the contents of the object store. Root-of-Trust is gained when the HSM provides the cryptographic keys necessary to unlock the object store.

If the HSM cannot be contacted when KeyControl boots, or if the correct keys cannot be located, trust cannot be established with the HSM and KeyControl is not allowed to begin servicing key requests.

Important: Creating an HSM Root-of-Trust is not reversible. Once the HSM Root-of-Trust is enabled, you cannot remove the HSM. Contact Entrust Support to disable it.

  1. Log into the KeyControl Vault Management webGUI using an account with Security Admin privileges.

  2. In the top menu bar, click Settings.

  3. In the System Settings section, click HSM Server Settings.

  4. On the nShield HSM Server Settings page, select the HSM Root-of-Trust mode that you want to use:

    • Root-of-Trust mode using HWSIG—The hardware signature is used to wrap the HSM configuration file. Unless there is a change to KeyControl's hardware configuration, booting KeyControl will require no user intervention before it can begin servicing requests.

      Virtual machine configuration changes may change the hardware signature, in which case the HSM configuration must be recovered. When this happens, the normal KeyControl Masterkey Recovery procedure is used, which requires the admin key that was downloaded when KeyControl was installed.

    • Root-of-Trust mode using Password—The HSM's softcard password is used to wrap the HSM configuration file. When KeyControl boots, the WebGUI will prompt for the HSM password. Only when the password is correctly entered is KeyControl allowed to begin booting.

      The HSM password must be entered on each node of the cluster. For instance, if the entire cluster is restarted, it will only begin servicing requests once the password has been entered on all of the nodes in the cluster.

  5. Select the HSM Root-of-Trust Timeout value in minutes and click Save.

    You can select up to 1440 minutes (1 day).

    Note: If a node is unable to connect to any HSM server, and still cannot connect when the timeout period expires, that KeyControl node is locked down and will not respond to any requests via the webGUI or API. Diagnostic logs are available from the system console using the KeyControl System Console. After resolving the connection issue, reboot the KeyControl node to re-enable it.

    When using the System Console to download the diagnostic logs, you will see the message “KeyControl Vault not initialised yet. Proceeding may potentially leave the system unusable.” This is expected, and enabling the htrestricted account will not cause a problem.

  6. Click Apply.