Hardware Security Modules with KeyControl
A hardware security module (HSM) is a physical appliance or PCI card that stores, protects, and manages cryptographic material. An HSM usually performs cryptographic processing as well, including the generation of keys inside the device. It operates in a client-server model, so the HSM (server) and each KeyControl node (client) must be prepared in advance. As with KMIP, the advantage of an HSM is that it protects and stores critical material such as your Admin Key and any Key Encryption Keys (KEKs) you have created for your Cloud VM Sets.
You can configure the nodes in your KeyControl cluster to either connect to the HSM using one certificate that they all share or with individual certificates for each node.
Note: If you have a SafeNet Luna SA server with the ipcheck feature enabled, you must use unique node certificates. With ipcheck on, the HSM rejects a client whose source IP address does not match the address registered with its certificate, so several nodes cannot present the same certificate.
KeyControl supports the SafeNet Luna HSM.
Requirements and Recommendations for SafeNet LUNA Servers
- The first release of KeyControl on the CentOS platform (KeyControl version 5.0) will not support SafeNet HA Groups. If you plan to upgrade KeyControl to version 5.0, do not configure KeyControl to connect to multiple HSM servers at this time; if you do, the configuration will have to be redone after the upgrade. SafeNet HA Groups will be supported on CentOS in a future KeyControl 5.x release.
- HyTrust supports all SafeNet Luna version 7 server releases and all version 6 servers from release 6.2.1 onward.
- Bandwidth recommendation:
  - Minimum: 10 Mbps half duplex
  - Recommended: 100 Mbps full duplex
- Latency recommendation:
  - Maximum: 500 ms
  - Recommended: 0.5 ms
- TCP port 1792 (the NTLS link) must be open from every KeyControl node to the SafeNet HSM; this is the trusted connection over which KeyControl talks to the HSM. The other ports used by SafeNet are:
  - TCP port 22 for SSH (Secure Shell).
  - TCP port 1503 for Remote PED. This is the only configurable port.
  - UDP port 514 for the Syslog service.
  - UDP port 123 for the NTP service.
  - UDP ports 161/162 for the SNMP service.
For additional details, see your SafeNet documentation.
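The port and latency requirements above are the ones most often missed when a KeyControl node is placed behind a firewall or across a WAN from the HSM. The following script is an added example, not KeyControl or SafeNet code: it opens plain TCP connections from the node to the HSM, measures the TCP handshake time on port 1792 (and, optionally, SSH on 22), and grades the result against the 500 ms maximum and 0.5 ms recommendation. It does not speak NTLS or use the Luna client library, so it tells you the path is open and fast enough, not that the certificate exchange will succeed. The hostname `luna-hsm.example.internal` and the `DEFAULT_PORTS` map are assumptions; the Remote PED, syslog, NTP and SNMP ports serve other Luna functions and are deliberately not probed.

```python
"""Pre-flight network check from a KeyControl node to a SafeNet Luna HSM.

Added example: this is not HyTrust KeyControl or SafeNet code. It only opens
plain TCP connections and times the handshake; it does not perform the NTLS
certificate exchange. The hostname and DEFAULT_PORTS map are assumptions.
"""
import socket
import statistics
import sys
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the KeyControl latency recommendation above.
MAX_LATENCY_MS = 500.0
RECOMMENDED_LATENCY_MS = 0.5

# TCP ports worth probing from the KeyControl side. 1792 is the trusted
# KeyControl <-> HSM (NTLS) link and must be open; 22 is Luna SSH admin.
# Remote PED (1503/tcp), syslog (514/udp), NTP (123/udp) and SNMP
# (161-162/udp) are not exercised by a TCP connect and are left out.
DEFAULT_PORTS: Dict[int, Tuple[str, bool]] = {
    1792: ("NTLS trusted link", True),   # (service name, required?)
    22: ("SSH", False),
}


@dataclass
class PortResult:
    port: int
    service: str
    required: bool
    reachable: bool
    median_ms: Optional[float] = None   # median TCP connect time
    error: Optional[str] = None         # OS error text when unreachable


def tcp_connect_ms(host: str, port: int, timeout: float = 3.0) -> float:
    """Open and immediately close one TCP connection; return handshake ms."""
    start = time.perf_counter()
    with socket.create_connection((host, port), timeout=timeout):
        pass
    return (time.perf_counter() - start) * 1000.0


def probe_port(host: str, port: int, service: str, required: bool,
               samples: int = 5, timeout: float = 3.0) -> PortResult:
    """Connect several times so one slow handshake does not skew the result."""
    times: List[float] = []
    for _ in range(samples):
        try:
            times.append(tcp_connect_ms(host, port, timeout))
        except OSError as exc:   # refused, timed out, unreachable, filtered
            return PortResult(port, service, required, False, error=str(exc))
    return PortResult(port, service, required, True,
                      median_ms=statistics.median(times))


def check_hsm(host: str, ports: Optional[Dict[int, Tuple[str, bool]]] = None,
              samples: int = 5, timeout: float = 3.0) -> List[PortResult]:
    """Probe every port in the map (DEFAULT_PORTS unless overridden)."""
    ports = DEFAULT_PORTS if ports is None else ports
    return [probe_port(host, p, svc, req, samples, timeout)
            for p, (svc, req) in ports.items()]


def verdict(results: List[PortResult]) -> Tuple[bool, List[str]]:
    """ok is False if a required port is closed or exceeds the 500 ms maximum.
    Latency above the 0.5 ms recommendation is only a warning."""
    ok = True
    lines: List[str] = []
    for r in results:
        tag = "required" if r.required else "optional"
        if not r.reachable:
            ok = ok and not r.required
            lines.append(f"FAIL {r.port}/tcp {r.service} ({tag}): {r.error}")
        elif r.median_ms > MAX_LATENCY_MS:
            ok = ok and not r.required
            lines.append(f"FAIL {r.port}/tcp {r.service} ({tag}): median connect "
                         f"{r.median_ms:.1f} ms exceeds {MAX_LATENCY_MS:.0f} ms maximum")
        elif r.median_ms > RECOMMENDED_LATENCY_MS:
            lines.append(f"WARN {r.port}/tcp {r.service} ({tag}): median connect "
                         f"{r.median_ms:.2f} ms is above the {RECOMMENDED_LATENCY_MS} ms recommendation")
        else:
            lines.append(f"OK   {r.port}/tcp {r.service} ({tag}): median connect {r.median_ms:.2f} ms")
    return ok, lines


if __name__ == "__main__":
    # Assumed hostname; pass the real HSM address as the first argument.
    hsm = sys.argv[1] if len(sys.argv) > 1 else "luna-hsm.example.internal"
    ok, report = verdict(check_hsm(hsm))
    print("\n".join(report))
    sys.exit(0 if ok else 1)
```

Run it from each KeyControl node (not from a jump host), since the ipcheck and firewall rules that matter are the ones on the node-to-HSM path; a FAIL on 1792 from one node but not another usually points to a per-node firewall rule or a missing client registration rather than a problem with the HSM itself.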