Enabling a Hardware Security Module (HSM)

A hardware security module (HSM) is a physical device that stores, protects, and manages encryption key material. An HSM is often used to do cryptographic processing as well, including the generation of secure cryptographic keys. It is used in a client-server environment, which means that the server and the client each need to be prepared in advance. As with KMIP, the advantage of an HSM is that it protects and stores critical data such as your Admin Key.

Network Requirements and Recommendations

These instructions are built around the SafeNet LUNA SA hardware security module, from Gemalto.

Bandwidth recommendation:
- Minimum: 10 Mbps half duplex
- Recommended: 100 Mbps full duplex
Latency recommendation:
- Maximum: 500 ms
- Recommended: 0.5 ms

Configuring Your KeyControl to Work as an HSM Client

To enable an HSM server in HyTrust DataControl, you need to gather certain information in advance:

the HSM server name
the HSM server username
the HSM server certificate
the Admin password on that server
the partition name on that server
the partition password on that server
the Client name

These appear in the following screen shot:

Enabling an HSM Server

To enable an HSM server, take the following steps. Note that these steps are effective for the entire cluster.

Download the HSM server certificate. You will need this in the next step.

# scp admin@<HSM Server>:server.pem .
Log in to your KeyControl server. Click the Settings icon, and then click HSM Server Settings. Fill in the fields as follows, clicking Save after each entry:
- State: Click to fill the checkbox as Enabled.
- Hostname: Enter the hostname of the HSM server.
- Partition Label: Enter the label for the partition.
- Partition Password: Enter the password for the partition.
- Server Certificate: Browse to and select the server certificate that you downloaded in the previous step.
- Client Name: Enter the name of the client.
Click to download the Client Certificate that matches the Client Name, entered above. Taking the name in the screen shot, we look for KC_Cluster.pem, and then upload it to the HSM server, using its hostname, like this:

# scp /KC_Cluster.pem admin@<HSM-Server>:
Using a shell account, log into the HSM server and delete the previous client if there is one, register the new one, and assign the Partition to this new client, as follows:
- lunash:> client delete -client KC_Cluster
- lunash:> client register -client KC_Cluster -hostname KC_Cluster
- lunash:> client assignPartition -client KC_Cluster -partition KC_partition
Return to your KeyControl HSM Server Settings page, and click Test. You should see a page that shows HSM connection OK. Need to regenerate admin key.
Generate a new Admin Key: click the Settings Icon, then Admin Key Parts > Generate New Key > Test. You should receive the following message showing your success.

Your KeyControl is now set up as an HSM client.

Open topic with navigation