Adding HSM Root-of-Trust to nShield Server

HSM Root-of-Trust provides enhanced protection for the contents of the object store. Root-of-Trust is gained when the HSM provides the cryptographic keys necessary to unlock the object store.

If the HSM cannot be contacted when KeyControl Vault boots, or if the correct keys cannot be located, trust cannot be established with the HSM and KeyControl Vault is not allowed to begin servicing key requests.

Important: Creating an HSM Root-of-Trust is not reversible. Once the HSM Root-of-Trust is enabled, you cannot remove the HSM. Contact Entrust Support to disable it.

  1. Log into the KeyControl Vault Appliance Management webGUI using an account with Security Admin privileges.

  2. In the top menu bar, click Settings.
  3. In the System Settings section, click HSM Server Settings.
  4. On the nShield HSM Server Settings page, select the HSM Root-of-Trust mode that you want to use:

    • Root-of-Trust mode using HWSIG—The hardware signature is used to wrap the HSM configuration file. Unless there is a change to KeyControl Vault's hardware configuration, booting KeyControl Vault will require no user intervention before it can begin servicing requests.

      Changes to the virtual machine configuration may require the HSM configuration to be recovered. When this happens, the normal KeyControl Vault Masterkey Recovery procedure is used, which requires the admin key that was downloaded when KeyControl Vault was installed.

    • Root-of-Trust mode using Password—The HSM's softcard password is used to wrap the HSM configuration file. When KeyControl Vault boots, the webGUI will prompt for the HSM password. Only when the password is correctly entered is KeyControl Vault allowed to begin booting.

      The HSM password must be entered on each node of the cluster. For instance, if the entire cluster is restarted, it will only begin servicing requests once the password has been entered on all of the nodes in the cluster.

  5. Select the HSM Root-of-Trust Timeout value in minutes and click Save.

    You can select up to 1440 minutes (1 day).

    Note: If the HSM connection is lost and is still unavailable after the timeout period, KeyControl Vault will be locked down and will not respond to any requests. After resolving the connection issue, reboot the KeyControl Vault node to re-enable it.

    Set the timeout value to 0 to prevent the KeyControl Vault node from being locked down.

  6. Click Apply.
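The timeout behaviour in step 5 has three cases worth seeing side by side: the node keeps serving while the HSM is reachable, it locks down once the HSM has been unreachable for the full timeout, and a lock-down only clears on reboot, with a timeout of 0 disabling lock-down entirely. The following is an added illustrative model of that logic written for this page; it is not Entrust's code, and the class, method and state names (RootOfTrustWatchdog, observe, reboot, "serving", "degraded", "locked_down", "boot_blocked") are assumptions chosen for the example.

```python
"""Simulation of KeyControl Vault's HSM Root-of-Trust timeout and lock-down
semantics as described in the documentation. Illustrative model only (not
the product's code); all names here are assumptions for the example."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_TIMEOUT_MINUTES = 1440  # documented maximum: 1 day


@dataclass
class RootOfTrustWatchdog:
    timeout_minutes: int             # 0 means the node is never locked down
    locked_down: bool = False
    # Minute at which the HSM was first observed unreachable; None while reachable.
    _unreachable_since: Optional[float] = None

    def __post_init__(self) -> None:
        # Mirror the GUI's allowed range for the timeout setting.
        if not 0 <= self.timeout_minutes <= MAX_TIMEOUT_MINUTES:
            raise ValueError("timeout must be between 0 and 1440 minutes")

    def observe(self, now_min: float, hsm_reachable: bool) -> str:
        """Feed one HSM health-check result and return the node's state."""
        if self.locked_down:
            # A locked-down node ignores requests until it is rebooted,
            # even if the HSM has come back in the meantime.
            return "locked_down"
        if hsm_reachable:
            self._unreachable_since = None
            return "serving"
        if self._unreachable_since is None:
            self._unreachable_since = now_min
        if self.timeout_minutes == 0:
            return "degraded"  # HSM unavailable, but lock-down is disabled
        if now_min - self._unreachable_since >= self.timeout_minutes:
            self.locked_down = True
            return "locked_down"
        return "degraded"

    def reboot(self, hsm_reachable: bool) -> str:
        """Reboot the node: lock-down clears, but trust must be re-established
        with the HSM before the node may service requests."""
        self.locked_down = False
        self._unreachable_since = None
        return "serving" if hsm_reachable else "boot_blocked"


def simulate(timeout_minutes: int,
             observations: List[Tuple[float, bool]]) -> List[str]:
    """Run a sequence of (minute, hsm_reachable) observations through one node."""
    watchdog = RootOfTrustWatchdog(timeout_minutes)
    return [watchdog.observe(t, ok) for t, ok in observations]


if __name__ == "__main__":
    # Constructed sample timeline: HSM drops out at minute 5 and returns at 40.
    timeline = [(0, True), (5, False), (10, False), (35, False), (40, True)]
    print("timeout=30:", simulate(30, timeline))
    print("timeout=0: ", simulate(0, timeline))
```

With a 30-minute timeout the node enters lock-down at minute 35 (30 minutes after the outage began) and stays there even when the HSM returns at minute 40, matching the note that the node must be rebooted to re-enable it; with a timeout of 0 it merely reports degraded and resumes serving as soon as the HSM is back.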