Introduction

This guide describes the integration of the Entrust nShield Hardware Security Module (HSM) with Amazon Web Services KMS External Key Store (XKS).

The HSM is available as an appliance or nShield as a Service (nSaaS). Throughout this guide, the term HSM refers to nShield Solo, nShield Connect, and nShield Edge products.

Product configuration

Entrust tested the integration with the following versions:

Product            Version
Operating System   AWS Linux

Before proceeding with the integration of AWS XKS and the nShield HSM, note that the following sections use an AWS Linux EC2 instance as the example operating system. The choice of Linux distribution may vary based on your organization’s preferences and toolset; adapt the process to your specific requirements and infrastructure.

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions:

nShield

Product      Security World Software   Firmware                                                            Netimage            OCS   Softcard   Module
nSaaS        13.3.2                    12.72.1 (FIPS 140-2 certified)                                      12.80.5
Connect XC   13.3.2                    12.50.11 (FIPS 140-2 certified) & 12.72.1 (FIPS 140-2 certified)   12.80.4 & 12.80.5
nShield 5c   13.3.2                    13.2.2                                                              13.3.2

Requirements

To integrate the HSM and Amazon Web Services KMS External Key Store (XKS), the server must be set up as follows.

The following software must be installed:

  • nShield Security World software.

Access to the AWS KMS XKS Proxy GitHub repository is required to download the software: https://github.com/aws-samples/aws-kms-xks-proxy/.

This integration uses public endpoint connectivity for AWS XKS. The following are required:

  • Your external key store proxy must be reachable at a publicly routable endpoint.

  • You must obtain a TLS certificate issued by a public certificate authority supported for external key stores. For a list, see https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities.

  • The subject common name (CN) on the TLS certificate must match the domain name in the proxy URI endpoint for the external key store proxy. For example, if the public endpoint is https://myproxy.xks.example.com, the CN on the TLS certificate must be myproxy.xks.example.com or *.xks.example.com.

  • Ensure that any firewalls between AWS KMS and the external key store proxy allow traffic to and from port 443 on the proxy. AWS KMS communicates on port 443 and this value is not configurable.
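The endpoint requirements above are easy to get wrong before the proxy is ever exposed, so the following pre-flight check is an added example (not part of this guide or of the aws-kms-xks-proxy project). It parses a proxy URI, confirms the scheme is HTTPS on port 443, and verifies that the certificate's subject CN or one of its DNS names matches the proxy host, applying the single-label wildcard rule illustrated by *.xks.example.com. Certificate names are supplied as plain strings so the check runs offline; in practice you would read them from the certificate issued by the public CA. The function names and the sample values are assumptions made for this example.

```python
"""Pre-flight check for XKS proxy endpoint requirements (added example, not
part of the Entrust guide or the aws-kms-xks-proxy project)."""
from __future__ import annotations

from urllib.parse import urlsplit


def proxy_host_and_port(uri: str) -> tuple[str, int]:
    """Return (hostname, port) for a proxy URI, rejecting anything but HTTPS.

    A URI without an explicit port defaults to 443, which is the only port
    AWS KMS uses to reach the proxy.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"proxy URI must be https://<host>[:port][/path]: {uri!r}")
    return parts.hostname.lower(), parts.port or 443


def name_matches(cert_name: str, host: str) -> bool:
    """Match one certificate name (CN or DNS SAN) against the proxy host.

    Accepts an exact, case-insensitive match, or a name whose leading '*'
    label stands in for exactly one host label. '*.xks.example.com' therefore
    covers 'myproxy.xks.example.com' but neither 'xks.example.com' itself nor
    'deep.myproxy.xks.example.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[2:]
        one_label_deeper = len(host.split(".")) == len(suffix.split(".")) + 1
        return one_label_deeper and host.endswith("." + suffix)
    return False


def check_proxy_endpoint(uri: str, cert_names: list[str]) -> list[str]:
    """Return a list of findings; an empty list means the requirements are met."""
    try:
        host, port = proxy_host_and_port(uri)
    except ValueError as exc:
        return [str(exc)]
    findings: list[str] = []
    if port != 443:
        findings.append(
            f"AWS KMS only connects on port 443, but the proxy URI uses port {port}"
        )
    if not any(name_matches(name, host) for name in cert_names):
        findings.append(
            f"no certificate name matches proxy host {host!r}: {cert_names}"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample values: the endpoint from the guide's own example,
    # checked against a wildcard certificate and against a mismatched one.
    endpoint = "https://myproxy.xks.example.com"
    for names in (["*.xks.example.com"], ["*.example.com"]):
        result = check_proxy_endpoint(endpoint, names)
        print(f"{names}: {'OK' if not result else result}")
```

Run the check against the proxy URI you intend to register with AWS KMS and the names on the certificate you obtained; any finding it reports would also cause the external key store connection to fail, so it is cheaper to catch here.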

Familiarize yourself with:

  • The nShield HSM: Installation Guide and User Guide.

  • The Amazon Web Services KMS External Key Store (XKS) Documentation https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html.

  • Your organizational certificate policy and certificate practice statement, and a security policy or procedure covering administration of the PKI and HSM, including:

  • The number and quorum of Administrator cards in the Administrator Card Set (ACS) and the policy for managing these cards.

  • The number and quorum of operator cards in the operator card set (OCS) and the policy for managing these cards.

  • The keys protection method: module or OCS.

  • The level of compliance required for the Security World (FIPS 140 Level 3).

  • Key attributes such as key size, time-out, or need for auditing key usage.

Overview

AWS KMS External Key Store addresses regulatory requirements for storing encryption keys outside the AWS Cloud. With this feature, you can now keep your AWS KMS customer managed keys on your own Entrust nShield Hardware Security Module (HSM) rather than within the AWS data centers.

To enable AWS KMS External Key Store, you will replace the KMS key hierarchy with a new, external root of trust. The root keys will be generated and stored inside your nShield HSM. When encryption or decryption of a data key is required, AWS KMS forwards the request to your nShield HSM via an external key store proxy (XKS proxy) that you manage.

The XKS proxy mediates all interactions between AWS KMS and your Entrust nShield HSM. It translates generic AWS KMS requests into operations the nShield HSM understands, so that neither side needs to know the other's native interface.