Introduction

This document describes the integration of BeyondTrust Password Safe with an nShield Hardware Security Module (HSM).

Password Safe communicates with HSMs using a PKCS #11 API. nShield HSMs include a PKCS #11 driver with their client software installation. This allows applications to use the device without requiring specific knowledge of the make, model, or configuration of the HSM.

The Password Safe integration HSM treats the HSM as an external API that only requires credentials. Advanced configurations and features, such as high-availability implementations, are typically transparent in Password Safe. For example, the client software may allow a group of multiple HSMs to be presented as a single token in a single slot. In this case, Password Safe would access the group the same way it would access a single HSM. Configuring the group and synchronizing key data is outside the scope of the Password Safe software and must be performed according to the guidelines for the specific hardware.

Password Safe use of HSM credentials

  • Password Safe only uses one set of HSM credentials to encrypt any stored credential at a given time.

  • Password Safe always encrypts new or edited credentials using the latest stored set of HSM credentials.

  • Password Safe supports legacy HSM credentials. Credentials that were encrypted using an older set of HSM credentials are still accessible if the HSM credential used to encrypt it has not been deleted manually.

  • Archived HSM credentials remain in the Password Safe database until they are manually deleted.

Prerequisites

  • The Password Safe server: A Windows Server that has Password Safe installed and the Password Safe database configured.

  • A supported HSM: Configured and accessible to the Password Safe application server.

    Before configuring the nShield HSM with Password Safe, the HSM client software must be installed and configured. Follow the Installation Guide and User Guide for the HSM and use the tools in the HSM client software suite.

  • The path to both the 32-bit and 64-bit PKCS #11 drivers.

    These are included in the client software and are listed in Installation Guide for your HSM. Both driver locations are required during HSM configuration.

  • The name of the token to which Password Safe should connect.

    This is specified as part of the HSM configuration process.

  • The PIN or password for an HSM user who can create and use keys.

    This is specified as part of the HSM configuration process.

  • There must be no other credentials configured in the database when the HSM configuration procedure is executed.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

Product configurations

Entrust has successfully tested nShield HSM integration with Password Safe in the following configurations:

Product Version

Operating System

Windows Server 2022 Standard Desktop Version

Password Safe

Password Safe 23.1

SQL Server

Microsoft SQL Server 2019

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions:

nShield

Product Security World Software Firmware Netimage OCS Softcard Module

nSaaS

13.3.2

12.72.1 (FIPS 140-2 certified)

12.80.5

Connect XC

13.3.2

12.50.11 (FIPS 140-2 certified) & 12.72.1 (FIPS 140-2 certified)

12.80.4 & 12.80.5

nShield 5c

13.3.2

13.2.2

13.3.2

More information

For more information, see the User Guide and Installation Guide for your HSM or contact Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.