Introduction

HashiCorp Vault Enterprise (referred to as Vault in this guide) supports the creation/storage of keys within Hardware Security Modules (HSMs). Entrust nShield HSMs provide FIPS or Common Criteria certified solutions to securely generate, encrypt, and decrypt the keys which provide the root of trust for the Vault protection mechanism.

This guide describes how to integrate Vault with an nShield HSM to:

Offload select PKI operations to the HSMs.
Generate new PKI key pairs and certificates.
Verify and sign certificate workflows.

Product configurations

Entrust has successfully tested nShield HSM integration with Vault in the following configurations:

Product	Version
HashiCorp Vault Enterprise	v1.18.0 Enterprise HSM
Base OS	Red Hat Enterprise 9.5

Product

Version

HashiCorp Vault Enterprise

v1.18.0 Enterprise HSM

Base OS

Red Hat Enterprise 9.5

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature	Support
Softcards	Yes
Module Only Key	Yes
OCS cards	Yes
nSaaS	Supported but not tested

Feature

Support

Softcards

Yes

Module Only Key

Yes

OCS cards

Yes

nSaaS

Supported but not tested

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

nShield 5c

Security World Software	Firmware	Netimage	OCS	Softcard	Module
13.6.3	13.4.5 (FIPS 140-3 certified)	13.6.5	✓	✓	✓

Security World Software

Firmware

Netimage

OCS

Softcard

Module

13.6.3

13.4.5 (FIPS 140-3 certified)

13.6.5

✓

Connect XC

Security World Software	Firmware	Netimage	OCS	Softcard	Module
13.6.3	12.72.3 (FIPS 140-2 certified)	13.6.5	✓	✓	✓
13.4.4	12.60.15 (CC certified)	13.3.2	✓	✓	✓

Security World Software

Firmware

Netimage

OCS

Softcard

Module

13.6.3

12.72.3 (FIPS 140-2 certified)

13.6.5

✓

13.4.4

12.60.15 (CC certified)

13.3.2

✓

Supported nShield key types

Entrust has successfully tested with the following Vault managed keys:

RSA
ECDSA

Requirements

A dedicated Linux server is needed for the installation of Vault.
Network environment setup, via correct firewall configuration with usable ports: 9004 for the HSM and 8200 for Vault.
HashiCorp Vault Enterprise Modules license, which is required for using Vault with Hardware Security Modules.

Before installing these products, read the associated nShield HSM Installation Guide, User Guide, and the Vault documentation. This guide assumes familiarity with the following:

The importance of a correct quorum for the Administrator Card Set (ACS).
Whether Operator Card Set (OCS) protection or Softcard protection is required.
If OCS protection is to be used, a 1-of-N quorum must be used.
Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
Whether to instantiate the Security World as recoverable or not.

More information

For more information about OS support, contact your HashiCorp Vault Enterprise sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.