Introduction
HashiCorp Vault Enterprise (referred to as Vault in this guide) supports the creation/storage of keys within Hardware Security Modules (HSMs). Entrust nShield HSMs provide FIPS or Common Criteria certified solutions to securely generate, encrypt, and decrypt the keys which provide the root of trust for the Vault protection mechanism.
This guide describes how to integrate Vault with an nShield HSM to:
- Offload select PKI operations to the HSMs.
- Generate new PKI key pairs and certificates.
- Verify and sign certificate workflows.
Product configurations
Entrust has successfully tested nShield HSM integration with Vault in the following configurations:
Product | Version |
---|---|
HashiCorp Vault Enterprise | v1.18.0 Enterprise HSM |
Base OS | Red Hat Enterprise 9.5 |
Supported nShield features
Entrust has successfully tested nShield HSM integration with the following features:
Feature | Support |
---|---|
Softcards | Yes |
Module Only Key | Yes |
OCS cards | Yes |
nSaaS | Supported but not tested |
Supported nShield hardware and software versions
Entrust has successfully tested with the following nShield hardware and software versions:
Requirements
- A dedicated Linux server is needed for the installation of Vault.
- Network environment setup, via correct firewall configuration with usable ports: 9004 for the HSM and 8200 for Vault.
- HashiCorp Vault Enterprise Modules license, which is required for using Vault with Hardware Security Modules.
Before installing these products, read the associated nShield HSM Installation Guide, User Guide, and the Vault documentation. This guide assumes familiarity with the following:
- The importance of a correct quorum for the Administrator Card Set (ACS).
- Whether Operator Card Set (OCS) protection or Softcard protection is required.
- If OCS protection is to be used, a 1-of-N quorum must be used.
- Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM. Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
- Whether to instantiate the Security World as recoverable or not.
More information
For more information about OS support, contact your HashiCorp Vault Enterprise sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.