Introduction

HashiCorp Vault Enterprise (referred to as Vault in this guide) supports the creation/storage of keys within Hardware Security Modules (HSMs). Entrust nShield HSMs (referred to as HSM in this guide) provide FIPS or Common Criteria certified solutions to securely generate, encrypt, and decrypt the keys which provide the root of trust for the Vault protection mechanism.

This guide describes how to integrate Vault with an HSM to:

Offload select PKI operations to the HSM.
Generate new PKI key pairs and certificates.
Verify and sign certificate workflows.

Product configurations

Entrust has successfully tested nShield HSM integration with Vault in the following configurations:

Product	Version
HashiCorp Vault Enterprise	v1.19.0 Enterprise HSM
Base OS	Red Hat Enterprise 9.5

Product

Version

HashiCorp Vault Enterprise

v1.19.0 Enterprise HSM

Base OS

Red Hat Enterprise 9.5

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature	Support
Softcards	Yes
Module Only Key	Yes
OCS cards	Yes
nSaaS	Supported but not tested

Feature

Support

Softcards

Yes

Module Only Key

Yes

OCS cards

Yes

nSaaS

Supported but not tested

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield HSM hardware and software versions:

nShield 5c

Security World Software	Firmware	Netimage	OCS	Softcard	Module
13.6.8	13.4.5 (FIPS 140-3 certified)	13.6.7	✓	✓	✓

Security World Software

Firmware

Netimage

OCS

Softcard

Module

13.6.8

13.4.5 (FIPS 140-3 certified)

13.6.7

✓

Connect XC

Security World Software	Firmware	Netimage	OCS	Softcard	Module
13.6.8	12.72.3 (FIPS 140-2 certified)	13.6.7	✓	✓	✓
13.4.8	12.60.15 (CC certified)	13.3.2	✓	✓	✓

Security World Software

Firmware

Netimage

OCS

Softcard

Module

13.6.8

12.72.3 (FIPS 140-2 certified)

13.6.7

✓

13.4.8

12.60.15 (CC certified)

13.3.2

✓

Supported nShield key types

Entrust has successfully tested with the following Vault managed keys:

RSA
ECDSA

Requirements

Access to the Entrust TrustedCare Portal.
Access to HashiCorp Vault Enterprise Module license from your HashiCorp sales representative.
A dedicated Linux server.
Network environment with usable port 9004 for the HSM and 8200 for Vault.

Familiarize yourself with the nShield Documentation.

The importance of a correct quorum for the Administrator Card Set (ACS).
Whether Operator Card Set (OCS) protection or Softcard protection is required.
If OCS protection is to be used, a 1-of-N quorum must be used.
Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For more information see FIPS 140 Level 3 compliance.
Whether to instantiate the Security World as recoverable or not.