HashiCorp Experimental - Create Vault encryption key using nShield ML-DSA
The Vault encryption key can be created with the ML-DSA post-quantum algorithm. Entrust has successfully tested this with the following nShield HSM hardware and software versions:
nShield 5c

| Security World Software | Firmware | Netimage | OCS | Softcard | Module |
|---|---|---|---|---|---|
| 13.9.3 (STS 4) | 13.8.4 | 13.9.3 | ✓ | ✓ | ✓ |

Connect XC

| Security World Software | Firmware | Netimage | OCS | Softcard | Module |
|---|---|---|---|---|---|
| 13.9.3 (STS 4) | 13.8.3 | 13.9.3 | ✓ | ✓ | ✓ |
Use the following commands to generate the Vault encryption key in the Create the Vault encryption and HMAC keys section.
- Create the Vault encryption key `vault_encript_key_pq_ocs` with OCS protection.

  ```
  # generatekey --generate --batch -m 1 pkcs11 type=MLDSA scheme=MLDSA87 protect=token cardset=testOCS plainname=vault_encript_key_pq_ocs
  key generation parameters:
   operation    Operation to perform            generate
   application  Application                     pkcs11
   module       Module to use                   1
   protect      Protected by                    token
   slot         Slot to read cards from         0
   recovery     Key recovery                    yes
   verify       Verify security of key          yes
   type         Key type                        MLDSA
   scheme       Parameter set                   MLDSA87
   plainname    Key name                        vault_encript_key_pq_ocs
   nvram        Blob in NVRAM (needs ACS)       no
  Loading `testOCS':
   Module 1: 0 cards of 1 read
   Module 1 slot 2: `testOCS' #4
   Module 1 slot 0: empty
   Module 1 slot 3: empty
   Module 1 slot 4: empty
   Module 1 slot 5: empty
   Module 1 slot 2:- passphrase supplied - reading card
  Card reading complete.
  Key successfully generated.
  Path to key: /opt/nfast/kmdata/local/key_pkcs11_uc321b143185fc939504893270ed821ba4ed38319a-96d5a9ebbf542216a7d8bff65c17f44957fdf119
  ```

- Create the Vault encryption key `vault_encript_key_pq_sc` with softcard protection.

  ```
  # generatekey --generate --batch -m 1 pkcs11 type=MLDSA scheme=MLDSA87 protect=softcard cardset=testSC plainname=vault_encript_key_pq_sc
  key generation parameters:
   operation    Operation to perform            generate
   application  Application                     pkcs11
   module       Module to use                   1
   protect      Protected by                    softcard
   softcard     Soft card to protect key        testSC
   recovery     Key recovery                    yes
   verify       Verify security of key          yes
   type         Key type                        MLDSA
   scheme       Parameter set                   MLDSA87
   plainname    Key name                        vault_encript_key_pq_sc
   nvram        Blob in NVRAM (needs ACS)       no
  Please enter the pass phrase for softcard `testSC':
  Please wait........
  Key successfully generated.
  Path to key: /opt/nfast/kmdata/local/key_pkcs11_uc644529aad18eeed9de372779e829f48757e617cd-f814c86358b447af60a42df03b371cfbacfa5cd6
  ```

- Create the Vault encryption key `vault_encript_key_pq_m` with module protection.

  ```
  # generatekey --generate --batch -m 1 pkcs11 type=MLDSA scheme=MLDSA87 protect=module plainname=vault_encript_key_pq_m
  key generation parameters:
   operation    Operation to perform            generate
   application  Application                     pkcs11
   module       Module to use                   1
   protect      Protected by                    module
   verify       Verify security of key          yes
   type         Key type                        MLDSA
   scheme       Parameter set                   MLDSA87
   plainname    Key name                        vault_encript_key_pq_m
   nvram        Blob in NVRAM (needs ACS)       no
  Key successfully generated.
  Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua667c50e54831986514dea18f7c2b745b56ec001a
  ```

- Verify the keys created using the `rocs` utility:

  ```
  # rocs
  `rocs' key recovery tool
  Useful commands: `help', `help intro', `quit'.
  rocs> list keys
    No. Name                     App      Protected by
      1 vault_encript_key_pq_ocs pkcs11   testOCS
      2 vault_encript_key_pq_sc  pkcs11   testSC (testSC)
      3 vault_encript_key_pq_m   pkcs11   module
      4 vault_hmac_key_ocs       pkcs11   testOCS
      5 vault_hmac_key_sc        pkcs11   testSC (testSC)
      6 vault_hmac_key_m         pkcs11   module
  rocs> quit
  ```
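The three generatekey invocations above differ only in the protection type and, for OCS and softcard protection, the cardset name, and the rocs listing is the place to confirm that each key really ended up with the protection it was meant to have. The following shell script is an added example and is not part of the Entrust guide or the nShield tooling: it builds the generatekey command line for any of the three protection types (generalising the three commands above) and checks a `rocs` "list keys" listing against the expected protection for each key, so that a key intended for OCS or softcard protection that shows up as module-protected is caught before Vault is pointed at it. It assumes the key names and the cardset/softcard names testOCS and testSC from the guide; the listing text is constructed inline in the format rocs prints, and generatekey itself is never executed, only printed.

```shell
#!/bin/sh
# Added example, not part of the Entrust guide: builds the generatekey command line
# for each nShield protection type used above and checks a rocs "list keys" listing
# so that every key ends up protected the way it was meant to be (a key meant for
# OCS protection that shows "module" is the mistake this catches).
# Assumptions: the key names and the cardset/softcard names testOCS and testSC come
# from the guide; the listing below is constructed in the format rocs prints;
# generatekey is never executed here, the command lines are only printed.

# gen_cmd PROTECT NAME [CARDSET]: print the generatekey invocation for one ML-DSA-87 key.
gen_cmd() {
  protect=$1; name=$2; cardset=$3
  case "$protect" in
    token|softcard)
      [ -n "$cardset" ] || { echo "cardset required for protect=$protect" >&2; return 1; }
      echo "generatekey --generate --batch -m 1 pkcs11 type=MLDSA scheme=MLDSA87 protect=$protect cardset=$cardset plainname=$name"
      ;;
    module)
      echo "generatekey --generate --batch -m 1 pkcs11 type=MLDSA scheme=MLDSA87 protect=module plainname=$name"
      ;;
    *)
      echo "unknown protection type: $protect" >&2; return 1
      ;;
  esac
}

# Constructed sample of the "rocs> list keys" output shown in the guide.
ROCS_LISTING='  No. Name                     App      Protected by
    1 vault_encript_key_pq_ocs pkcs11   testOCS
    2 vault_encript_key_pq_sc  pkcs11   testSC (testSC)
    3 vault_encript_key_pq_m   pkcs11   module
    4 vault_hmac_key_ocs       pkcs11   testOCS
    5 vault_hmac_key_sc        pkcs11   testSC (testSC)
    6 vault_hmac_key_m         pkcs11   module'

# key_protection LISTING NAME: print the "Protected by" column of a pkcs11 key, fail if absent.
key_protection() {
  printf '%s\n' "$1" | awk -v n="$2" '
    $2 == n && $3 == "pkcs11" { $1 = ""; $2 = ""; $3 = ""; sub(/^ +/, ""); print; found = 1 }
    END { exit (found ? 0 : 1) }'
}

# check_key LISTING NAME EXPECTED: succeed only if NAME is listed and its protection
# starts with EXPECTED (an OCS or softcard name, or the word module).
check_key() {
  actual=$(key_protection "$1" "$2") || { echo "$2: not in listing" >&2; return 1; }
  case "$actual" in
    "$3"|"$3 "*) return 0 ;;
    *) echo "$2: protected by '$actual', expected '$3'" >&2; return 1 ;;
  esac
}

# Stand-alone run: print the three commands, then verify the sample listing.
for spec in "token vault_encript_key_pq_ocs testOCS" \
            "softcard vault_encript_key_pq_sc testSC" \
            "module vault_encript_key_pq_m"; do
  set -- $spec
  gen_cmd "$1" "$2" "$3"
  check_key "$ROCS_LISTING" "$2" "${3:-module}" && echo "ok: $2 protected by ${3:-module}"
done
```

In a real deployment the listing would be captured with something like `rocs` driven non-interactively, but the check itself is the same: every key name you expect must be present, and the "Protected by" column must name the cardset or softcard you intended rather than falling back to module protection.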