Introduction

HashiCorp Vault (referred to as Vault in this guide) protects your organization’s credentials and confidential assets and provides secure access control to them through a process of secret leasing, renewal, and revocation. Entrust nShield Hardware Security Modules (HSMs) provide FIPS- or Common Criteria-certified solutions to securely generate, encrypt, and decrypt the keys that form the foundation of the Vault protection mechanism. The nShield HSM secures the key used to seal or unseal a Vault instance.

This guide describes how to integrate HashiCorp Vault Enterprise with an nShield HSM, either on a server or in a Kubernetes environment.

Product configurations

Entrust has successfully tested nShield HSM integration with HashiCorp Vault in the following configurations:

Product            | Version
-------------------|----------------------------------------------------------------
HashiCorp Vault    | 1.9.2 Enterprise HSM
Docker             | 20.10.3
Red Hat OpenShift  | Client: 4.9.5, Server: 4.9.5, Kubernetes: v1.22.0-rc.0+a44d0f0
Base OS            | Red Hat Enterprise 8.3

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature          | Support
-----------------|--------------------------
Softcards        | Yes
Module Only Key  | Yes
OCS cards        | Yes
nSaaS            | Supported but not tested

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software | Firmware                         | Netimage | OCS | Softcard | Module
------------------------|----------------------------------|----------|-----|----------|-------
12.80.4                 | 12.50.11 (FIPS 140-2 certified)  | 12.80.4  | Yes | Yes      | Yes
12.80.4                 | CC 12.60.15                      | 12.80.4  | Yes | Yes      | Yes

Supported nShield Container Option Pack:

Product | Version
--------|--------
nCOP    | 1.1.1

Requirements

Before installing these products, read the associated nShield HSM Installation Guide, User Guide, and the HashiCorp Vault documentation. This guide assumes familiarity with the following:

  • The importance of a correct quorum for the Administrator Card Set (ACS).

  • Whether Operator Card Set (OCS) protection or Softcard protection is required.

  • If OCS protection is to be used, a 1-of-N quorum must be used.

  • Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.

    Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

  • Whether to instantiate the Security World as recoverable or not.

  • Network environment setup, including a firewall configuration that allows the required ports: 9004 for the HSM and 8200 for Vault.

  • A HashiCorp Enterprise Modules license, which is required for using Vault with Hardware Security Modules.
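To show how the pieces above fit together (the HSM protecting the seal key, OCS or Softcard protection, port 8200 for Vault), the following Vault Enterprise server configuration is an added example and not part of the Entrust guide or HashiCorp's own documentation. It assumes the nShield PKCS#11 library at its default install path, and the slot number, passphrase, key labels, hostnames and file paths are placeholders to be replaced with your own values.

```hcl
# Added example: Vault Enterprise delegating its seal to an nShield HSM
# through the PKCS#11 seal. Every value below is a placeholder/assumption.

listener "tcp" {
  address       = "0.0.0.0:8200"                 # Vault port listed in the requirements
  tls_cert_file = "/etc/vault.d/tls/vault.crt"   # assumed path
  tls_key_file  = "/etc/vault.d/tls/vault.key"   # assumed path
}

storage "raft" {
  path    = "/opt/vault/data"   # assumed path
  node_id = "vault-1"           # assumed node name
}

seal "pkcs11" {
  # nShield PKCS#11 provider shipped with the Security World Software.
  lib = "/opt/nfast/toolkits/pkcs11/libcknfast.so"

  # Slot of the OCS or Softcard that protects the seal keys (placeholder).
  slot = "492971158"

  # Passphrase of the OCS card or Softcard. Prefer supplying it through the
  # VAULT_HSM_PIN environment variable instead of storing it in this file.
  pin = "replace-with-ocs-or-softcard-passphrase"

  # Labels of the AES seal key and HMAC key held in the HSM. With
  # generate_key set, `vault operator init` creates them if they do not exist.
  key_label      = "vault-seal-key"
  hmac_key_label = "vault-hmac-key"
  generate_key   = "true"
}

api_addr     = "https://vault.example.com:8200"   # placeholder hostname
cluster_addr = "https://vault.example.com:8201"   # placeholder hostname
```

The Vault node must reach the Connect XC on TCP port 9004 for the PKCS#11 library to open the slot; if the HSM is unreachable or the wrong OCS is present, Vault fails to unseal rather than falling back to a software seal.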

More information

For more information about OS support, contact your HashiCorp Vault sales representative or Entrust nShield Support at https://nshieldsupport.entrust.com.