Introduction

The Entrust nShield HSMs secure keys that encrypt and sign the protected VMs. The keys are stored in an encrypted state on the Host Guardian Server (HGS).

The Guarded Host provides a trusted server and environment in which to create and run the Shielded VMs. The HGS attests the trustworthiness of a particular Guarded Host before releasing the relevant protection key used to unlock (decrypt), the virtual machine.

The HGS only releases the decryption key for the Shielded VM when it is satisfied that the condition of the VM matches a known clean state and that the VM has not been tampered with. This is achieved by providing evidence to attest to the VM’s integrity via a certificate that is also provided by the HGS.

Attestation process for running Shielded VMs on a Hyper-V Guarded Host:

  1. The Guarded Host requests a key to allow it to run the Shielded VM.

  2. The HGS receives the request but does not trust that the request comes from a legitimate host.

  3. The Guarded Host sends its declaration of health information, a known state conferred upon the host by the HGS in the initial set-up of the Hyper-V host.

  4. The HGS responds with a certificate of health to the host.

  5. The host makes another request, which includes the certificate to the HGS.

  6. The HGS returns the encrypted key to the virtualized security area of the Guarded Host, allowing the VM to run.

Product configurations

Entrust has successfully tested nShield HSM integration with Windows Hyper-V feature in the following configurations:

Product Version

Guardian Server Base OS

Windows Server 2019 Datacenter

Guarded Host Base OS

Windows Server 2019 Datacenter

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature Support

Operator Card Set (OCS)

Yes

Softcard Protection

Yes

Module

Yes

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Product Security World Software Firmware Image OCS Softcard Module

Connect XC

12.80.4

12.50.11 (FIPS 140-2 certified)

12.80.4

Connect XC

12.80.4

12.72.1 (FIPS 140-2 certified)

12.80.5

nShield 5c

13.2.2

13.2.2

13.2.2

Requirements

Familiarize yourself with the Microsoft Hyper-V and Guarded Hosts documentation and set-up process.

Before installing these products, read the associated nShield HSM Installation Guide and User Guide.

This guide assumes familiarity with the following:

  • The importance of a correct quorum for the Administrator Card Set (ACS).

  • Whether Operator Card Set (OCS) protection or Softcard protection is required.

  • If OCS protection is to be used, a 1-of-N quorum must be used.

  • Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.

    Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
  • Whether to instantiate the Security World as recoverable or not.

  • Network environment set-up, via correct firewall configuration with usable ports: 9004 for the HSM and 9005 for remote administration.

More information

For more information contact your sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.