Deployment Architecture

Architectural diagram

The nshield-hwsp container runs the hardserver. It is supplied with configuration to connect to one or more network HSMs (nShield Connects). It exposes the hardserver via an AF_UNIX socket. Access to the hardserver socket must be restricted to trusted users.

Application instances are any containers that include applications that use the nShield software stack. They are supplied with the socket used to connect to the hardserver and access to the key management data files (to use the World and associated cryptographic keys).

The key management data files, including encrypted copies of keys, are located in kmdata. A container mounting kmdata as a volume will be able to spoof the nShield Connect client. Therefore, access to files in kmdata must be controlled and restricted to trusted users.
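The two access restrictions above (the hardserver socket and the kmdata volume) can be checked from the host or from inside a container. The following audit is an added example, not part of the nShield documentation or tooling; the function names are hypothetical, and the socket path, kmdata path and trusted uid/gid values are supplied by the caller because this page does not specify them.

```python
import os
import stat
import sys

def _check(path, st, uids, gids, other_bits, group_bits):
    """Flag untrusted ownership and access granted to group or other."""
    mode = stat.S_IMODE(st.st_mode)
    out = []
    if st.st_uid not in uids:
        out.append(f"{path}: owner uid {st.st_uid} is not trusted")
    if st.st_mode & other_bits:
        out.append(f"{path}: mode {mode:04o} grants access to every user")
    if st.st_mode & group_bits and st.st_gid not in gids:
        out.append(f"{path}: mode {mode:04o} grants access to untrusted gid {st.st_gid}")
    return out

def audit_socket(path, uids, gids=()):
    """Findings for the hardserver socket; an empty list means restricted."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not an AF_UNIX socket"]
    # On Linux, connect() requires write permission on the socket file,
    # so only the write bits decide who can reach the hardserver.
    return _check(path, st, uids, gids, stat.S_IWOTH, stat.S_IWGRP)

def audit_kmdata(root, uids, gids=()):
    """Findings for every directory and file under the kmdata volume."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink are not enforced on Linux
            # Any group/other access counts: reading kmdata is what allows
            # a container to act as the nShield Connect client.
            findings += _check(path, st, uids, gids, stat.S_IRWXO, stat.S_IRWXG)
    return findings

if __name__ == "__main__" and len(sys.argv) >= 4:
    # Usage: audit.py <socket-path> <kmdata-dir> <trusted-uid> [<trusted-gid>]
    sock, kmdata, uid, *gid = sys.argv[1:]
    trusted_uids, trusted_gids = {int(uid)}, set(map(int, gid))
    problems = audit_socket(sock, trusted_uids, trusted_gids)
    problems += audit_kmdata(kmdata, trusted_uids, trusted_gids)
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```

The check covers file ownership and mode bits only; it does not see which containers mount the socket or the kmdata volume, so the orchestrator's volume definitions still need review.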