Deployment Architecture
The nshield-hwsp container runs the hardserver.
It is supplied with configuration to connect to one or more network HSMs (nShield Connects).
It exposes the hardserver via an AF_UNIX socket.
Access to the hardserver socket must be restricted to trusted users.
Application instances are any containers that include applications that use the nShield software stack. The applications are supplied with the socket used to connect to the hardserver and access to the Security World key management data files and associated cryptographic keys.
The key management data files, including encrypted copies of keys, are located in kmdata. A container mounting kmdata as a volume will be able to spoof the nShield Connect client. Therefore, access to files in kmdata must be controlled and restricted to trusted users.
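
One way to check both access requirements above on the host that holds the socket and the kmdata volume, as an added example that is not part of the nShield software or documentation. The socket path, the kmdata path and the sets of trusted uids and gids are supplied by the caller and are assumptions about your deployment.

```python
import os
import stat
import sys


def check_entry(path, group_bits, other_bits, trusted_uids, trusted_gids):
    """Findings for one path; *_bits are the mode bits that grant use of it."""
    st = os.lstat(path)
    found = []
    if st.st_uid not in trusted_uids:
        found.append(f"{path}: owner uid {st.st_uid} is not trusted")
    if st.st_mode & group_bits and st.st_gid not in trusted_gids:
        found.append(f"{path}: gid {st.st_gid} has access but is not trusted")
    if st.st_mode & other_bits:
        found.append(f"{path}: open to all users ({stat.S_IMODE(st.st_mode):04o})")
    return found


def audit(socket_path, kmdata_dir, trusted_uids, trusted_gids):
    """Return a list of findings; an empty list means both checks passed."""
    found = []
    if not stat.S_ISSOCK(os.lstat(socket_path).st_mode):
        found.append(f"{socket_path}: not a socket")
    # Connecting to an AF_UNIX socket needs write permission on the socket file.
    found += check_entry(socket_path, stat.S_IWGRP, stat.S_IWOTH,
                         trusted_uids, trusted_gids)
    # For kmdata, read access is enough to copy the files and write access
    # allows tampering, so both count as access.
    grp, oth = stat.S_IRGRP | stat.S_IWGRP, stat.S_IROTH | stat.S_IWOTH
    for root, _dirs, files in os.walk(kmdata_dir):
        for path in [root] + [os.path.join(root, name) for name in files]:
            if os.path.islink(path):
                continue  # a symlink's own mode bits are not meaningful
            found += check_entry(path, grp, oth, trusted_uids, trusted_gids)
    return found


if __name__ == "__main__":
    # Usage: audit.py SOCKET_PATH KMDATA_DIR  (paths are deployment-specific)
    # Assumption: only the invoking user and its primary group are trusted.
    problems = audit(sys.argv[1], sys.argv[2], {os.getuid()}, {os.getgid()})
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Run it wherever the socket and the kmdata volume are visible with their real ownership; a non-zero exit status means some user outside the trusted set can reach the hardserver or the key management data.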