HSM Support and Requirements

Management keys are SSH keys used by Key Manager to access agentless hosts. Key Manager can be configured to use management keys stored in an external Hardware Security Module (HSM), instead of storing the management keys in the Key Manager Database.

The following HSM solutions are currently supported by Key Manager:

  • SafeNet Network HSM 6.2, 7.4.0
  • nCipher Security nShield Connect series:
    • nShield Connect 500
    • nShield Connect 500+
    • nShield Connect 1500
    • nShield Connect 1500+
    • nShield Connect 6000
    • nShield Connect 6000+
    • nShield Connect XC Base
    • nShield Connect XC Medium
    • nShield Connect XC High
    • nShield Connect XC SCAP

Key Manager interfaces with HSM partitions using PKCS #11. The libraries required for PKCS #11 authentication and access are expected to be provided by the HSM service vendor.

Key Manager only reads management keys from its designated HSM partition. When Key Manager is configured to use management keys from HSM, the user is responsible for generating the required keys on the designated HSM partition. The user is also required to select the key that shall be authorized to the agentless hosts.

Management keys stored in the HSM should have the attribute sign=true. Any management-key pairs stored in the HSM should also have unique id and label values. With SafeNet HSMs, key attributes can be checked with the command cmu getattribute.

Note that HSM behavior only applies to management keys, which are used for authorizing Key Manager to the agentless hosts. SSH keys for account-to-account authorizations are still stored on the hosts themselves, and the authorized keys from account-to-account authorizations are replicated into the Key Manager Database as per normal Key Manager behavior.

Keys stored on the HSM partition must be in RSA format.
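The requirements above (sign=true, unique id and label values, RSA key type, read over PKCS #11) can be checked before pointing Key Manager at a partition. The following is an added example written for this page, not Key Manager's own code or a vendor tool: a pure validation function over the four PKCS #11 attributes the page's rules depend on (CKA_SIGN, CKA_ID, CKA_LABEL, CKA_KEY_TYPE), fed here with a constructed sample partition. The optional PyKCS11 loader, the module path, slot index and PIN it takes are assumptions about how an operator might read the same attributes from a real partition; Key Manager itself uses the vendor-supplied PKCS #11 library as stated above.

```python
"""Pre-flight check of management-key attributes on an HSM partition.

Added example, not Key Manager's own code. The rules implemented are the
ones stated on this page: each management key must have sign=true, ids
and labels must be unique across the partition, and keys must be RSA.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List

# CKA_KEY_TYPE values from the PKCS #11 specification
CKK_RSA = 0x00000000
CKK_EC = 0x00000003


@dataclass
class KeyAttrs:
    label: str       # CKA_LABEL
    key_id: bytes    # CKA_ID
    sign: bool       # CKA_SIGN
    key_type: int    # CKA_KEY_TYPE


def validate_management_keys(keys: List[KeyAttrs]) -> List[str]:
    """Return a list of problems; an empty list means the partition is usable."""
    problems = []
    for k in keys:
        if not k.sign:
            problems.append(f"{k.label!r}: CKA_SIGN is false; management keys need sign=true")
        if k.key_type != CKK_RSA:
            problems.append(f"{k.label!r}: CKA_KEY_TYPE is not RSA")
    # ids and labels must be unique across all management-key pairs
    for name, counter in (("label", Counter(k.label for k in keys)),
                          ("id", Counter(k.key_id for k in keys))):
        for value, n in counter.items():
            if n > 1:
                problems.append(f"{name} {value!r} is shared by {n} keys; must be unique")
    return problems


def load_from_pkcs11(module_path: str, pin: str, slot_index: int = 0) -> List[KeyAttrs]:
    """Read the same attributes from a real partition via PyKCS11.

    Assumed helper: PyKCS11 is imported inside the function so the
    validation above runs offline without an HSM. The operator supplies
    the vendor PKCS #11 library path, slot index and partition PIN.
    """
    import PyKCS11
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    session.login(pin)
    try:
        out = []
        for obj in session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY)]):
            sign, kid, label, ktype = session.getAttributeValue(
                obj, [PyKCS11.CKA_SIGN, PyKCS11.CKA_ID,
                      PyKCS11.CKA_LABEL, PyKCS11.CKA_KEY_TYPE])
            out.append(KeyAttrs(label=label, key_id=bytes(kid),
                                sign=bool(sign), key_type=ktype))
        return out
    finally:
        session.logout()
        session.closeSession()


# Constructed sample partition: one compliant key and two that violate the rules
SAMPLE = [
    KeyAttrs("km-mgmt-01", b"\x01", True, CKK_RSA),
    KeyAttrs("km-mgmt-02", b"\x02", False, CKK_RSA),   # sign=false
    KeyAttrs("km-mgmt-02", b"\x03", True, CKK_EC),     # duplicate label, not RSA
]

if __name__ == "__main__":
    for problem in validate_management_keys(SAMPLE):
        print("PROBLEM:", problem)
```

Run against a real partition by replacing SAMPLE with load_from_pkcs11(path, pin); any reported problem should be fixed on the HSM before the key is selected for authorization to the agentless hosts, since Key Manager only reads the keys and will not correct their attributes.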