Overview

The Cloud HSM integration with Virtru Private Keystore (for Virtru Solutions) is designed to give the highest possible protection to encryption keys. This document covers the steps required to connect a Virtru Private Keystore to the Cloud HSM, and also details the steps required to import existing Virtru Private Keystore keys into the HSM.

Jump to:
- Relevant Links
- Assumptions
- HSM Configuration
- Create an RSA key pair on the HSM
- Install Virtru Private Keystore
- Upgrade Procedure From Existing Virtru Private Keystore (Import Keys and Connect Virtru Private Keystore to HSM)

Relevant Links
- Install and Configure the AWS CloudHSM Client (Linux) - AWS CloudHSM
- Supported Linux operating systems for AWS CloudHSM
- Virtru Private Keystore Prerequisites
  - Virtru Private Keystore must run on a host that supports AWS CloudHSM

Important Note
Virtru Private Keystore runs on Linux hosts with Docker and Docker Compose installed; please confirm that your host is compatible with both AWS Cloud HSM and Virtru CKS. At the time of this writing, Cloud HSM does not support Ubuntu 20.04 LTS (per AWS documentation).
Assumptions
- HSM cluster has already been stood up
- HSM has not been initialized
- CU username is cryptouser
- Key label for CKS keys is rsa001
HSM Configuration

Initialize the HSM cluster
- Create an HSM in the cluster.
  Important Note: Ensure the HSM is located in the same Availability Zone as the host running the CKS service.
- Wait for the HSM to be created.
- Download the certificate signing request:
  - Click the top button to download the CSR for your cluster.
  - Name: cluster-<cluster-id>_ClusterCsr.csr
- Copy the downloaded CSR to your CKS server.
- Sign the CSR (see Signing your HSM CSR - AWS Documentation):
  - Create a private key:
        openssl genrsa -aes256 -out customerCA.key 2048
    Include a passphrase.
  - Use the private key to create a self-signed certificate:
        openssl req -new -x509 -days 3652 -key customerCA.key -out customerCA.crt
    Use the passphrase above when generating the certificate.
  - Sign the cluster CSR:
        openssl x509 -req -days 3652 -in cluster-<cluster-id>_ClusterCsr.csr -CA customerCA.crt -CAkey customerCA.key -CAcreateserial -out cluster-<cluster-id>_CustomerHsmCertificate.crt
    Use the passphrase above, and your cluster ID in place of cluster-<cluster-id>.
  - You should now have cluster-<cluster-id>_CustomerHsmCertificate.crt created.
- Download the signed HSM certificate and the self-signed certificate created on the instance, to upload to the AWS console:
  - customerCA.crt
  - cluster-<cluster-id>_CustomerHsmCertificate.crt
- Finish initializing the cluster by uploading the HSM certificate and the self-signed certificate to the HSM cluster.
- Initialization is now complete.
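The following script is an added example, not code from Virtru or from the AWS documentation. It replays the three openssl steps above in a scratch directory and then performs the checks an operator would want before uploading the two certificates to the CloudHSM console: that the signed certificate chains to customerCA.crt, that it carries the public key from the CSR, and that its issuer is the customer CA. It assumes openssl is installed, uses "cluster-example" as a placeholder for cluster-<cluster-id>, generates a stand-in CSR locally (a real one is downloaded from the AWS console), and passes the CA passphrase with -passin/-passout instead of the interactive prompt the document uses.

```shell
#!/bin/sh
# Added example, not Virtru's or AWS's code: replays the CSR-signing steps
# above in a scratch directory, then checks the result before upload.
# Assumptions (not from the document): openssl is installed; the cluster id
# "cluster-example" and the CSR generated here are stand-ins, since a real
# CSR is downloaded from the AWS console; the CA passphrase is supplied via
# -passin/-passout rather than the interactive prompt.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CLUSTER_ID="cluster-example"              # placeholder for cluster-<cluster-id>
CA_PASS="pass:demo-passphrase-change-me"  # passphrase for customerCA.key

# Constructed stand-in for cluster-<cluster-id>_ClusterCsr.csr.
make_stand_in_csr() {
    openssl genrsa -out "$WORKDIR/hsm-stand-in.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/hsm-stand-in.key" -subj "/CN=$CLUSTER_ID" \
        -out "$WORKDIR/${CLUSTER_ID}_ClusterCsr.csr" 2>/dev/null
}

# The document's steps: CA private key, self-signed CA certificate, signed CSR.
sign_cluster_csr() {
    openssl genrsa -aes256 -passout "$CA_PASS" \
        -out "$WORKDIR/customerCA.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3652 -key "$WORKDIR/customerCA.key" \
        -passin "$CA_PASS" -subj "/CN=Customer HSM CA" \
        -out "$WORKDIR/customerCA.crt" 2>/dev/null
    openssl x509 -req -days 3652 -in "$WORKDIR/${CLUSTER_ID}_ClusterCsr.csr" \
        -CA "$WORKDIR/customerCA.crt" -CAkey "$WORKDIR/customerCA.key" \
        -passin "$CA_PASS" -CAcreateserial \
        -out "$WORKDIR/${CLUSTER_ID}_CustomerHsmCertificate.crt" 2>/dev/null
}

# Pre-upload checks; returns 0 only if all three pass:
#   1. the signed certificate chains to the given CA certificate
#   2. it carries the public key from the CSR (the right request was signed)
#   3. its issuer is the customer CA created above
verify_signed_cert() {
    ca="$1"; csr="$2"; crt="$3"
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ] || return 1
    case "$(openssl x509 -in "$crt" -noout -issuer)" in
        *"Customer HSM CA"*) return 0 ;;
    esac
    return 1
}

make_stand_in_csr
sign_cluster_csr
if verify_signed_cert "$WORKDIR/customerCA.crt" \
        "$WORKDIR/${CLUSTER_ID}_ClusterCsr.csr" \
        "$WORKDIR/${CLUSTER_ID}_CustomerHsmCertificate.crt"; then
    echo "OK: ${CLUSTER_ID}_CustomerHsmCertificate.crt verifies against customerCA.crt"
fi
```

Run it with sh on the CKS server after installing openssl; in real use, replace the stand-in CSR with the file downloaded from the console and keep customerCA.key (and its passphrase) off the host once the two certificates have been uploaded, since it is the trust anchor for the cluster.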
Connect the HSM cluster to the EC2 instance
- Configure Security Groups - AWS Documentation
- Then add the security group from the HSM cluster to the CKS host.
- Install the AWS CloudHSM client on the EC2 instance:
  - Install and Configure the AWS CloudHSM Client (Linux) - AWS CloudHSM
- Retrieve the IP from the HSM cluster in the AWS web console.

Activate the cluster
- Activate HSM Cluster - AWS Documentation
      /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
- Enable e2e, log in as PRECO, then change the password for CO.
- Log in as CO and create the cryptouser CU:
      loginHSM CO admin <password>
      createUser CU cryptouser <password>

Set up HSM command line tools
- There are 2 command line tools:
  - cloudhsm_mgmt_util (used in the previous step to create the CU user): used for managing HSM users
  - key_mgmt_util: used for managing HSM keys
- sudo service cloudhsm-client start
  Starts the daemon.
- /opt/cloudhsm/bin/key_mgmt_util
  Executable; the prompt changes to "Command:" while it is running.
Create an RSA key pair on the HSM
If importing existing keys from an existing Virtru Private Keystore or an external source, you may skip to Upgrade Procedure From Existing Virtru Private Keystore (Import Keys and Connect Virtru Private Keystore to HSM).
- sudo service cloudhsm-client start
- /opt/cloudhsm/bin/key_mgmt_util
- Command: loginHSM -u CU -s cryptouser -p <password>
- Command: genRSAKeyPair -m 2048 -e 65541 -l rsa001
Install Virtru Private Keystore
If upgrading an existing Virtru Private Keystore, see the steps in the next section.
- Install Virtru Private Keystore.
- After running the primary setup script to completion, run the setup-cks-hsm-latest.sh script from within your cks-setup-scripts directory.
  - Before running the HSM integration, SSH into the machine on a second connection.
- Enter the IP address retrieved when connecting the host to the HSM (Retrieve IP from HSM cluster in AWS web console).
  - Before hitting enter, on your second SSH session, copy customerCA.crt into the /hsm-config directory in /var/virtru/cks.
  - The connection to the HSM from the CKS requires the certificate to reside in the /hsm-config directory, which did not exist before selecting the HSM option for your key management.
- The slot label will be hsm1 when prompted.
- For the key pair label, enter rsa001.
- Use your created CU user and password for the PIN (example: cryptouser:<password>).
- Continue with the remaining Virtru Private Keystore install setup.
Upgrade Procedure From Existing Virtru Private Keystore (Import Keys and Connect Virtru Private Keystore to HSM)

Run Key Management Utility
- sudo service cloudhsm-client start
- /opt/cloudhsm/bin/key_mgmt_util
- Log in as the crypto user:
      loginHSM -u CU -s cryptouser -p <password>
- Find all keys for the current user:
      findKey
- If any keys need to be deleted because they will not be part of this integration, do so with the following command:
      deleteKey -k <keyHandle>
- Check whether any keys remain on the HSM:
      findKey

Import key pair from file system on existing Virtru Private Keystore
- If running the CloudHSM instance of CKS on a separate host, copy over rsa001.pem and rsa001.pub from your CKS host.
- There are 2 distinct commands here: import the public key, then import the private key. We'll do each step by step according to the linked AWS documentation.
- Import the public key:
  - Private keys need to be .key; Virtru-generated CKS private keys are .pem:
        mv rsa001.pem rsa001.key
  - Public keys need to be .pem; Virtru-generated CKS public keys are .pub:
        mv rsa001.pub rsa001.pem
  - Start key_mgmt_util and log in as cryptouser:
        /opt/cloudhsm/bin/key_mgmt_util
        loginHSM -u CU -s cryptouser -p cryptouser123
  - Import the public key file:
        importPubKey -l rsa001 -f rsa001.pem
        Public Key Label: prodkey
        Public Key Handle: <pubKeyHandle>
  Important Note: All keys that need to be read by the CKS must have the same label; you may opt to label keys something more generic.
- Create the wrapping key required for importing the private key:
      genSymKey -t 31 -s 32 -l aes256
      Wrapping Key Handle: <wrappingKeyHandle>
  Note this handle, as you will need to import all private keys with this wrapping key as part of the command.
- Import the private key:
      importPrivateKey -f rsa001.key -l rsa001 -w <wrappingKeyHandle>
      Private Key Handle: <privKeyHandle>
- Verify the imported keys are in the HSM cluster:
      findKey
- Repeat steps 2 and 3 for any additional key pairs. As noted in step 2, ALL imported keys must have the same label to be read by the CKS, as opposed to importing key pairs as rsa001, rsa002, etc.
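Because importPubKey and importPrivateKey are two independent commands that only share a label, nothing in the procedure above confirms that rsa001.key and rsa001.pem are really two halves of one RSA key pair before both land on the HSM under the same label. The script below is an added example, not Virtru's code: it performs the two renames from the document and then compares the RSA modulus of the private key with that of the public key, which is the check to run before importing. It assumes openssl is installed and uses a locally generated key pair as a constructed stand-in for the rsa001.pem / rsa001.pub files copied from the CKS host.

```shell
#!/bin/sh
# Added example, not Virtru's code: after the rename step and before
# importPubKey/importPrivateKey, confirm that rsa001.key (private) and
# rsa001.pem (public) belong to the same RSA key pair.
# Assumptions (not from the document): openssl is installed; the key files
# created here are constructed stand-ins for the rsa001.pem / rsa001.pub
# pair copied from the CKS host.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Stand-ins for the files from the CKS host: private key as .pem, public key as .pub.
make_stand_in_pair() {
    openssl genrsa -out "$WORKDIR/rsa001.pem" 2048 2>/dev/null
    openssl rsa -in "$WORKDIR/rsa001.pem" -pubout -out "$WORKDIR/rsa001.pub" 2>/dev/null
    # An unrelated private key, used to show that a mismatch is detected.
    openssl genrsa -out "$WORKDIR/unrelated.pem" 2048 2>/dev/null
}

# The two renames from the document: private key -> .key, public key -> .pem
rename_for_import() {
    mv "$WORKDIR/rsa001.pem" "$WORKDIR/rsa001.key"
    mv "$WORKDIR/rsa001.pub" "$WORKDIR/rsa001.pem"
}

# Returns 0 if the file is an unencrypted PEM RSA private key that passes
# openssl's internal consistency check (a DER or encrypted file would need
# converting before the rename step makes sense).
is_pem_rsa_private_key() {
    head -n 1 "$1" | grep -qE '^-----BEGIN (RSA )?PRIVATE KEY-----$' || return 1
    openssl rsa -in "$1" -noout -check >/dev/null 2>&1
}

# Returns 0 if the private key's modulus equals the public key's modulus,
# i.e. the two files really are one key pair.
keypair_matches() {
    priv_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

make_stand_in_pair
rename_for_import
if is_pem_rsa_private_key "$WORKDIR/rsa001.key" \
   && keypair_matches "$WORKDIR/rsa001.key" "$WORKDIR/rsa001.pem"; then
    echo "rsa001.key and rsa001.pem match; import both under label rsa001"
fi
```

Point the two functions at the real rsa001.key and rsa001.pem on the host (after the mv commands) and only proceed to importPubKey and importPrivateKey when both return 0; when importing several pairs under one label, run the modulus check on each pair before its import so that a stray public key from another pair is not silently bound to the shared label.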
Backup and Upgrade Virtru Private Keystore
- Follow the procedure to back up and upgrade your Virtru Private Keystore: Virtru Private Keystore Upgrade
- After running the primary setup script to completion, run the setup-cks-hsm-latest.sh script from within your cks-setup-scripts directory.
  - Before running the HSM integration, SSH into the machine on a second connection.
- Enter the IP address retrieved when connecting the host to the HSM (Retrieve IP from HSM cluster in AWS web console).
  - Before hitting enter, on your second SSH session, copy customerCA.crt into the /hsm-config directory in /var/virtru/cks.
  - The connection to the HSM from the CKS requires the certificate to reside in the /hsm-config directory, which did not exist before selecting the HSM option for your key management.
- The slot label will be hsm1 when prompted.
- For the key pair label, enter rsa001.
- Use your created CU user and password for the PIN (example: cryptouser:<password>).
- Continue with the remaining Virtru Private Keystore install setup.