This guide provides instructions to create new AWS CloudHSM Classic devices and configure them to work with CredHub. If you choose to use a Luna SafeNet HSM that is not provided by AWS, you may skip over the device allocation portion to initialize and configured your HSMs.
It is recommended that you configure at least two HSMs if the data stored in CredHub is critical. Appropriately configured HSMs allow key replication which provides redundancy of the key material in the event of an HSM device failure. If you choose to run a single HSM, your CredHub data will not be accessible in the event of a device failure.
- VPC
- There should be one private subnet for each planned HSM instance, and each subnet should be in its own Availability Zone. There need to be at least two HSMs for HA. The AWS documentation says that there should also be a subnet for a publicly available Control Instance, but that is not necessary in this case because CredHub plays the role of Control Instance
- IAM Role for the HSM with a policy equivalent to
AWSCloudHSMRolepolicy - The Security Group must allow traffic from the CredHub security group on ports 22 (SSH) and 1792 (HSM)
-
Create SSH keypairs for all planned HSMs
ssh-keygen -b 4096 -t rsa -N <password> -f path/to/ssh-key.pem
-
Create
cloudhsm.conffile[cloudhsmcli] aws_access_key_id=<value> aws_secret_access_key=<value> aws_region=<value>More about the configuration file for
cloudhsmCLI can be found here. -
Run the following command to create each HSM and place it in the appropriate subnet
cloudhsm create-hsm \ --conf_file path/to/cloudhsm.conf \ --subnet-id <subnet-id> \ --ssh-public-key-file path/to/ssh-key.pem.pub \ --iam-role-arn <iam_hsm_role_arn>
-
Assign the security group to each HSM. First, get the Elastic Network Interface ID
EniIDof the HSMcloudhsm describe-hsm -H <hsm_arn> -r <aws_region>
Then modify the network interface to assign the security group:
aws ec2 modify-network-interface-attribute \ --network-interface-id <eni_id> \ --groups <security_group_id>
Complete the following steps for each HSM.
-
Get the HSM IP
cloudhsm describe-hsm -H <hsm_arn> -r <aws_region>
-
SSH onto the HSM
ssh -i path/to/ssh-key.pem manager@<hsm_ip>
-
Initialize the HSM and create an Administrator password. All HSMs must be initialized into the same cloning domain in order to be configured for HA
lunash:> hsm init -label <label>
-
Log into the HSM by using the password from the previous step
lunash:> hsm login -
Ensure that only FIPS algorithms are enabled
lunash:> hsm changePolicy -policy 12 -value 0 -
Ensure that
Allow cloningandAllow network replicationpolicy values are set to On on the HSM by runninghsm showPolicies. If not, change them by running the following command:lunash:> hsm changePolicy -policy <policy_code> -value 1
-
Validate that the
SO can reset partition PINis set appropriately for your organization. If this is set to Off, consecutive deployments that use an invalid partition password will permanently erase the partition once the failure count hit the configured threshold. If this is set to On, the partition will be locked once the threshold is hit. An HSM Admin is required to unlock the partition, but no data will be lost. The following command demonstrates turning this policy on:lunash:> hsm changePolicy -policy 15 -value 1
-
Fetch the certificate from the HSM. This is used to validate the identity of the HSM when connecting to it.
scp -i path/to/ssh-key.pem \ manager@<hsm_ip>:server.pem \ <hsm_ip>.pem
-
Create a partition to hold the encryption keys. The partition password must be the same for all partitions in the HA partition group. The cloning domain must be the same as in step 1
lunash:> partition create -partition <partition_name> -domain <cloning_domain>
-
Record the partition serial number (labeled
Partition SN)lunash:> partition show -partition <partition_name>
Clients that communicate with the HSM must provide a client certificate to establish a client-authenticated session. You must setup each client's certificate on the HSM and assign access rights for each partition they access.
-
Create a certificate for the client
openssl req \ -x509 \ -newkey rsa:4096 \ -days <num_of_days> \ -sha256 \ -nodes \ -subj "/CN=<client_hostname_or_ip>" \ -keyout <client_hostname_or_ip>Key.pem \ -out <client_hostname_or_ip>.pem
-
Copy the client certificate to each HSM
scp -i path/to/ssh-key.pem \ <client_hostname_or_ip>.pem \ manager@<hsm_ip>:<client_hostname_or_ip>.pem
-
Create a client. The client hostname is the hostname of the planned CredHub instance(s)
lunash:> client register -client <client_name> -hostname <client_hostname>
If only one CredHub instance is planned, it's possible to register a client with the planned CredHub IP
lunash:> client register -client <client_name> -ip <client_ip>
-
Assign the partition created in the previous section to the client
lunash:> client assignPartition -client <client_name> -partition <partition_name>
You must define the encryption key name in the deploy manifest to set which key will be used for encryption operations. If this key exists on the HSM, it will be used. If it does not exist, it will be automatically created by CredHub in the referenced partition.
When generating a new key, it is recommended that you review the list of keys on each HSM to validate that key replication is functioning appropriately.
-
To review stored keys on a partition
lunash:> partition showContents -partition <partition_name>
After completing the above steps, you should have the following information for the CredHub deployment manifest:
- Encryption Key Name
- HSM Certificate
- Partition name and password
- Client certificate and private key
- Partition serial numbers
These should be entered in the manifest as shown below -
credhub:
properties:
encryption:
keys:
- provider_name: primary
encryption_key_name: [encryption-key-name]
active: true
providers:
- name: primary
type: hsm
partition: [partition-name]
partition_password: [partition-password]
client_certificate: [client-certificate]
client_key: [client-private-key]
servers:
- host: 10.0.0.1
port: 1792
certificate: [hsm-certificate]
partition_serial_number: [partition-serial-number]
- host: 10.0.0.10
port: 1792
certificate: [hsm-certificate]
partition_serial_number: [partition-serial-number]The generated client certificate has a fixed expiration date after which it will no longer be accepted by the HSM. You may rotate or renew this certificate at any time by following the steps detailed below.
-
Generate a new certificate for the client
openssl req \ -x509 \ -newkey rsa:4096 \ -days <num_of_days> \ -sha256 \ -nodes \ -subj "/CN=<client_hostname_or_ip>" \ -keyout <client_hostname_or_ip>Key.pem \ -out <client_hostname_or_ip>.pem
-
Copy the client certificate to each HSM
scp -i path/to/ssh-key.pem \ <client_hostname_or_ip>.pem \ manager@<hsm_ip>:<client_hostname_or_ip>.pem
-
(Optional) Review the client's partition assignments
lunash:> client show -client <client_name>
-
Remove the existing client. Note: All partition assignments will be deleted
lunash:> client delete -client <client_name>
-
Re-register the client
lunash:> client register -client <client_name> -ip <client_ip>
-
Re-assign partition assignments
lunash:> client assignPartition -client <client_name> -partition <partition_name>
-
(Optional) Validate new certificate fingerprint
lunash:> client fingerprint -client <client_name>
This fingerprint may be compared to your locally stored certificate with the command openssl x509 -in clientcert.pem -outform DER | md5sum.