Hardware Security Module usage in IBM Security Guardium Key Lifecycle Manager

You can use a Hardware Security Module (HSM) to store the master key, which protects all passwords that are stored in the database.

IBM® Security Guardium® Key Lifecycle Manager uses the IBM PKCS11 Cryptographic Provider and supports the cryptographic cards that this provider supports.

The commonly supported cryptographic cards are as follows:
  • Gemalto/SafeNet Luna SA
  • Entrust nShield Connect
  • IBM 4765 PCIe Cryptographic Coprocessor
For a complete list of supported cryptographic cards, see IBM Security Key Lifecycle Manager Support Matrix.
Note:
  • You can use Gemalto/SafeNet Luna SA and IBM 4765 PCIe Cryptographic Coprocessor only when the keystore is not defined in IBM Security Guardium Key Lifecycle Manager. These cards do not allow keys to be imported from outside the card. Use the Master Key REST Service to import the master key from a Java keystore to these cards.
  • IBM 4765 PCIe Cryptographic Coprocessor is supported only for the following PKCS#11 crypto operations:
    • Convert an AES 128-bit or 256-bit software key to an AES hardware (PKCS#11) key
    • Generate an AES 128-bit or 256-bit key
    • Encrypt and decrypt data by using an AES key and an AES/ECB/NoPadding cipher
    • Store and retrieve an AES key to and from a PKCS11IMPLKS (PKCS#11) keystore

Configuring HSM

You can configure HSM for the new and existing installations of the product. To do so:
  1. On the IBM Security Guardium Key Lifecycle Manager server, create an HSM configuration file. You can use the sample HSM configuration file for reference.
  2. Define the following parameters in the configuration file: pkcs11.pin, pkcs11.config, and useMasterKeyInHSM.

    For more information, see Configuring HSM parameters. For HSM configuration parameter details, see the topics in the Server configuration properties and database values section.

  3. If you are configuring HSM on an existing installation, complete the following steps.
    1. Ensure that the useMasterKeyInHSM parameter in the HSM configuration file is not set to true.
    2. Run the Master Key REST Service to move the master key from the Java keystore to the HSM.
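A preflight check for the configuration steps above, written here as an added example (it is not part of the IBM documentation or the product). It assumes the HSM configuration file uses key=value properties syntax; the PIN and path values in the sample are constructed placeholders.

```python
import stat
from typing import Dict, List

# The three parameters the configuration step names.
REQUIRED_KEYS = ("pkcs11.pin", "pkcs11.config", "useMasterKeyInHSM")

# Constructed sample of an HSM configuration file for an EXISTING installation.
# Assumption: key=value properties syntax; PIN and path are placeholders.
SAMPLE_HSM_CONFIG = """\
# constructed sample, not a real configuration
pkcs11.pin=PLACEHOLDER_PIN
pkcs11.config=/PLACEHOLDER/path/to/pkcs11.cfg
useMasterKeyInHSM=true
"""

def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and lines starting with '#' or '!' are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_hsm_config(props: Dict[str, str], existing_install: bool) -> List[str]:
    """Return problems found; an empty list means the file is ready for the described step."""
    problems = [f"missing parameter: {k}" for k in REQUIRED_KEYS if k not in props]
    if "pkcs11.pin" in props and props["pkcs11.pin"] == "":
        problems.append("pkcs11.pin is empty")
    flag = props.get("useMasterKeyInHSM", "").lower()
    if flag not in ("", "true", "false"):
        problems.append(f"useMasterKeyInHSM has unexpected value {flag!r}")
    # On an existing installation the master key is still in the Java keystore,
    # so the flag must not be true until the Master Key REST Service has moved it.
    if existing_install and flag == "true":
        problems.append("useMasterKeyInHSM must not be true before the master key is moved to the HSM")
    return problems

def pin_file_exposed(mode: int) -> bool:
    """The file carries the HSM PIN in clear text; flag it if group or others can read it."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_HSM_CONFIG)
    for problem in check_hsm_config(cfg, existing_install=True):
        print("PROBLEM:", problem)
```

Run it against the real file's contents before step 3.2 to confirm the flag is still false, and pass `os.stat(path).st_mode` to `pin_file_exposed` to confirm the file holding the PIN is readable only by its owner.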

Table 1. Topic change log

Date          Change description
21 Sept 2021  Added a note for using the Master Key REST Service to import the master key to the HSM.
06 Aug 2021   Added a step for HSM configuration on an existing installation.
20 Jul 2021   Updated cryptographic card name from Thales nShield Connect to Entrust nShield Connect. Refreshed only the English language content.
08 Dec 2020   Initial version.