Hardware Security Module usage in IBM Security Guardium Key Lifecycle Manager
You can use a Hardware Security Module (HSM) to store the master key that protects all passwords stored in the database.
IBM® Security Guardium® Key Lifecycle Manager uses the IBM PKCS11 Cryptographic Provider, and supports the cryptographic cards that the provider supports.
The commonly supported cryptographic cards are as follows:
- Gemalto/SafeNet Luna SA
- Entrust nShield Connect
- IBM 4765 PCIe Cryptographic Coprocessor
Note:
- You can use Gemalto/SafeNet Luna SA and IBM 4765 PCIe Cryptographic Coprocessor only when the keystore is not defined in IBM Security Guardium Key Lifecycle Manager. These cards do not allow import of keys from outside. Use the Master Key REST Service to import the master key from a Java keystore to these cards. IBM 4765 PCIe Cryptographic Coprocessor is supported only for the following PKCS#11 crypto operations:
  - Convert an AES 128-bit or 256-bit software key to an AES hardware (PKCS#11) key
  - Generate an AES 128-bit or 256-bit key
  - Encrypt and decrypt data by using an AES key and an AES/ECB/NoPadding cipher
  - Store and retrieve an AES key to and from a PKCS11IMPLKS (PKCS#11) keystore
Configuring HSM
You can configure HSM for the new and existing installations of the product. To do so:
- On the IBM Security Guardium Key Lifecycle Manager server, create an HSM configuration file. You can use the sample HSM configuration file for reference.
- Define the following parameters in the configuration file: pkcs11.pin, pkcs11.config, useMasterKeyInHSM. For more information, see Configuring HSM parameters. For HSM configuration parameter details, see the topics in the Server configuration properties and database values section.
- If you are configuring HSM on an existing installation, complete the following steps.
  - Ensure that the useMasterKeyInHSM parameter in the HSM configuration file is not set to true.
  - Run the Master Key REST Service to move the master key from the Java keystore to HSM.
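A preflight check for the steps above, added here as an example and not part of the IBM documentation or product: it reads the three parameters the page names from the HSM configuration file and refuses to proceed on an existing installation when useMasterKeyInHSM is already true, before the Master Key REST Service is run. It assumes the configuration file uses key=value lines; the file-permission check on the file holding pkcs11.pin is my addition, not a requirement stated on the page.

```shell
#!/bin/sh
# Preflight check for a Guardium Key Lifecycle Manager HSM configuration file.
# Assumption (not from the page): the file is a plain key=value properties file.

# hsm_param FILE KEY -> prints the last value of KEY (spaces around '=' tolerated)
hsm_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# check_hsm_config FILE -> returns 0 when the file is ready for the
# Master Key REST Service on an existing installation, 1 otherwise.
check_hsm_config() {
    cfg="$1"; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }

    # pkcs11.pin: the token PIN the product logs in with
    pin=$(hsm_param "$cfg" pkcs11.pin)
    [ -n "$pin" ] || { echo "pkcs11.pin is missing"; rc=1; }

    # pkcs11.config: path of the IBM PKCS11 provider configuration file
    p11cfg=$(hsm_param "$cfg" pkcs11.config)
    if [ -z "$p11cfg" ]; then
        echo "pkcs11.config is missing"; rc=1
    elif [ ! -r "$p11cfg" ]; then
        echo "pkcs11.config points to an unreadable file: $p11cfg"; rc=1
    fi

    # On an existing installation the master key is still in the Java keystore,
    # so useMasterKeyInHSM must not be true until the REST service has moved it.
    use=$(hsm_param "$cfg" useMasterKeyInHSM | tr 'A-Z' 'a-z')
    [ "$use" != "true" ] || { echo "useMasterKeyInHSM must not be true before the master key is moved"; rc=1; }

    # Added check (assumption): the file holds the HSM PIN, so group/other
    # read access exposes it. Octal mode ending in 00 means owner-only access.
    perms=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
    case "$perms" in
        *00) ;;
        *) echo "$cfg is accessible by group/others (mode $perms); the PIN is exposed"; rc=1 ;;
    esac
    return $rc
}
```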
| Date | Change description |
| --- | --- |
| 21 Sept 2021 | Added a note for using the Master Key REST Service to import the master key to the HSM. |
| 06 Aug 2021 | Added a step for HSM configuration on an existing installation. |
| 20 Jul 2021 | Updated cryptographic card name from Thales nShield Connect to Entrust nShield Connect. Refreshed only the English language content. |
| 08 Dec 2020 | Initial version. |