Integrating HSM with IBM Security Guardium Key Lifecycle Manager

You can use a Hardware Security Module (HSM) to store the master key that protects all the data stored in the IBM Security Guardium Key Lifecycle Manager database.

IBM® Security Guardium® Key Lifecycle Manager uses the IBM PKCS11 Cryptographic Provider, and supports the cryptographic cards that the provider supports.

For a complete list of supported cryptographic cards, see IBM Security Key Lifecycle Manager Support Matrix.
Note:
  • You can configure an HSM on a newly installed IBM Security Guardium Key Lifecycle Manager server with no data, or on an existing installation with data. If you are configuring an HSM on an existing installation with data, you must run the Master Key REST Service to move the master key from the Java keystore to the HSM. The HSM does not allow keys to be imported from outside it.
  • IBM 4765 PCIe Cryptographic Coprocessor is supported only for the following PKCS#11 crypto operations:
    • Converting an AES 256-bit software key to an AES hardware (PKCS#11) key.
    • Generating an AES 256-bit key.
    • Encrypting and decrypting data by using an AES key and AES/ECB/NoPadding cipher.
    • Storing and retrieving an AES key to and from a PKCS11IMPLKS (PKCS#11) keystore.
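The four operations listed above, exercised end to end through the IBM PKCS11 Cryptographic Provider from Java (the language of the keystore this page describes). This is an added example, not code from this page or from the product. The provider class `com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl`, the configuration file path, the `HSM_PIN` environment variable, the key label, and the use of `SecretKeyFactory.translateKey()` to turn a software key into a token key are assumptions; the `PKCS11IMPLKS` keystore type and the `AES/ECB/NoPadding` transformation are the ones named on this page.

```java
import com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl;

import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.SecretKeySpec;

/**
 * Exercises the PKCS#11 operations listed above through the IBM PKCS11
 * Cryptographic Provider. Added example; not product code.
 */
public class HsmAesOperations {

    // Assumption: path of the IBMPKCS11Impl configuration file (name, library,
    // slotListIndex, ...) that points at the cryptographic card's PKCS#11 library.
    private static final String PKCS11_CONFIG = "/etc/sklm/hsm-pkcs11.cfg";
    // Assumption: label under which the key is kept in the PKCS11IMPLKS keystore.
    private static final String KEY_LABEL = "demo-aes256";

    public static void main(String[] args) throws Exception {
        // Assumption: the token PIN arrives through the environment, never hard-coded.
        String pinEnv = System.getenv("HSM_PIN");
        if (pinEnv == null) {
            throw new IllegalStateException("set HSM_PIN to the PKCS#11 token PIN");
        }
        char[] pin = pinEnv.toCharArray();

        // Load the provider from its configuration file and pass it explicitly to
        // every getInstance() call, so nothing silently falls back to a software provider.
        Provider hsm = new IBMPKCS11Impl(PKCS11_CONFIG);

        // Operation: generate an AES 256-bit key inside the HSM.
        KeyGenerator kg = KeyGenerator.getInstance("AES", hsm);
        kg.init(256);
        SecretKey hwKey = kg.generateKey();

        // Operation: store the key in the PKCS11IMPLKS keystore and read it back by label.
        KeyStore ks = KeyStore.getInstance("PKCS11IMPLKS", hsm);
        ks.load(null, pin);
        ks.setKeyEntry(KEY_LABEL, hwKey, pin, null);
        SecretKey fromToken = (SecretKey) ks.getKey(KEY_LABEL, pin);
        if (fromToken == null) {
            throw new IllegalStateException("key " + KEY_LABEL + " not found on token");
        }
        // Check: a hardware key must not hand out its raw bytes. JCE providers return
        // null from getEncoded() for non-extractable token keys (assumption that
        // IBMPKCS11Impl behaves the same way); warn if the material is exportable.
        if (fromToken.getEncoded() != null) {
            System.err.println("WARNING: key material is extractable from the token");
        }

        // Operation: encrypt and decrypt with AES/ECB/NoPadding. The input must be a
        // whole number of 16-byte blocks; 32 bytes of constructed sample data here.
        byte[] plaintext = new byte[32];
        Arrays.fill(plaintext, (byte) 0x41);
        Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", hsm);
        cipher.init(Cipher.ENCRYPT_MODE, fromToken);
        byte[] ciphertext = cipher.doFinal(plaintext);
        cipher.init(Cipher.DECRYPT_MODE, fromToken);
        byte[] recovered = cipher.doFinal(ciphertext);
        if (!Arrays.equals(plaintext, recovered)) {
            throw new IllegalStateException("AES round trip through the HSM failed");
        }

        // Operation: convert an AES 256-bit software key into a hardware (PKCS#11) key.
        // translateKey() is the JCE call that asks a provider to take over a key;
        // assumption: IBMPKCS11Impl supports it for AES. The software key is built
        // from random bytes purely as constructed sample input.
        byte[] softBytes = new byte[32];
        new SecureRandom().nextBytes(softBytes);
        SecretKey softKey = new SecretKeySpec(softBytes, "AES");
        SecretKey converted = SecretKeyFactory.getInstance("AES", hsm).translateKey(softKey);
        Arrays.fill(softBytes, (byte) 0);   // the software copy is no longer needed
        System.out.println("converted key class: " + converted.getClass().getName());

        System.out.println("HSM AES operations completed through provider " + hsm.getName());
    }
}
```

Run it with `HSM_PIN` set and the provider jar and the card's PKCS#11 library on the class path and library path. AES/ECB/NoPadding is adequate for what a master key does here, encrypting single random block-aligned key values, because identical plaintext blocks never occur in that input; it is not a general-purpose mode for structured data, so do not reuse the pattern elsewhere.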

Considerations and restrictions

  • IBM Security Guardium Key Lifecycle Manager backup or replication does not back up the master key when it is placed in the HSM. To back up the HSM, follow the instructions in the HSM manufacturer's documentation. Back up the HSM, because loss of the master key might result in the loss of all the keys in IBM Security Guardium Key Lifecycle Manager.
  • When IBM Security Guardium Key Lifecycle Manager is deployed in a replication setup, the master and clone servers must point to the same HSM. If you are using a network-attached HSM, make sure that all of your HSM clients point to the same area on the HSM network.