

The Lockdown

Thycotic’s Cyber Security Blog

New HSM Integration: Secret Server and Thales e-Security

Written by Thycotic Team

March 17th, 2015

Secret Server 8.8 includes nCipher integration and support for their Hardware Security Module (HSM). The nCipher integration adds a layer of protection to Secret Server by placing the Secret Server encryption key under the control of the HSM.

What are HSMs? They are devices that manage and store the keys used to encrypt and decrypt data; the keys are secured by the device and cannot be extracted from it. When an encryption key is managed by software and the machine hosting that software is compromised, the key can be exposed, and with it any data it protects. With an HSM, a server-side exploit does not yield the key, so an attacker cannot use it to decrypt the secured data. The HSM itself can still be stolen, though, and therefore needs to be kept in a secure location. Network HSMs are desirable for this reason: they can sit in a separate location from the server, in a place that virtually no one has easy access to. Most HSMs are also tamper-proof, meaning that they cannot be opened or otherwise physically tampered with without consequence; for example, nCipher nShield Connect devices treat removal of the device’s lid as a tamper event and destroy any key data on the device.

When HSM integration is turned on, Secret Server’s encryption key is secured by the HSM: the encryption key itself is encrypted (wrapped) by the HSM, so the HSM is needed to recover it. This gives all of the security benefits described above while being very simple to configure.

To configure the HSM, first make sure it supports:

  1. RSA 2048-bit or 4096-bit keys (2048-bit keys will be supported in the release following 8.8.000005)
  2. RSA for encryption and decryption
  3. RSA for signing
  4. PKCS#1 v1.5 padding for RSA encryption

With those items verified, go to Secret Server > Admin > Configuration > HSM and the wizard will walk you through the configuration steps.

Important Note: Secret Server interacts with HSMs in “silent” mode, meaning the HSM cannot prompt Secret Server users for input. Because Secret Server is a web application and the server it is installed on rarely has users physically present, configurations such as nCipher’s Operator Card Set (OCS) setting will not work, since OCS requires users to insert key cards periodically for authentication. Consult your HSM vendor before attempting integration with Secret Server to make sure it can operate in silent mode and is configured to do so.
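To make the wrapping relationship concrete, here is an added Python example; it is not Thycotic’s or Secret Server’s own code. It simulates an HSM as an object that keeps the RSA private key inside and only ever hands back unwrapped key material, wraps a 256-bit master key with RSAES-PKCS#1 v1.5 padding (the padding from the requirement list above), and exercises the two failure modes this section describes: a tamper event that destroys the key, and a key protected by an operator card that a silent caller cannot use. The 512-bit key size (chosen for speed; Secret Server requires 2048 or 4096), the class and function names, and the tamper and operator-card behaviour are assumptions made for the demo.

```python
"""Envelope encryption with an HSM-held RSA wrapping key (added demo, not Secret Server code).
The HSM is simulated: its private key is held inside SimulatedHsm and only unwrap() uses it.
Key size (512 bits for speed), names and the tamper / operator-card behaviour are assumptions."""
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (enough for a demo key; not a hardened keygen)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits=512):
    """Return ((n, e), (n, d)). 512 bits keeps the demo fast; Secret Server requires 2048/4096."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def pkcs1_v15_wrap(public_key, message):
    """RSAES-PKCS1-v1_5 encryption: EM = 0x00 || 0x02 || PS || 0x00 || M, then EM^e mod n."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(message) > k - 11:  # PS must be at least 8 bytes
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(message) - 3))  # non-zero padding
    em = b"\x00\x02" + ps + b"\x00" + message
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def _pkcs1_v15_unwrap(private_key, ciphertext):
    """Inverse of pkcs1_v15_wrap; rejects anything whose padding structure is wrong."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    if len(ciphertext) != k:
        raise ValueError("decryption error")
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[0] != 0 or em[1] != 2 or sep < 10:  # sep < 10 also covers "separator not found" (-1)
        raise ValueError("decryption error")
    return em[sep + 1:]


class SimulatedHsm:
    """Stands in for a network HSM: the private key never leaves this object."""

    def __init__(self, bits=512, operator_card_required=False):
        self.public_key, self._private = generate_rsa_keypair(bits)  # public half is all the server sees
        self._operator_card_required = operator_card_required  # models an OCS-protected key (assumption)
        self._zeroized = False

    def unwrap(self, wrapped_key):
        if self._zeroized:
            raise RuntimeError("key material destroyed by tamper event")
        if self._operator_card_required:
            # A "silent" caller (a web app with nobody at the console) cannot present a card.
            raise PermissionError("operator card set required; key unusable in silent mode")
        return _pkcs1_v15_unwrap(self._private, wrapped_key)

    def tamper(self):  # lid removed: destroy key data, as the post describes for nShield Connect
        self._private, self._zeroized = None, True


def provision_and_recover(hsm):
    """Setup: wrap a fresh 256-bit master key; startup: get it back through the HSM."""
    master_key = secrets.token_bytes(32)
    wrapped = pkcs1_v15_wrap(hsm.public_key, master_key)  # only this blob is stored by the server
    return master_key, wrapped, hsm.unwrap(wrapped)
```

Note what the server ends up holding: the wrapped blob and the public key, nothing else. Copying the database yields the blob, but turning it back into the master key requires the HSM, which is the point of the integration. The check in `_pkcs1_v15_unwrap` validates the whole `00 02 PS 00 M` structure rather than only the leading bytes. PKCS#1 v1.5 is what this release requires; where the HSM and application both offer OAEP, that is the better padding for new deployments.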

Once the HSM is integrated with Secret Server, follow these steps for security:

  1. Decide who should have access to the “Administer HSM” role permission. This role dictates who can enable or disable the HSM integration.
  2. Set up event subscriptions to monitor:
    1. When this permission is assigned to someone new.
    2. When the HSM configuration is changed.
  3. Consider locking the HSM configuration within Secret Server to prevent changes by adding the application setting “LockHsmConfiguration” with a value of “True”. Changes to the HSM configuration will be prevented in the application until the application setting is removed.