
I am building a solution to store keys and encrypt/decrypt data using an HSM. I am using a network HSM manufactured by Thales. The thing I have noticed is that a key generated in client machine 1 is inaccessible in client machine 2. The key can only be used to encrypt/decrypt data in client machine 1. Is there anything that needs to be changed in my implementation, or is there something to be changed in the net-HSM configuration to enable this? I am using the Pkcs11Interop library for all the key management operations.

I am using token based OCS protection.

Aashish Upadhyay

1 Answer


I suppose your client machine 1 has a new file in the kmdata/local directory associated with the new key generated. But your client machine 2 does not have this file in its kmdata/local directory.

You have to find a way to share the kmdata/local directory, for instance, using NFS.

Egl
  • Isn't that supposed to happen automatically? Otherwise, what's the point of using a network HSM? My understanding was that the keys will be shared across all clients as they have a common RFS. – Aashish Upadhyay Aug 01 '17 at 05:03
  • I suppose the point of a network HSM is that it can be accessible by all machines in this network. That is, all machines can have their own keys in the HSM. It doesn't mean they have to share the keys, since each machine has its own kmdata/local directory. But if you're using a remote file system and the two machines are sharing the same kmdata/local directory, then, yes, the two machines should be able to access the shared keys. – Egl Aug 01 '17 at 08:29
  • Yes, if the clients have a common RFS then they can share the keys. I also found out that the keys do not get synced with the RFS server. There is a utility called rfs-sync.exe that is used to synchronize the keys between RFS and client machines. – Aashish Upadhyay Aug 01 '17 at 09:03
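The practical check that follows from the answer and the comments is to run the same key lookup on both client machines: if the key object is visible through PKCS#11 on machine 1 but not on machine 2, the key blob in kmdata/local has not been synchronised to machine 2, and no amount of changing the encrypt/decrypt code will help. The following is an added example written with the Pkcs11Interop high-level API (it is not code from the question, the answer, or the Pkcs11Interop project); the library path, the key label and the passphrase are assumptions for illustration, and with OCS protection the card set must be presented before the login succeeds.

```csharp
using System;
using System.Collections.Generic;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Added example: verify on a given client whether a token-resident key
// with a known label is visible through the nShield PKCS#11 provider.
// Run the same program on client machine 1 and client machine 2 and
// compare the result.
public static class HsmKeyVisibilityCheck
{
    // Assumed values: adjust to the installed provider path and your key label.
    private const string Pkcs11LibraryPath = @"C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll"; // assumption
    private const string KeyLabel = "app-data-key";                                                     // assumption
    private const string Passphrase = "<OCS passphrase - assumption>";                                   // assumption

    // Returns the number of token-resident secret/private key objects carrying
    // the label. 0 on machine 2 while >0 on machine 1 means the kmdata/local key
    // blob has not reached machine 2 (RFS not shared, or rfs-sync not run).
    public static int CountKeysWithLabel(string libraryPath, string label, string passphrase)
    {
        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library pkcs11 = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
                   factories, libraryPath, AppType.MultiThreaded))
        {
            List<ISlot> slots = pkcs11.GetSlotList(SlotsType.WithTokenPresent);
            if (slots.Count == 0)
                throw new InvalidOperationException("No token present: is the OCS card inserted / HSM reachable?");

            // With OCS protection the key lives on the slot that corresponds to the card set;
            // the first slot with a token present is used here for simplicity.
            ISlot slot = slots[0];

            using (ISession session = slot.OpenSession(SessionType.ReadOnly))
            {
                session.Login(CKU.CKU_USER, passphrase);
                try
                {
                    int total = 0;
                    foreach (CKO keyClass in new[] { CKO.CKO_SECRET_KEY, CKO.CKO_PRIVATE_KEY })
                    {
                        var template = new List<IObjectAttribute>
                        {
                            factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, keyClass),
                            factories.ObjectAttributeFactory.Create(CKA.CKA_TOKEN, true),
                            factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, label)
                        };

                        List<IObjectHandle> found = session.FindAllObjects(template);
                        foreach (IObjectHandle handle in found)
                        {
                            // Read back a few attributes so the operator can see what was matched.
                            List<IObjectAttribute> attrs = session.GetAttributeValue(
                                handle, new List<CKA> { CKA.CKA_LABEL, CKA.CKA_KEY_TYPE, CKA.CKA_EXTRACTABLE });
                            Console.WriteLine(
                                "found {0} label='{1}' keyType={2} extractable={3}",
                                keyClass, attrs[0].GetValueAsString(), attrs[1].GetValueAsUlong(),
                                attrs[2].GetValueAsBool());
                        }
                        total += found.Count;
                    }
                    return total;
                }
                finally
                {
                    session.Logout();
                }
            }
        }
    }

    public static void Main()
    {
        int count = CountKeysWithLabel(Pkcs11LibraryPath, KeyLabel, Passphrase);
        Console.WriteLine(count > 0
            ? "Key is visible on this client."
            : "Key NOT visible on this client: check that kmdata/local is shared via the RFS and synchronised.");
    }
}
```

If the count differs between the two clients, the fix is on the key-management side (share the kmdata/local directory through the RFS and synchronise it with the rfs-sync utility mentioned in the comments), not in the encrypt/decrypt code; the PKCS#11 provider can only present key objects whose blobs exist in its local kmdata directory.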