Virtual HSM
Home
  • Virtual HSM
  • Documentation
    • What is Virtual HSM?
    • Use Case: Attested Secret Provisioning in the Cloud
    • Setup
      • Install
      • vHSM Server Configuration
        • Parameters
        • vHSM Telemetry Parameters
      • vHSM Agent
        • Agent Configuration
      • vHSM Proxy
        • Proxy Configuration
    • Get Started
      • Start the Vault server
      • MariaDB root admin password provisioning on Azure DCXas_v5 VM
    • Supported Cloud Configurations
  • Tutorials
    • Deploying the vhsm Container on an EC2 Instance
    • CLI quickstart
    • vHSM Agent quickstart
    • vHSM Proxy quickstart
    • Passing vHSM secrets using ConfigMaps
    • Provisioning MariaDB Password on Azure DCXas_v5 VM
    • Registering a buckypaper plugin
    • Monitoring vHSM with Grafana
  • Integration with Utimaco SecurityServer
    • Integrate enclaive vHSM with Utimaco HSM
  • API
    • Auth
    • Default
    • Secrets
    • System
    • Identity
    • Models
  • vHSM CLI
    • Server and Infrastructure Management
      • vhsm server
      • vhsm proxy
      • vhsm monitor
      • vhsm status
      • vhsm agent
    • Secret Management
      • vhsm read
      • vhsm write
      • vhsm delete
      • vhsm list
      • vhsm secrets
        • vhsm secrets enable
        • vhsm secrets disable
        • vhsm secrets list
        • vhsm secrets move
        • vhsm secrets tune
      • vhsm unwrap
    • Configuration and Management
      • vhsm plugin
        • vhsm plugin info
        • vhsm plugin deregister
        • vhsm plugin list
        • vhsm plugin register
        • vhsm plugin reload
        • vhsm plugin reload-status
      • vhsm namespace
      • vhsm operator
      • vhsm print
      • vhsm path-help
      • vhsm lease
    • Auditing and Debugging
      • vhsm audit
      • vhsm debug
    • Attestation
    • Security and Encryption
      • vhsm pki
        • vhsm pki health-check
        • vhsm pki issue
        • vhsm pki list-intermediates
        • vhsm pki reissue
        • vhsm pki verify-sign
      • vhsm transit
      • vhsm ssh
      • vhsm transform
    • Authentication and Authorization
      • vhsm login
      • vhsm auth
      • vhsm token
      • vhsm policy
    • Storage and Data Mangement
      • vhsm kv
      • vhsm patch
    • vhsm version
      • vhsm version-history
  • Troubleshooting
    • CA Validity Period
    • CRL Validity Period
    • Root Certificate Issued Non-CA Leaves
    • Role Allows Implicit Localhost Issuance
    • Role Allows Glob-Based Wildcard Issuance
    • Performance Impact
    • Accessibility of Audit Information
    • Allow If-Modified-Since Requests
    • Auto-Tidy Disabled
    • Tidy Hasn't Run
    • Too Many Certificates
    • Enable ACME Issuance
    • ACME Response Headers Configuration
  • Resources
    • Community
    • GitHub
    • Youtube
    • CCx101 wiki
Powered by GitBook
On this page
  • Introduction
  • enclaive vHSM
  • Features
  • Getting started
  • Learn more

Was this helpful?

Virtual HSM

Migrate your HSM to the cloud for enhanced scalability and flexibility. Securely bring your own keys while utilizing hardware-graded security to ensure their protection.

Last updated 7 months ago

Was this helpful?

This documentation is a work in progress and subject to updates and revisions. Keep an eye out for version changes and new additions to ensure you have the latest information.

Introduction

Hardware Security Modules (HSMs) have emerged as indispensable components in safeguarding sensitive data and cryptographic operations. These dedicated hardware devices provide a highly secure environment for generating, storing, and managing cryptographic keys. As the digital landscape becomes increasingly complex and vulnerable to cyber threats, the need for robust HSM solutions has grown exponentially.

While HSMs offer numerous advantages, including physical security, access controls, and performance enhancements, they also present unique challenges, particularly in the context of cloud computing. One of the primary limitations of HSMs is their reliance on physical hardware, which can make it difficult to migrate them to cloud environments.

Unlike software-based security solutions that can be easily moved to the cloud, HSMs require specialized hardware that is typically deployed on-premises. This makes it challenging to achieve the same level of flexibility, scalability, and cost-effectiveness that cloud-based solutions often offer.

Moreover, migrating HSMs to the cloud can involve significant technical and logistical challenges. Organizations may need to establish secure connections between their on-premises HSMs and cloud-based systems, ensuring that sensitive data is protected during transit. Additionally, there may be regulatory and compliance considerations to address, as well as potential security risks associated with cloud-based HSM deployments.

enclaive vHSM

A virtual HSM (vHSM) combines the robust security of hardware-based solutions with the flexibility of confidential virtualization. Virtualization enables seamless integration and migration within complex cloud environments, ensuring scalability, elasticity, high performance, and availability. At the same time, the vHSM employs advanced encryption mechanisms, including 3D encryption, to enhance security, ensuring that neither the cloud provider nor any unauthorized entity can access sensitive keys. Essentially, the security architecture of a vHSM mirrors that of a traditional HSM, with the key distinction being that physical hardware security is replaced by encryption and confidential virtualization technologies.

Technically, the vHSM runs enclaive and in Virtual Machines.

Features

Some of the key features include:

  • Comprehensive identity and access management

  • Multi-cloud compatibility

  • Cloud-native readiness, including secret provisioning of VMs and Kubernetes clusters

  • Support for confidential VMs on AWS, Azure, and GCP

  • Support for TEE-based and HSM-based root of trust

  • 3D security hardening: encryption of secrets during runtime, at rest, and in transit

  • High availability through RAFT storage clusters

  • Workload attestation management with support for AMD SEV, Intel SGX/TDX, and AMD CC technology

Getting started

Learn more

Documentation
Tutorials

Confidential Multi Cloud Platform

Hardware graded key, identity and workload management

Key, identity and access management

Workload identity and access management

Confidential Virtualization

Confidential Kubernetes

Virtual HSM
Buckypaper
Vault
Buckypaper
Vault
Nitride
Nitride
Enclaive Multi Cloud Platform
Dyneemes
Page cover image