Deploying the vhsm Container on an EC2 Instance

Learn to deploy the vhsm container on an EC2 instance by pulling a docker image from ECR.


Last updated 28 days ago


Prerequisites

  • Create an EC2 instance and ensure that its instance type is one of the supported configurations (see Supported Cloud Configurations).

  • Ensure your EC2 instance has the IAM permissions needed to pull images from ECR.

  • Make sure your EC2 instance's security group allows communication on the required ports.

  • Depending on your setup, you may need to expose specific ports for accessing services within the container.

To install and run the vhsm-aws container from Amazon ECR on your EC2 instance, follow these steps:

1. Connect to your EC2 instance.

2. Install and configure Docker on your EC2 instance.

sudo apt update
sudo apt install docker.io

3. Install AWS CLI on your EC2 instance.

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

4. Configure AWS credentials.

aws configure

where

  • AWS Access Key ID: (Get from your AWS IAM)

  • AWS Secret Access Key: (Get from your AWS IAM)

  • Default region name: us-east-1 (or the region you are using)

  • Default output format: Leave it as None

5. Authenticate Docker to Amazon ECR registry where the vhsm container image is stored.

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 709825985650.dkr.ecr.us-east-1.amazonaws.com

6. Pull the vhsm-aws image from ECR.

For example, to pull the image tagged as 1.4.1-0:

docker pull 709825985650.dkr.ecr.us-east-1.amazonaws.com/enclaive/vhsm:1.4.1-0

7. Run a container named vhsm-aws-container using Docker.

docker run --cap-add IPC_LOCK -p8200:8200 --name vhsm-aws-container 709825985650.dkr.ecr.us-east-1.amazonaws.com/enclaive/vhsm:1.4.1-0

Remarks:

  • -p8200:8200: vhsm listens on port 8200 inside the container. Map that container port to the host port of your choice (here 8200); this is the port your security group must allow.

  • --cap-add IPC_LOCK : The IPC_LOCK capability allows a process to lock memory using mlock(2) and related system calls. This means the process can prevent some or all of its memory from being swapped out to disk. It's essential for applications that handle sensitive data, such as cryptographic keys or credentials, and want to avoid them being written to swap space.

8. Verify the container is running.

docker ps

9. Check the container logs to confirm it started correctly:

docker logs vhsm-aws-container
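The run and verification steps above, collected into one post-deployment check script. This is an added example and not part of the enclaive documentation: it assumes the account id, region, image tag and container name used on this page, that docker is on PATH, and that the EC2 user may talk to the Docker daemon. It confirms the two things the remarks above care about, that IPC_LOCK was actually granted (so key material can be mlock'ed and kept out of swap) and that port 8200 is published, and it flags a bind on all interfaces, in which case the security group is the only thing gating access to the API.

```shell
#!/bin/sh
# Post-deployment check for the vhsm-aws container deployed above.
# Added example; values below are the ones used on this page (assumption).
set -eu

ACCOUNT_ID="709825985650"
REGION="us-east-1"
IMAGE_TAG="1.4.1-0"
CONTAINER="vhsm-aws-container"

# ECR registry host for an account id and region.
ecr_registry() {
    printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# Full image reference: <registry>/enclaive/vhsm:<tag>
image_ref() {
    printf '%s/enclaive/vhsm:%s' "$(ecr_registry "$1" "$2")" "$3"
}

# Takes the output of `docker inspect --format '{{.HostConfig.CapAdd}}'`
# (e.g. "[IPC_LOCK]"). Succeeds only if IPC_LOCK was granted; without it
# the server cannot mlock its memory and secrets may be swapped to disk.
has_ipc_lock() {
    case "$1" in
        *IPC_LOCK*) return 0 ;;
        *) return 1 ;;
    esac
}

# Takes one line of `docker port <name> 8200/tcp` output (e.g. "0.0.0.0:8200"
# or "[::]:8200") and prints the host port; fails if the port is unpublished.
mapped_host_port() {
    case "$1" in
        *:*) printf '%s' "${1##*:}" ;;
        *) return 1 ;;
    esac
}

# Same input; succeeds if the publish binds every interface, meaning the
# EC2 security group alone decides who can reach the vhsm API.
bound_to_all_interfaces() {
    case "$1" in
        0.0.0.0:*|"[::]:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks against the running container (only run with the "check" arg,
# so the helpers above stay sourceable from other scripts).
check_running() {
    caps=$(docker inspect --format '{{.HostConfig.CapAdd}}' "$CONTAINER")
    if has_ipc_lock "$caps"; then
        echo "ok: IPC_LOCK granted ($caps)"
    else
        echo "warn: IPC_LOCK missing; sensitive memory may reach swap" >&2
        return 1
    fi

    port=$(docker port "$CONTAINER" 8200/tcp | head -n 1)
    host_port=$(mapped_host_port "$port") || {
        echo "error: port 8200 is not published" >&2
        return 1
    }
    echo "ok: vhsm API published on host port $host_port"
    if bound_to_all_interfaces "$port"; then
        echo "note: bound on all interfaces; restrict access via the security group"
    fi

    echo "expected image: $(image_ref "$ACCOUNT_ID" "$REGION" "$IMAGE_TAG")"
    echo "running image:  $(docker inspect --format '{{.Config.Image}}' "$CONTAINER")"
}

case "${1:-}" in
    check) check_running ;;
    *) echo "usage: $0 check" ;;
esac
```

Run it on the instance as `sh check-vhsm.sh check` after step 7; a non-zero exit means the container is running without IPC_LOCK or without its API port published.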

Troubleshooting:

  • If you run into Docker permission errors, make sure your user can access the Docker daemon: run the Docker commands with sudo or add your user to the docker group.

  • If authentication fails when running docker login, ensure that your AWS credentials are configured correctly.
