Store Encryption Keys on Securosys HSM

You can configure an HSM device and store the Securden encryption key in it for additional security. An HSM (hardware security module) is a security-hardened device used for storing, generating, and rotating encryption keys. Before the Securden encryption key can be moved into the HSM, you need to provide certain details of the device and configure it as described below.

Prerequisite:

You need to take a backup of your entire database along with the encryption key before starting the HSM configuration process.

Step 1: Stopping the Securden PAM service on Primary and Secondary servers

  • Open services.msc and stop the Securden PAM service.
  • If you have configured secondary application servers in your organization, stop the Securden PAM service on all the secondary servers as well.

Step 2: Configuring the HSM

Navigate to the /bin directory and locate ConfigureHSM.exe. Open ConfigureHSM.exe and provide the following details:

  1. HSM Provider Name: The name of your HSM provider. You can select Securosys from the drop-down menu.
  2. DLL File Path: Securden integrates with your HSM provider through the provider's primus.dll file. Specify the location of this file in this field.
  3. HSM Slot ID: The partition in which the Securden encryption key should be stored.
  4. HSM Slot Password: The credential required for accessing the HSM and storing the encryption key in the slot mentioned above.
  5. Encryption Key Label: The name with which the Securden encryption key should be stored in the HSM.

Once the required details are provided, click Configure.

Important

After configuring the HSM,

  1. The entire database will be decrypted using your current key and re-encrypted using a new key that is stored in your HSM.
  2. You need to take a fresh backup of your database: your previous backup copies can no longer be restored, because they were encrypted with a different key.
  3. If you had configured secondary servers of any type before configuring the HSM, they will not work as intended after the process completes, because the encryption key on the primary server no longer matches the key on the secondary servers. You need to re-configure all secondary servers (remote distributors and high availability servers) and deploy the application server package once again.
  4. Securden primary and secondary servers share the same HSM keys. You need to ensure that HSM keys (hsm_1.key, hsm__2.key, and hsm_3.key) are located in the default (Securden\conf) folder.
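The following PowerShell script is an added example, not Securden's own tooling, that wraps the procedure above with the checks an administrator would want: it verifies the prerequisite backup and the primus.dll path before anything is stopped, stops the Securden PAM service on the primary and on every secondary (Step 1), and, after you have run ConfigureHSM.exe, confirms that the three HSM key files are present in the conf folder and byte-identical on each secondary (note 4 above). The Windows service name, the install root, the backup path, and the secondary host names are assumptions and must be adjusted to your environment; ConfigureHSM.exe itself is a GUI tool, so the slot ID, slot password and key label are still entered by hand.

```powershell
# Added example (not Securden's own code): pre-flight and post-configuration checks
# around ConfigureHSM.exe. Values below are assumptions, not taken from the documentation.
param(
    [string]   $ServiceName    = 'Securden PAM',               # assumed Windows service name
    [string]   $InstallRoot    = 'C:\Securden',                # assumed install root
    [string]   $PrimusDll      = 'C:\Securosys\primus.dll',    # assumed DLL location
    [string]   $BackupPath     = 'D:\Backups\securden_pre_hsm', # assumed location of the prerequisite backup
    [string[]] $SecondaryHosts = @('sec-01', 'sec-02')         # assumed secondary server names
)

$ConfDir  = Join-Path $InstallRoot 'conf'
$KeyFiles = @('hsm_1.key', 'hsm__2.key', 'hsm_3.key')   # file names as listed in note 4

function Test-HsmPrerequisites {
    # Prerequisite: a backup of the database and the current encryption key must exist,
    # and the DLL that ConfigureHSM.exe will load must be where you intend to point it.
    $ok = $true
    if (-not (Test-Path $BackupPath)) {
        Write-Warning "No pre-HSM backup found at $BackupPath"; $ok = $false
    }
    if (-not (Test-Path $PrimusDll -PathType Leaf)) {
        Write-Warning "primus.dll not found at $PrimusDll"; $ok = $false
    }
    if (-not (Test-Path (Join-Path $InstallRoot 'bin\ConfigureHSM.exe') -PathType Leaf)) {
        Write-Warning "ConfigureHSM.exe not found under $InstallRoot\bin"; $ok = $false
    }
    return $ok
}

function Stop-SecurdenPam {
    param([string[]] $Hosts)
    # Step 1: stop the service on the primary (this machine) and on every secondary.
    Stop-Service -Name $ServiceName -ErrorAction Stop
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', '00:01:00')
    foreach ($h in $Hosts) {
        Invoke-Command -ComputerName $h -ScriptBlock {
            param($svc)
            Stop-Service -Name $svc -ErrorAction Stop
            (Get-Service -Name $svc).WaitForStatus('Stopped', '00:01:00')
        } -ArgumentList $ServiceName
    }
}

function Test-HsmKeyFiles {
    param([string[]] $Hosts)
    # Post-configuration: all three key files must exist in conf on the primary, and
    # each secondary must carry identical copies, because primary and secondaries share
    # the same HSM keys. A hash mismatch is the symptom behind note 3 above.
    $local = @{}
    foreach ($f in $KeyFiles) {
        $p = Join-Path $ConfDir $f
        if (-not (Test-Path $p -PathType Leaf)) { Write-Warning "Missing $p on primary"; return $false }
        $local[$f] = (Get-FileHash -Path $p -Algorithm SHA256).Hash
    }
    $allMatch = $true
    foreach ($h in $Hosts) {
        $remote = Invoke-Command -ComputerName $h -ScriptBlock {
            param($dir, $files)
            $r = @{}
            foreach ($f in $files) {
                $p = Join-Path $dir $f
                $r[$f] = if (Test-Path $p -PathType Leaf) { (Get-FileHash -Path $p -Algorithm SHA256).Hash } else { $null }
            }
            $r
        } -ArgumentList $ConfDir, $KeyFiles
        foreach ($f in $KeyFiles) {
            if ($remote[$f] -ne $local[$f]) {
                Write-Warning "$f on $h does not match the primary copy"; $allMatch = $false
            }
        }
    }
    return $allMatch
}

if (-not (Test-HsmPrerequisites)) {
    throw 'Prerequisites not met; resolve the warnings above before running ConfigureHSM.exe'
}
Stop-SecurdenPam -Hosts $SecondaryHosts
Write-Host "Services stopped. Run $InstallRoot\bin\ConfigureHSM.exe now, then run:"
Write-Host '  Test-HsmKeyFiles -Hosts $SecondaryHosts'
```

The remote calls use PowerShell Remoting (WinRM) and therefore need an account with administrative rights on each secondary. The key-file comparison only tells you that the files match; it does not replace re-configuring the secondaries and redeploying the application server package as note 3 requires.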