Key Store Management on

Support Matrix

Mon, 01 Jan 0001 00:00:00 +0000

Support Matrix for HSM

The following table for the support matrix describes the hardware requirements, software requirements, and the compatibility information of the Enterprise Security Administrator (ESA) and the Hardware Security Module (HSM).

System or Appliance	Supported Version
Enterprise System Administrator (ESA)	10.2.0 and later
Thales Luna Appliance	7.4.0
Firmware	7.3.3
Thales Luna Universal Client	10.3.0
Thales Data Protection on Demand (DPoD) Universal Client	10.7

Support Matrix for Cloud Platforms

The following table provides compatibility information of the cloud platforms, such as Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) with the Protegrity ESA appliance.

Configuring the ESA with HSMs supporting PKCS#11 Interface

Mon, 01 Jan 0001 00:00:00 +0000

Verifying the Prerequisites

Ensure that the following prerequisites are met:

Ensure that you have downloaded HSM Client on your local machine.
Ensure that the HSM partition is initialized.
Ensure that you have downloaded the required libraries, configuration files, and certificates required for connecting to the HSM. The certificates can include the server certificate of the HSM, the client certificate for the ESA appliance, and the CA certificate.
For more information required about the files required for connecting to the HSM, refer the documentation for the corresponding HSM.

Configuring the ESA with the Thales Luna HSM

Mon, 01 Jan 0001 00:00:00 +0000

Verifying the Prerequisites

Ensure that the following prerequisites are met:

Ensure that the HSM partition is initialized.
Ensure that you have downloaded the required libraries, configuration files, and certificates required for connecting to the HSM. The certificates can include the server certificate of the Thales Luna HSM, the client certificate for the ESA appliance, and the CA certificate.
For more information required about the files required for connecting to the Thales Luna HSM, refer to the Thales Luna documentation.

Configuring the ESA with Thales Data Protection on Demand (DPoD) HSM

Mon, 01 Jan 0001 00:00:00 +0000

Verifying the Prerequisites

Ensure that the following prerequisites are met:

Ensure that the HSM partition is initialized.
Ensure that you have downloaded the required libraries, configuration files, and certificates required for connecting to the HSM. The certificates can include the server certificate of the Thales DPoD HSM, the client certificate for the ESA appliance, and the CA certificate.
For more information required about the files required for connecting to the Thales DPoD HSM, refer to the Thales DPoD documentation.

Configuring the ESA with AWS Key Management System (KMS)

Mon, 01 Jan 0001 00:00:00 +0000

Verifying the Prerequisites

Ensure that the following prerequisites are met before configuring the ESA with the AWS Key Store.

Authorization

The Amazon Web Services Key Management Service (AWS KMS) allows you to enable the creation of the data encryption key (DEK). Additionally, you can also encrypt and decrypt the data, and generate random bytes of data using the Key Management Gateway (KMGW) in the ESA.

To use the AWS KMS as a key store, the following permissions are required by the AWS user or role:

Configuring the ESA with Google Cloud KMS

Mon, 01 Jan 0001 00:00:00 +0000

Verifying the Prerequisites

Ensure that the following prerequisites are met before configuring the ESA with the Google Cloud KMS.

Authorization

The resources are organized into a hierarchy in the GCP Key Store. This hierarchy helps to manage and grant access to the resources at various levels of granularity. The scope of the role depends on the level of the resource hierarchy, where the role is granted to access the Google Cloud resources.

Configuring the ESA with Azure Key Vault Managed HSM

Mon, 01 Jan 0001 00:00:00 +0000

Verifying the Prerequisites

Ensure that the following prerequisites are met before configuring the ESA with the Azure Key Vault Managed HSM.

Configuring the Managed HSM

Protegrity supports the Managed HSM Key Vault type due to the presence of Get Random Bytes functionality, which is not available in the standard Key Vault.

Ensure that the Azure Managed HSM is already set up and activated on your system.

For more information about setting up an Azure Managed HSM, refer to Quickstart: Provision and activate a Managed HSM using Azure CLI.

Switching Key Stores

Mon, 01 Jan 0001 00:00:00 +0000

Verify individual vendor’s requirement

When using a Key Store (HSM) provided by a specific vendor, consult the vendor to ensure that the infrastructure in place can handle any issues with the Key Store. Issues can include data loss or breakdowns. With the required measures in place, minimal impact to the business critical data and the involved processes can be ensured. Ensure that you follow the best practices specified by the vendor for business continuity.

Troubleshooting

Mon, 01 Jan 0001 00:00:00 +0000

The following section provides information about errors that are related to HSM integration with the ESA and the steps to resolve the errors.

Known Error or Problem: When you try to switch to an HSM, the switch fails.

This may happen because:

The HSM does not support or allow the type of key that is used.

Recovery:

Verify that the HSM supports creating secret keys with the following attributes:
- CKA_PRIVATE: TRUE
- CKA_SENSITIVE: TRUE
- CKA_EXTRACTABLE: FALSE
- CKA_ENCRYPT: TRUE
- CKA_DECRYPT: TRUE
- CKA_MODIFIABLE: FALSE
- CKA_WRAP: TRUE
- CKA_UNWRAP: TRUE
- CKA_DERIVE: FALSE
- CKA_SIGN: FALSE
- CKA_VERIFY: FALSE

TAC Replication of Key Store-specific Files and Certificates

Mon, 01 Jan 0001 00:00:00 +0000

A Trusted Appliances cluster (TAC) is a tool, where appliances such as the ESA replicate and maintain information. A trusted channel is created to transfer data between the appliances in a cluster. This section describes the steps that must be followed for replication of the Key Store-specific files and certificates in a TAC. In addition, it also explains the measures you must take while performing a replication without the Key Store files and certificates.