To use an HSM with your Fabric node, you need to update the bccsp (Blockchain Crypto Service Provider) section of the node configuration file, such as core.yaml or orderer.yaml. In the bccsp section, select PKCS11 as the provider and enter the path to the PKCS11 library that you would like to use. You also need to provide the Label and PIN of the token that you created for your cryptographic operations. A single token can generate and store multiple keys.
The prebuilt Hyperledger Fabric Docker images are not enabled to use PKCS11. If you are deploying Fabric using Docker, you need to build your own images and enable PKCS11 using the following command:
You also need to ensure that the PKCS11 library is available to the node, by installing it on the host or mounting it inside the container.
Example
The following example demonstrates how to configure a Fabric node to use an HSM.
First, you will need to install an implementation of the PKCS11 interface. This example uses the softhsm open source implementation. After downloading and configuring softhsm, you will need to set the SOFTHSM2_CONF environment variable to point to the softhsm2 configuration file. Every process that loads the softhsm library (softhsm2-util, the peer, the orderer and the CA) must see the same SOFTHSM2_CONF, otherwise they will not be looking at the same token store.
You can then use softhsm to create the token that will handle the cryptographic operations of your Fabric node inside an HSM slot. In this example, we create a token labelled "fabric" and set the PIN to "71811222" (an example value; use a strong PIN in any real deployment). After you have created the token, update the configuration file to use PKCS11 and your token as the crypto service provider. You can find an example bccsp section below:
```yaml
#############################################################################
# BCCSP (BlockChain Crypto Service Provider) section is used to select which
# crypto library implementation to use
#############################################################################
bccsp:
  default: PKCS11
  pkcs11:
    Library: /etc/hyperledger/fabric/libsofthsm2.so
    Pin: "71811222"
    Label: fabric
    hash: SHA2
    security: 256
    Immutable: false
```
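The steps above (install softhsm, point SOFTHSM2_CONF at a configuration file, create the token, then reference its Label and PIN from the bccsp section) can be scripted so that the token the node connects to is created exactly once and verified before the node starts. The script below is an added example, not part of the Fabric documentation or the Fabric project; the work directory, the candidate library locations and the label, PIN and SO PIN values are assumptions for illustration. It writes a softhsm2.conf, initialises a token with softhsm2-util, confirms the label is visible through the library (which is what the peer or orderer will query), and locates libsofthsm2.so so that its path can be placed in bccsp.pkcs11.Library or bind-mounted into a container.

```shell
#!/bin/sh
# Added example (not Fabric's own code): prepare a SoftHSM2 token for a
# Fabric node. Paths, label and PINs are illustrative assumptions.
set -eu

# Write a minimal softhsm2.conf under WORKDIR and print its path.
# SOFTHSM2_CONF must point at this file for every process that loads
# libsofthsm2.so, or each process will see a different (empty) token store.
write_softhsm_conf() {
  workdir="$1"
  mkdir -p "$workdir/tokens"
  chmod 700 "$workdir/tokens"            # the token files hold the private keys
  conf="$workdir/softhsm2.conf"
  cat > "$conf" <<EOF
directories.tokendir = $workdir/tokens
objectstore.backend = file
log.level = INFO
EOF
  chmod 600 "$conf"
  printf '%s\n' "$conf"
}

# Initialise a token whose Label and user PIN match bccsp.pkcs11 in the node
# config, then check that the library reports that label back.
# Returns 0 on success, 1 if the token is not visible, 2 if softhsm2-util is
# not installed (so callers can skip on hosts without SoftHSM).
init_fabric_token() {
  conf="$1"; label="$2"; pin="$3"; so_pin="$4"
  command -v softhsm2-util >/dev/null 2>&1 || return 2
  SOFTHSM2_CONF="$conf" softhsm2-util --init-token --slot 0 \
      --label "$label" --pin "$pin" --so-pin "$so_pin" >/dev/null
  SOFTHSM2_CONF="$conf" softhsm2-util --show-slots \
      | grep -q "Label:[[:space:]]*$label\$"
}

# Find libsofthsm2.so on this host; prints the first match or returns 1.
# The directories are common package locations, not an exhaustive list.
find_softhsm_lib() {
  for d in /usr/lib/softhsm /usr/lib64/softhsm /usr/local/lib/softhsm \
           /usr/lib/x86_64-linux-gnu/softhsm /usr/lib/aarch64-linux-gnu/softhsm \
           /opt/homebrew/lib/softhsm; do
    if [ -f "$d/libsofthsm2.so" ]; then
      printf '%s\n' "$d/libsofthsm2.so"
      return 0
    fi
  done
  return 1
}

# Usage: sh hsm_setup.sh run   (the functions above are reusable on their own)
if [ "${1:-}" = "run" ]; then
  conf=$(write_softhsm_conf "${SOFTHSM_HOME:-$HOME/softhsm}")
  echo "SOFTHSM2_CONF=$conf"
  if init_fabric_token "$conf" fabric 71811222 1234; then
    echo "token 'fabric' initialised and visible"
  else
    echo "token setup failed or softhsm2-util missing (rc=$?)" >&2
    exit 1
  fi
  lib=$(find_softhsm_lib) && echo "Library: $lib"
fi
```

The user PIN is the value that goes into bccsp.pkcs11.Pin; the SO PIN is only needed by softhsm2-util to administer the token and should not be given to the node. Keep the tokens directory and the configuration file readable only by the account the node runs as, since with SoftHSM the "hardware" protection is just file permissions.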
By default, when private keys are generated using the HSM, the private key is mutable, meaning the PKCS11 private key attributes can be changed after the key is generated. Setting Immutable to true means that the private key attributes cannot be altered after key generation. Before you configure immutability by setting Immutable: true, ensure that the HSM supports PKCS11 object copy (C_CopyObject), because that operation is used to produce the non-modifiable copy of the key; on an HSM without it, key generation fails once Immutable is set.
You can also use environment variables to override the relevant fields of the configuration file. If you are connecting to softhsm2 using the Fabric CA server, you could set the following environment variables or directly set the corresponding values in the CA server config file:
```shell
FABRIC_CA_SERVER_BCCSP_DEFAULT=PKCS11
FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
FABRIC_CA_SERVER_BCCSP_PKCS11_PIN=71811222
FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL=fabric
```
If you are connecting to softhsm2 using the Fabric peer, you could set the following environment variables or directly set the corresponding values in the peer config file:
```shell
CORE_PEER_BCCSP_DEFAULT=PKCS11
CORE_PEER_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
CORE_PEER_BCCSP_PKCS11_PIN=71811222
CORE_PEER_BCCSP_PKCS11_LABEL=fabric
```
If you are connecting to softhsm2 using the Fabric orderer, you could set the following environment variables or directly set the corresponding values in the orderer config file:
```shell
ORDERER_GENERAL_BCCSP_DEFAULT=PKCS11
ORDERER_GENERAL_BCCSP_PKCS11_LIBRARY=/etc/hyperledger/fabric/libsofthsm2.so
ORDERER_GENERAL_BCCSP_PKCS11_PIN=71811222
ORDERER_GENERAL_BCCSP_PKCS11_LABEL=fabric
```
Whether the PIN is set in the config file or in the environment, treat it as a secret: a PIN in the environment is readable by anyone who can run docker inspect or read the process environment, and a PIN in the config file is only as protected as the file permissions on that file.
If you are deploying your nodes using docker compose, after building your own images, you can update your docker compose files to mount the softhsm library and configuration file inside the container using volumes. As an example, you would add the following environment and volumes entries to your docker compose file:
```yaml
environment:
  - SOFTHSM2_CONF=/etc/hyperledger/fabric/config.file
volumes:
  - /home/softhsm/config.file:/etc/hyperledger/fabric/config.file
  - /usr/local/Cellar/softhsm/2.1.0/lib/softhsm/libsofthsm2.so:/etc/hyperledger/fabric/libsofthsm2.so
```
FAQs
Hardware security modules (HSMs) are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates.
What is an HSM master key?
On Palo Alto Networks firewalls and Panorama, a master key encrypts all private keys and passwords on the device. If you have security requirements to store your private keys in a secure location, you can encrypt the master key using an encryption key that is stored on an HSM.
How to use an HSM?
Using an HSM with your own CA
Configure your CA to communicate with an HSM using PKCS11 and create a Label and PIN. Then use your CA to generate the private key and signing certificate for each node, with the private key generated inside the HSM. Use your CA to build the peer or ordering node MSP folder.
Which IBM Cloud solution provides dedicated services and hardware security modules (HSMs) to manage encryption keys?
IBM Cloud® Hyper Protect Crypto Services is a dedicated key management service and Hardware Security Module (HSM) offering: a physical appliance that provides on-demand encryption, key management, and key storage as a managed service.
Why is an HSM used?
A hardware security module (HSM) is a physical device that provides extra security for sensitive data. This type of device is used to provision cryptographic keys for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.
Why do you need an HSM?
What is an HSM? HSM stands for Hardware Security Module: dedicated, hardened hardware for securely storing cryptographic keys. It can encrypt, decrypt, create, store and manage digital keys, and be used for signing and authentication. The purpose is to safeguard and protect sensitive data.
What are the two types of HSM?
Types of Hardware Security Modules (HSMs)
There are two primary types of HSMs: general purpose and payment hardware security modules.
What are the keys used in an HSM?
In payment HSMs, Local Master Keys (LMKs) are the only keys that are stored inside the HSM. LMKs are not used for encrypting data, but are instead used to encrypt and decrypt other keys as these enter or leave the HSM.
What are the risks of not using an HSM?
Without HSMs, encryption keys are stored on servers or other devices that can be compromised, allowing the keys to be copied and leading to security breaches and loss of sensitive data.
What does HSM stand for?
Hardware Security Modules (HSMs) are hardened, tamper-resistant hardware devices that strengthen encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures.
What is the difference between a hardware security module (HSM) and a key management service (KMS)?
HSM devices are responsible for protecting the keys themselves, providing a secure foundation for cryptographic materials. In contrast, KMS servers control the entire lifecycle of cryptographic keys and securely handle key distribution for both inbound and outbound requests; a KMS is often backed by HSMs.
Which service uses a hardware security module to protect encryption keys in the cloud?
Google Cloud HSM is a cloud-hosted Hardware Security Module (HSM) service that allows you to host encryption keys and perform cryptographic operations in a cluster of FIPS 140-2 Level 3 certified HSMs.
Which of the following functions can be performed by a hardware security module (HSM)?
A hardware security module is a tamper- and intrusion-resistant, highly trusted physical device that performs all major cryptographic operations, including encryption, decryption, authentication, key management and key exchange. Its purpose is to conceal and protect cryptographic key material so that keys are used inside the device but never leave it in the clear.
What are general purpose HSMs?
General Purpose HSMs Solution
A general purpose HSM provides a secure solution for generating encryption and signing keys, creating digital signatures, encrypting data, and more. These HSMs are available in three FIPS 140-2 certified form factors and support a variety of deployment scenarios.
What is the difference between a Hardware Security Module (HSM) and a TPM?
TPM and HSM both protect your cryptographic keys from unauthorized access and tampering. A TPM stores keys securely within your device, while an HSM offers dedicated hardware for key storage, management, backup, and separation of access control.
What is the use case of an HSM?
HSMs are physical devices that perform cryptographic operations such as key generation and storage, identity and database protection, key exchange, encryption and decryption, to ensure the safety of business secrets.
What is the purpose of implementing a hardware-based security module in IoT devices?
Because easily accessible IoT devices are vulnerable to physical attacks, tamper-resistant hardware security modules are required to secure information, such as cryptographic keys, and operations such as data encryption or PIN verification.