HSM on a virtual host like Linode.com VPS

Good day,

Please suggest how to get private keys stored in a hardware device like your Nitro HSM but on a virtual hosting like Linode.

Most likely Linode will not allow me to post them a key and insert it into their server, but I think a smaller hosting company could accept such a challenge?

What is the idea behind networked HSM devices? How do they provide the required level of security if on a Linux host there is no hardware device like NitroKey/HSM? Are networked HSM devices only for LAN environments without MITM threats?

You will need to integrate the HSM on the application level. We do that with the PKI-as-a-Service Portal, where a SmartCard-HSM is connected from remote. This is done either statically (the remote device remains connected to the service) or dynamically (the remote device is connected as part of a user process).

We’ve implemented the necessary RAMoverHTTP protocol in the OpenSCDP ScriptingServer with a Java based client in OCF and a C-based client in sc-hsm-embedded. The principle is explained here.

You could also use USBIP to hook up a remote HSM to the virtual server, but that requires an additional layer of functionality. The beauty of using the RAMoverHTTP approach is that it uses secure messaging between the HSM and the server application for end-to-end confidentiality and integrity.


@sanyo I haven’t tried it, but using p11-kit to forward the HSM through SSH should also fit your use case: Forwarding an HSM to remote EJBCA.

By the way, thanks for the tips @sc-hsm!
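As an added example (not from the thread, the linked EJBCA article, or p11-kit's own documentation), this is the client-side p11-kit module file that the SSH-forwarding approach in the last reply relies on. The host name, user name, key and module path are assumptions, and the Nitrokey HSM is assumed to be driven by OpenSC's PKCS#11 module on the machine it is plugged into.

```ini
# /etc/pkcs11/modules/remote-hsm.module  (on the VPS, where the application runs)
# Added example; hsm-host.example, hsm-user and the module path are assumptions.
#
# Instead of "module: <path>", "remote: |<command>" makes p11-kit start the
# command and speak its PKCS#11 RPC over the command's stdin/stdout. With ssh
# as the command, the RPC is carried inside an authenticated, encrypted SSH
# session, so no PKCS#11 port is ever exposed on the network.
remote: |ssh -o BatchMode=yes hsm-user@hsm-host.example p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

# Load it only through the p11-kit proxy / p11-kit aware applications, not
# for tools that handle their own module list (paths are examples).
disable-in: p11-kit-proxy

# On hsm-host.example, pin the VPS key to exactly this job in
# ~hsm-user/.ssh/authorized_keys so a compromised VPS gets a PKCS#11 session
# (still PIN-protected) and nothing else on the host, for example:
#   command="p11-kit remote /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so",no-port-forwarding,no-pty,no-agent-forwarding ssh-ed25519 AAAA<vps-key> vps
```

After installing the file, `p11-kit list-modules` on the VPS should list `remote-hsm` and the remote token; the private keys remain on the HSM, and the VPS only ever sees signing and decryption results.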