HSM Integration
Learn more about integrating an HSM with Infisical KMS.
Changing the encryption strategy for your instance is an Enterprise-only feature. This section is intended for users who have obtained an Enterprise license and are on-premise.
Please reach out to [email protected] if you have any questions.
Overview
Infisical KMS currently supports two encryption strategies:
- Standard Encryption: This is the default encryption strategy used by Infisical KMS. It uses a software-protected encryption key to encrypt KMS keys within your Infisical instance. The root encryption key is defined by setting the
ENCRYPTION_KEY
environment variable. - Hardware Security Module (HSM): This encryption strategy uses a Hardware Security Module (HSM) to create a root encryption key that is stored on a physical device to encrypt the KMS keys within your instance.
Hardware Security Module (HSM)
Using a hardware security module comes with the added benefit of having a secure and tamper-proof device to store your encryption keys. This ensures that your data is protected from unauthorized access.
All encryption keys used for cryptographic operations are stored within the HSM. This means that if the HSM is lost or destroyed, you will no longer be able to decrypt your data stored within Infisical. Most providers offer recovery options for HSM devices, which you should consider when setting up an HSM device.
Enabling HSM encryption has a set of key benefits:
- Root Key Wrapping: The root KMS encryption key that is used to secure your Infisical instance will be encrypted using the HSM device rather than the standard software-protected key.
- FIPS 140-2/3 Compliance: Using an HSM device ensures that your Infisical instance is FIPS 140-2 or FIPS 140-3 compliant. For FIPS 140-3, ensure that your HSM is FIPS 140-3 validated.
Caveats
- Performance: Using an HSM device can have a performance impact on your Infisical instance. This is due to the additional latency introduced by the HSM device. This is however only noticeable when your instance(s) start up or when the encryption strategy is changed.
- Key Recovery: If the HSM device is lost or destroyed, you will no longer be able to decrypt your data stored within Infisical. Most HSM providers offer recovery options, which you should consider when setting up an HSM device.
Requirements
- An Infisical instance with a version number that is equal to or greater than
v0.91.0
. - If you are using Docker, your instance must be using the
infisical/infisical-fips
image. - An HSM device from a provider such as Thales Luna HSM, AWS CloudHSM, or others.
FIPS Compliance
FIPS, also known as the Federal Information Processing Standard, is a set of standards that are used to accredit cryptographic modules. FIPS 140-2 and FIPS 140-3 are the two most common standards used for cryptographic modules. If your HSM uses FIPS 140-3 validated hardware, Infisical will automatically be FIPS 140-3 compliant. If your HSM uses FIPS 140-2 validated hardware, Infisical will be FIPS 140-2 compliant.
HSM devices are especially useful for organizations that operate in regulated industries such as healthcare, finance, and government, where data security and compliance are of the utmost importance.
For organizations that work with US government agencies, FIPS compliance is almost always a requirement when dealing with sensitive information. FIPS compliance ensures that the cryptographic modules used by the organization meet the security requirements set by the US government.
Setup Instructions
Setting up an HSM Device
To set up HSM encryption, you need to configure an HSM provider and HSM key. The HSM provider is used to connect to the HSM device, and the HSM key is used to encrypt Infisical’s KMS keys. We recommend using a Cloud HSM provider such as Thales Luna HSM or AWS CloudHSM.
You need to follow the instructions provided by the HSM provider to set up the HSM device. Once the HSM device is set up, the HSM device can be used within Infisical.
After setting up the HSM from your provider, you will have a set of files that you can use to access the HSM. These files need to be present on the machine where Infisical is running. If you are using containers, you will need to mount the folder where these files are stored as a volume in the container.
The setup process for an HSM device varies depending on the provider. We have created a guide for Thales Luna Cloud HSM, which you can find below.
Configure HSM on Infisical
Are you using Docker or Kubernetes for your deployment? If you are using Docker or Kubernetes, please follow the instructions in the Using HSM’s in your Deployment section.
Configuring the HSM on Infisical requires setting a set of environment variables:
HSM_LIB_PATH
: The path to the PKCS#11 library provided by the HSM provider. This usually comes in the form of a.so
for Linux and MacOS, or a.dll
file for Windows. For Docker, you need to mount the library path as a volume. Further instructions can be found below. If you are using Docker, make sure to set the HSM_LIB_PATH environment variable to the path where the library is mounted in the container.HSM_PIN
: The PKCS#11 PIN to use for authentication with the HSM device.HSM_SLOT
: The slot number to use for the HSM device. This is typically between0
and5
for most HSM devices.HSM_KEY_LABEL
: The label of the key to use for encryption. Please note that if no key is found with the provided label, the HSM will create a new key with the provided label.
You can read more about the default instance configurations here.
Restart Instance
After setting up the HSM, you need to restart the Infisical instance for the changes to take effect.
Navigate to the Server Admin Console
Update the KMS Encryption Strategy to HSM
Once you press the ‘Save’ button, your Infisical instance will immediately switch to the HSM encryption strategy. This will re-encrypt your KMS key with keys from the HSM device.
Verify Encryption Strategy
To verify that the HSM was correctly configured, you can try creating a new secret in one of your projects. If the secret is created successfully, the HSM is now being used for encryption.
Using HSMs In Your Deployment
When using Docker, you need to mount the path containing the HSM client files. This section covers how to configure your Infisical instance to use an HSM with Docker.
Create HSM client folder
When using Docker, you are able to set your HSM library path to any location on your machine. In this example, we are going to be using /etc/luna-docker
.
After setting up your Luna Cloud HSM client, you should have a set of files, referred to as the HSM client. You don’t need all the files, but for simplicity we recommend copying all the files from the client.
A folder structure of a client folder will often look like this:
The most important parts of the client folder is the Chrystoki.conf
file, and the libs
, plugins
, and jsp
folders. You need to copy these files to the folder you created in the first step.
Update Chrystoki.conf
The Chrystoki.conf
file is used to configure the HSM client. You need to update the Chrystoki.conf
file to point to the correct file paths.
In this example, we will be mounting the /etc/luna-docker
folder to the Docker container under a different path. The path we will use in this example is /usr/safenet/lunaclient
. This means /etc/luna-docker
will be mounted to /usr/safenet/lunaclient
in the Docker container.
An example config file will look like this:
Save the file after updating the paths.
Run Docker
Running Docker with HSM encryption requires setting the HSM-related environment variables as mentioned previously in the HSM setup instructions. You can set these environment variables in your Docker run command.
We are setting the environment variables for Docker via the command line in this example, but you can also pass in a .env
file to set these environment variables.
If no key is found with the provided key label, the HSM will create a new key with the provided label.
Infisical depends on an AES and HMAC key to be present in the HSM. If these keys are not present, Infisical will create them. The AES key label will be the value of the HSM_KEY_LABEL
environment variable, and the HMAC key label will be the value of the HSM_KEY_LABEL
environment variable with the suffix _HMAC
.
We recommend reading further about using Infisical with Docker.
After following these steps, your Docker setup will be ready to use HSM encryption.
Create HSM client folder
When using Docker, you are able to set your HSM library path to any location on your machine. In this example, we are going to be using /etc/luna-docker
.
After setting up your Luna Cloud HSM client, you should have a set of files, referred to as the HSM client. You don’t need all the files, but for simplicity we recommend copying all the files from the client.
A folder structure of a client folder will often look like this:
The most important parts of the client folder is the Chrystoki.conf
file, and the libs
, plugins
, and jsp
folders. You need to copy these files to the folder you created in the first step.
Update Chrystoki.conf
The Chrystoki.conf
file is used to configure the HSM client. You need to update the Chrystoki.conf
file to point to the correct file paths.
In this example, we will be mounting the /etc/luna-docker
folder to the Docker container under a different path. The path we will use in this example is /usr/safenet/lunaclient
. This means /etc/luna-docker
will be mounted to /usr/safenet/lunaclient
in the Docker container.
An example config file will look like this:
Save the file after updating the paths.
Run Docker
Running Docker with HSM encryption requires setting the HSM-related environment variables as mentioned previously in the HSM setup instructions. You can set these environment variables in your Docker run command.
We are setting the environment variables for Docker via the command line in this example, but you can also pass in a .env
file to set these environment variables.
If no key is found with the provided key label, the HSM will create a new key with the provided label.
Infisical depends on an AES and HMAC key to be present in the HSM. If these keys are not present, Infisical will create them. The AES key label will be the value of the HSM_KEY_LABEL
environment variable, and the HMAC key label will be the value of the HSM_KEY_LABEL
environment variable with the suffix _HMAC
.
We recommend reading further about using Infisical with Docker.
After following these steps, your Docker setup will be ready to use HSM encryption.
When using Docker, you need to mount the path containing the HSM client files. This section covers how to configure your Infisical instance to use an HSM with Docker.
Create HSM client folder
When using Docker, you are able to set your HSM library path to any location on your machine. In this example, we are going to be using /etc/luna-docker
.
After setting up your Luna Cloud HSM client, you should have a set of files, referred to as the HSM client. You don’t need all the files, but for simplicity we recommend copying all the files from the client.
A folder structure of a client folder will often look like this:
The most important parts of the client folder is the Chrystoki.conf
file, and the libs
, plugins
, and jsp
folders. You need to copy these files to the folder you created in the first step.
Update Chrystoki.conf
The Chrystoki.conf
file is used to configure the HSM client. You need to update the Chrystoki.conf
file to point to the correct file paths.
In this example, we will be mounting the /etc/luna-docker
folder to the Docker container under a different path. The path we will use in this example is /usr/safenet/lunaclient
. This means /etc/luna-docker
will be mounted to /usr/safenet/lunaclient
in the Docker container.
An example config file will look like this:
Save the file after updating the paths.
Run Docker
Running Docker with HSM encryption requires setting the HSM-related environment variables as mentioned previously in the HSM setup instructions. You can set these environment variables in your Docker run command.
We are setting the environment variables for Docker via the command line in this example, but you can also pass in a .env
file to set these environment variables.
If no key is found with the provided key label, the HSM will create a new key with the provided label.
Infisical depends on an AES and HMAC key to be present in the HSM. If these keys are not present, Infisical will create them. The AES key label will be the value of the HSM_KEY_LABEL
environment variable, and the HMAC key label will be the value of the HSM_KEY_LABEL
environment variable with the suffix _HMAC
.
We recommend reading further about using Infisical with Docker.
After following these steps, your Docker setup will be ready to use HSM encryption.
Create HSM client folder
When using Docker, you are able to set your HSM library path to any location on your machine. In this example, we are going to be using /etc/luna-docker
.
After setting up your Luna Cloud HSM client, you should have a set of files, referred to as the HSM client. You don’t need all the files, but for simplicity we recommend copying all the files from the client.
A folder structure of a client folder will often look like this:
The most important parts of the client folder is the Chrystoki.conf
file, and the libs
, plugins
, and jsp
folders. You need to copy these files to the folder you created in the first step.
Update Chrystoki.conf
The Chrystoki.conf
file is used to configure the HSM client. You need to update the Chrystoki.conf
file to point to the correct file paths.
In this example, we will be mounting the /etc/luna-docker
folder to the Docker container under a different path. The path we will use in this example is /usr/safenet/lunaclient
. This means /etc/luna-docker
will be mounted to /usr/safenet/lunaclient
in the Docker container.
An example config file will look like this:
Save the file after updating the paths.
Run Docker
Running Docker with HSM encryption requires setting the HSM-related environment variables as mentioned previously in the HSM setup instructions. You can set these environment variables in your Docker run command.
We are setting the environment variables for Docker via the command line in this example, but you can also pass in a .env
file to set these environment variables.
If no key is found with the provided key label, the HSM will create a new key with the provided label.
Infisical depends on an AES and HMAC key to be present in the HSM. If these keys are not present, Infisical will create them. The AES key label will be the value of the HSM_KEY_LABEL
environment variable, and the HMAC key label will be the value of the HSM_KEY_LABEL
environment variable with the suffix _HMAC
.
We recommend reading further about using Infisical with Docker.
After following these steps, your Docker setup will be ready to use HSM encryption.
When you are deploying Infisical with the Kubernetes self-hosting option, you can still use HSM encryption, but you need to ensure that the HSM client files are present in the container.
This is only supported on helm chart version 1.4.1
and above. Please see the Helm Chart Changelog for more information.
Create HSM client folder
When using Kubernetes, you need to mount the path containing the HSM client files. This section covers how to configure your Infisical instance to use an HSM with Kubernetes.
After setting up your Luna Cloud HSM client, you should have a set of files, referred to as the HSM client. You don’t need all the files, but for simplicity we recommend copying all the files from the client.
A folder structure of a client folder will often look like this:
The most important parts of the client folder is the Chrystoki.conf
file, and the libs
, plugins
, and jsp
folders. You need to copy these files to the folder you created in the first step.
Update Chrystoki.conf
The Chrystoki.conf
file is used to configure the HSM client. You need to update the Chrystoki.conf
file to point to the correct file paths.
In this example, we will be mounting the /etc/hsm-client
folder from the host to containers in our deployment’s pods at the path /hsm-client
. This means the contents of /etc/hsm-client
on the host will be accessible at /hsm-client
within the containers.
An example config file will look like this:
Save the file after updating the paths.
Creating Persistent Volume Claim (PVC)
You need to create a Persistent Volume Claim (PVC) to mount the HSM client files to the Infisical deployment.
The above command will create a PVC named infisical-data-pvc
with a storage size of 500Mi
. You can change the storage size if needed.
Next we need to create a temporary pod with the PVC mounted as a volume, allowing us to copy the HSM client files into this mounted storage.
The above command will create a pod named hsm-setup-pod
with a busybox image. The pod will sleep for 3600 seconds (one hour), which is enough time to upload the HSM client files to the PVC.
Ensure that the pod is running and is healthy by running the following command:
Next we need to copy the HSM client files into the PVC.
Finally, we are ready to delete the temporary pod, as we have successfully uploaded the HSM client files to the PVC. This step may take a few minutes to complete.
Updating your environment variables
Next we need to update the environment variables used for the deployment. If you followed the setup instructions for Kubernetes deployments, you should have a Kubernetes secret called infisical-secrets
.
We need to update the secret with the following environment variables:
HSM_LIB_PATH
- The path to the HSM client library (mapped to/hsm-client/libs/64/libCryptoki2.so
)HSM_PIN
- The PIN for the HSM device that you created when setting up your Luna Cloud HSM clientHSM_SLOT
- The slot number for the HSM device that you selected when setting up your Luna Cloud HSM clientHSM_KEY_LABEL
- The label for the HSM key. If no key is found with the provided key label, the HSM will create a new key with the provided label.
The following is an example of the secret that you should update:
Save the file after updating the environment variables, and apply the secret changes
Updating the Deployment
After we’ve successfully configured the PVC and updated our environment variables, we are ready to update the deployment configuration so that the pods it creates can access the HSM client files.
We need to update the Docker image of the deployment to use infisical/infisical-fips
. The infisical/infisical-fips
image is a functionally identical image to the infisical/infisical
image, but it is built with support for HSM encryption.
Upgrading the Helm Chart
After updating the values.yaml file, you need to upgrade the Helm chart in order for the changes to take effect.
Restarting the Deployment
After upgrading the Helm chart, you need to restart the deployment in order for the changes to take effect.
After following these steps, your Kubernetes setup will be ready to use HSM encryption.
This is only supported on helm chart version 1.4.1
and above. Please see the Helm Chart Changelog for more information.
Create HSM client folder
When using Kubernetes, you need to mount the path containing the HSM client files. This section covers how to configure your Infisical instance to use an HSM with Kubernetes.
After setting up your Luna Cloud HSM client, you should have a set of files, referred to as the HSM client. You don’t need all the files, but for simplicity we recommend copying all the files from the client.
A folder structure of a client folder will often look like this:
The most important parts of the client folder is the Chrystoki.conf
file, and the libs
, plugins
, and jsp
folders. You need to copy these files to the folder you created in the first step.
Update Chrystoki.conf
The Chrystoki.conf
file is used to configure the HSM client. You need to update the Chrystoki.conf
file to point to the correct file paths.
In this example, we will be mounting the /etc/hsm-client
folder from the host to containers in our deployment’s pods at the path /hsm-client
. This means the contents of /etc/hsm-client
on the host will be accessible at /hsm-client
within the containers.
An example config file will look like this:
Save the file after updating the paths.
Creating Persistent Volume Claim (PVC)
You need to create a Persistent Volume Claim (PVC) to mount the HSM client files to the Infisical deployment.
The above command will create a PVC named infisical-data-pvc
with a storage size of 500Mi
. You can change the storage size if needed.
Next we need to create a temporary pod with the PVC mounted as a volume, allowing us to copy the HSM client files into this mounted storage.
The above command will create a pod named hsm-setup-pod
with a busybox image. The pod will sleep for 3600 seconds (one hour), which is enough time to upload the HSM client files to the PVC.
Ensure that the pod is running and is healthy by running the following command:
Next we need to copy the HSM client files into the PVC.
Finally, we are ready to delete the temporary pod, as we have successfully uploaded the HSM client files to the PVC. This step may take a few minutes to complete.
Updating your environment variables
Next we need to update the environment variables used for the deployment. If you followed the setup instructions for Kubernetes deployments, you should have a Kubernetes secret called infisical-secrets
.
We need to update the secret with the following environment variables:
HSM_LIB_PATH
- The path to the HSM client library (mapped to/hsm-client/libs/64/libCryptoki2.so
)HSM_PIN
- The PIN for the HSM device that you created when setting up your Luna Cloud HSM clientHSM_SLOT
- The slot number for the HSM device that you selected when setting up your Luna Cloud HSM clientHSM_KEY_LABEL
- The label for the HSM key. If no key is found with the provided key label, the HSM will create a new key with the provided label.
The following is an example of the secret that you should update:
Save the file after updating the environment variables, and apply the secret changes
Updating the Deployment
After we’ve successfully configured the PVC and updated our environment variables, we are ready to update the deployment configuration so that the pods it creates can access the HSM client files.
We need to update the Docker image of the deployment to use infisical/infisical-fips
. The infisical/infisical-fips
image is a functionally identical image to the infisical/infisical
image, but it is built with support for HSM encryption.
Upgrading the Helm Chart
After updating the values.yaml file, you need to upgrade the Helm chart in order for the changes to take effect.
Restarting the Deployment
After upgrading the Helm chart, you need to restart the deployment in order for the changes to take effect.
After following these steps, your Kubernetes setup will be ready to use HSM encryption.
Disabling HSM Encryption
To disable HSM encryption, navigate to Infisical’s Server Admin Console and set the KMS encryption strategy to Software-based Encryption
. This will revert the encryption strategy back to the default software-based encryption.
In order to disable HSM encryption, the Infisical instance must be able to access the HSM device. If the HSM device is no longer accessible, you will not be able to disable HSM encryption.
Was this page helpful?