Hardware Security Modules (HSMs) are optional with the Appliance, and provide an additional level of security in managing cryptogrpaphic keys. The Appliance supports a limited set of off-cloud HSMs, and does not support current cloud HSMs.
When HSMs are integrated with the Key Servers, master secrets for the security district—used to derive all cryptographic keys for that security district—are always encrypted by the HSMs. This
means that keys for that security district cannot be derived without connection to those HSMs. When HSMs are not used, master secrets are stored in the configuration database, encrypted by a Field Encryption Key (FEK).
In off-cloud, non-HSM deployments, FEKs are stored on the file system, meaning that a copy of the file system, VM, or container is sufficient to set up a Key Server that can derive cryptographic keys.
With supported cloud service providers (CSP), the FEK is stored in a native cloud key vault, with access controlled by appropriate cloud security administrators. This prevents an attacker using a copy of the file system, VM, or container to decrypt the configuration database and derive keys, because they will have no access to the FEK in the CSP’s key vault.
However, this does not provide total protection from attack. DPP administrators must be able to back up the configuration, including the Key Server, any time a configuration change is made, to allow recovery if the systems running the Key Servers are lost. This backup is initiated from the Management Console, and protected by a password, which the administrator records for use should a restore become necessary. Because Appliances can be used in a combination of off-cloud installation and one or more CSPs, such a backup must be usable on a system with no access to the cloud key vault, even if the backup was initiated from a cloud instance. This means that an attacker with a backup from a Management Console (and the password used for that backup) can use that backup to set up their own Key Servers and has the potential to derive customer keys.
When an HSM is in use, however, the master secrets are protected by the HSM, and are not directly available in the backup. Without access to the configured HSM, a Key Server, built from a backup obtained by an attacker, cannot be used to derive keys for those HSM-protected districts.
Because an HSM provides this additional level of protection, it is recommended, especially for cloud deployments, to use an HSM with DPP Appliance(s). If an HSM is not used, customers must implement strict protocols to reduce the risk of an attacker gaining access to a backup (and password).