Setting up an HSM service for Hyperledger Fabric

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys and performs the cryptographic operations behind digital signatures, strong authentication and other security functions.

In Fabric, HSM protects your private keys and handles cryptographic operations, allowing peer and orderer nodes to sign and endorse transactions without exposing their private keys.

Let's look at the benefits of using an HSM to store private keys and at how to configure a vendor HSM.

Benefits of using HSM

HSMs deliver the highest level of key security because every use of a cryptographic key is performed inside the hardware.

HSMs are secure, tamper-resistant devices that protect the keys stored in them.

A complete key can never be extracted or exported from an HSM in readable (cleartext) form.

HSMs have dedicated, powerful crypto processors that can carry out thousands of cryptographic operations simultaneously.

Configuring vendor HSM

There are multiple options available when selecting a cloud-based HSM service; we configured the HSM service for Hyperledger Fabric offered by Thales.

Let's walk through the steps to create a Thales account and create an on-demand HSM service for Hyperledger Fabric.

Registering with Thales

Step 1:

Go to Thales marketplace. https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace

Select a datacenter region. We went ahead with North America and registered for the 30-day free trial. This is an added advantage provided by Thales: it lets you try out and experiment with the HSM service for free before making a purchase.

Step 2:

Fill in the details and register. Once registration succeeds, you land on the login page.

On successful login you are redirected to set up multi-factor authentication. It uses the Google Authenticator app for verification: download the app and scan the QR code displayed on screen.

Step 3:

Once setup is done, enter the 6-digit code displayed in the Google Authenticator app and click Verify.

Step 4:

Verify your email ID.

Login and create HSM service

Step 5: Once your email ID is verified, log in to your Thales account and go to the Services tab.

Click Add new service.

Step 6:

Select the HSM on Demand for Hyperledger Fabric tile and click Try service.

If you created a trial account, you can create at most 2 services.

Step 7:

Create the HSM on Demand for Hyperledger Fabric services and, for easy reference, name each one after the organization for which the HSM is being set up.

We have set this up for:

  • orderer.example.com
  • org1.example.com

For each service, create a client with the same name and download the client zip to the host machine.

Step 8:

Execute the following command to create the service directories on the host machine.

mkdir -p /etc/hyperledger/fabric/dpod/orderer.example.com

mkdir -p /etc/hyperledger/fabric/dpod/org1.example.com

Step 9:

Unzip the 2 client archives into their respective directories.
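Steps 7 to 9 together are a small provisioning routine, so here is one script that performs all three on the host: create a directory per service, extract that service's client bundle into it and tighten the permissions. This is an added example and not code from the original post or from Thales; it assumes each downloaded zip is named after its service (for example orderer.example.com.zip) and sits in one download directory, and that root-only access to the client directories is acceptable on the node host.

```shell
#!/bin/sh
# Added example (not from the original post): stage the downloaded DPoD
# client bundles for each Fabric organization under the dpod base directory.
# Assumptions: one zip per service, named <service>.zip, in $download_dir.
set -eu

DPOD_BASE=${DPOD_BASE:-/etc/hyperledger/fabric/dpod}

# Create the service directory with restricted permissions: the client bundle
# contains the credentials used to reach the HSM partition, so it should not be
# readable by other local users (assumption: root-only access is fine here).
create_service_dir() {
  dir="$1/$2"
  mkdir -p "$dir"
  chmod 700 "$dir"
  printf '%s\n' "$dir"
}

# Extract one client bundle into its service directory.
# Returns 2 when the zip is missing so the caller can report which download
# has not been copied to the host yet.
stage_client_bundle() {
  base=$1; service=$2; zip=$3
  dir=$(create_service_dir "$base" "$service")
  if [ ! -f "$zip" ]; then
    echo "missing client bundle for $service: $zip" >&2
    return 2
  fi
  unzip -o -q "$zip" -d "$dir"
  # Entries in the archive may carry permissive modes; remove group/other access.
  chmod -R go-rwx "$dir"
  echo "staged $service in $dir"
}

# Stage every service given on the command line; the exit status is non-zero
# if any bundle was missing, but the remaining services are still processed.
stage_all() {
  base=$1; download_dir=$2; shift 2
  rc=0
  for svc in "$@"; do
    stage_client_bundle "$base" "$svc" "$download_dir/$svc.zip" || rc=$?
  done
  return $rc
}

# Usage (as root), with the zips downloaded to /root/dpod-downloads:
#   stage_all "$DPOD_BASE" /root/dpod-downloads orderer.example.com org1.example.com
```

The script is idempotent: rerunning it after downloading a bundle that was missing the first time simply extracts that one and leaves the others in place.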

Step 10:

Follow https://thalesdocs.com/dpod/services/hsmod_services/hsmod_linux_client/index.html to initialize the service, Crypto Officer and Crypto User roles on each of the services.

Troubleshooting:

  1. DPoD: unable to initialize XTC

The solution is to synchronize the client host's clock with an NTP server and then re-attempt the connection to your service.

If that does not work, run the following command on the host as an alternative way to set the clock.

sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
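The one-liner above sets the clock blindly from whatever the Date header contains. As an added example (not part of the original post), the functions below separate the steps so the skew can be measured first and the clock is only reset when it is actually out of tolerance: extract the Date header from a captured response, convert it to epoch seconds, compute the skew against the local clock and decide whether a resync is needed. The header block used in the comments is constructed, and the 30-second threshold is an assumption; GNU date is required for the -d parsing.

```shell
#!/bin/sh
# Added example (not from the original post): measure clock skew against an
# HTTP Date header before deciding to reset the host clock.
# Requires GNU date (for `date -d`); threshold values are assumptions.

# Read HTTP response headers on stdin (as printed by `wget -S` or `curl -I`)
# and print the value of the Date header, e.g. "Mon, 01 Jan 2024 00:00:00 GMT".
http_date_from_headers() {
  sed -n 's/^[[:space:]]*[Dd]ate:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# Convert an RFC 1123 date to epoch seconds. The weekday prefix is stripped
# first so the remaining "01 Jan 2024 00:00:00 GMT" is unambiguous for date -d.
http_date_to_epoch() {
  stripped=$(printf '%s' "$1" | sed 's/^[A-Za-z]*,[[:space:]]*//')
  date -u -d "$stripped" +%s
}

# Print local minus reference, in seconds. $1 = reference epoch,
# $2 = local epoch (defaults to now).
clock_skew_seconds() {
  local_now=${2:-$(date -u +%s)}
  echo $(( local_now - $1 ))
}

# Succeed (exit 0) when |skew| exceeds the threshold. $1 = skew, $2 = threshold
# in seconds (default 30, an assumed tolerance for the XTC handshake).
needs_resync() {
  skew=$1; thr=${2:-30}
  [ "$skew" -lt 0 ] && skew=$(( -skew ))
  [ "$skew" -gt "$thr" ]
}

# Live check: fetch headers from $1 (default google.com, as in the post's
# one-liner), report the skew and, when out of tolerance, set the clock from
# the epoch value. Prefer enabling NTP (e.g. chronyc makestep) where available;
# this fallback mirrors the post's `date -s` approach with a skew check in front.
check_and_sync_clock() {
  url=${1:-google.com}
  hdr=$(wget -qSO- --max-redirect=0 "$url" 2>&1 | http_date_from_headers)
  [ -n "$hdr" ] || { echo "no Date header received from $url" >&2; return 1; }
  ref=$(http_date_to_epoch "$hdr")
  skew=$(clock_skew_seconds "$ref")
  echo "reference: $hdr  skew: ${skew}s"
  if needs_resync "$skew"; then
    echo "clock out of tolerance, setting from reference"
    sudo date -u -s "@$ref"
  else
    echo "clock within tolerance, no change"
  fi
}

# Constructed sample of what `wget -S` prints (for reference; not executed):
#   HTTP/1.1 301 Moved Permanently
#     Date: Mon, 01 Jan 2024 00:00:00 GMT
# Usage: check_and_sync_clock
```

Checking the skew first also tells you whether time was really the cause of the XTC error; a skew of a few seconds points elsewhere, and repeatedly needing a large correction means the host's NTP client is not running.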