A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys and performs cryptographic operations such as encryption, decryption, digital signing and strong authentication.
In Fabric, an HSM protects your private keys and performs the cryptographic operations on them, allowing peer and orderer nodes to sign and endorse transactions without their private keys ever leaving the device.
Let's look at the benefits of using an HSM to store private keys, and at how to configure a vendor HSM.
Benefits of using HSM
HSMs deliver a high level of security because cryptographic keys are only ever used inside the hardware.
HSMs are secure, tamper-resistant devices that protect the keys stored in them.
A key cannot be extracted or exported from an HSM in readable (plaintext) form.
HSMs have dedicated crypto processors that can carry out thousands of crypto operations per second.
Configuring vendor HSM
There are multiple options available when selecting a cloud-based HSM service; we configured the HSM on Demand service for Hyperledger Fabric offered by Thales.
Let's walk through the steps to create a Thales account and create an HSM on Demand service for Hyperledger Fabric.
Registering with Thales
Go to the Thales marketplace: https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace
Select a datacenter region; we went with North America and registered for the 30-day free trial. This is an added advantage of Thales: it lets you try out and experiment with the HSM service for free before making a purchase.
Fill in the details and register. Once you are successfully registered you will land on the login page.
On successful login you will be redirected to set up multi-factor authentication. It uses the Google Authenticator app for verification: download the app and scan the QR code displayed on screen.
Once setup is done, enter the 6-digit code displayed in the Google Authenticator app and click Verify.
Verify your email address.
Login and create HSM service
Once your email address is verified, log in to your Thales account and go to the Services tab.
Click Add new service.
Select the HSM on Demand for Hyperledger Fabric tile and click Try service.
If you created a trial account, you are limited to creating only 2 services.
Create the HSM on Demand for Hyperledger Fabric services and, for easy reference, name each one after the organization for which the HSM is being set up.
We set this up for the two organizations whose client directories are created below.
For each service, create a client with the same name and download the client zip to the host machine.
Execute the following command to create the service directories on the host machine.
mkdir -p /etc/hyperledger/fabric/dpod/orderer.example.com
mkdir -p /etc/hyperledger/fabric/dpod/org1.example.com
Unzip the 2 client archives into their respective directories.
Follow https://thalesdocs.com/dpod/services/hsmod_services/hsmod_linux_client/index.html to initialize the service and the Crypto Officer and Crypto User roles on each of the services.
- DPoD: unable to initialize XTC
This error is usually caused by the client host's clock being out of sync with the service. The solution is to synchronize the client host with an NTP server and re-attempt the connection to your service.
If that does not work, the following one-liner sets the clock from the Date header of an HTTP response (it must be run as root):
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
Note that this takes the time from an unauthenticated plaintext HTTP header, so treat it as a one-off fix and keep NTP (ntpd or chrony) as the long-term time source for any host that holds HSM client credentials.
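As an added example (not part of the original post or of the Thales DPoD client), the following POSIX shell helpers measure how far the host clock is from the time in an HTTP Date header before you attempt the DPoD connection, so the clock is only reset when it is actually out of tolerance. It assumes GNU coreutils date (for the -d option), as on most Linux hosts; the sample header, the 60-second tolerance and the --check flag are assumptions for the example, and the sample header is constructed rather than captured from a server.

```shell
#!/bin/sh
# Added example, not from the original post or the Thales DPoD client.
# Checks host clock skew against an HTTP Date header before initializing the
# DPoD client ("unable to initialize XTC" is typically a clock-skew symptom).
# Assumes GNU coreutils `date` for the -d option (most Linux hosts).

# Convert one HTTP Date header line (IMF-fixdate, e.g.
# "  Date: Tue, 15 Nov 1994 08:12:31 GMT", leading spaces as printed by
# `wget -S`) to seconds since the Unix epoch.
http_date_to_epoch() {
    hdr=$(printf '%s' "$1" | sed 's/^[[:space:]]*[Dd]ate:[[:space:]]*//')
    date -u -d "$hdr" +%s
}

# Absolute difference in seconds between the header time and a local epoch.
clock_skew() {
    remote=$(http_date_to_epoch "$1")
    local_epoch=$2
    if [ "$local_epoch" -ge "$remote" ]; then
        echo $((local_epoch - remote))
    else
        echo $((remote - local_epoch))
    fi
}

# Exit status 0 when the skew is within tolerance (default 60 s, an assumed
# value for this example), 1 otherwise.
skew_ok() {
    skew=$(clock_skew "$1" "$2")
    tol=${3:-60}
    [ "$skew" -le "$tol" ]
}

# Fetch the Date header from a reference host, as the post's one-liner does.
# Network call; only used by the live check below.
fetch_date_header() {
    wget -qSO- --max-redirect=0 "${1:-google.com}" 2>&1 | grep -i '^ *Date:' | head -n 1
}

# Sample header constructed for this example (the RFC 7231 example date).
SAMPLE_DATE='  Date: Tue, 15 Nov 1994 08:12:31 GMT'

# Run the live check only when invoked as `sh clockcheck.sh --check`.
if [ "${1:-}" = "--check" ]; then
    hdr=$(fetch_date_header)
    now=$(date -u +%s)
    if skew_ok "$hdr" "$now"; then
        echo "clock within tolerance (skew $(clock_skew "$hdr" "$now") s)"
    else
        echo "clock skew of $(clock_skew "$hdr" "$now") s; sync with NTP first, use the date -s one-liner only as a last resort" >&2
        exit 1
    fi
fi
```

Run it with --check on the host before the DPoD client initialization; a non-zero exit tells you to fix time synchronization first. Because the reference time comes from a plaintext, unauthenticated HTTP header, the script only reports skew and never sets the clock itself.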