IBM Cloud® Hyper Protect Virtual Servers are built on IBM Secure Service Container (SSC) technology available on the IBM LinuxONE platform. Logical Partitions created on the LinuxONE, called as SSC-LPARs, provide EAL5+ isolation, while the Hyper Protect Virtual Server that runs on an SSC-LPAR provides EAL4 isolation capabilities.
SSC Technology is the cornerstone of the IBM Cloud Hyper Protect Crypto Services (HPCS) that provides access to industry’s one-and-only FIPS 140-2 Level 4 Hardware Security Module (HSM). Access to the HSM is now available from Hyper Protect Crypto Services using the Public Key Cryptography Standard (PKCS) #11 library (see Resources in the right column for more information).
Hyper Protect Virtual Servers can also be implemented on premises in a customer datacenter. For more details, check IBM Hyper Protect Virtual Servers
Figure 1 illustrates the isolation capabilities of the SSC-LPARs on the IBM LinuxONE platform.
Figure 1. IBM LinuxONE SSC-LPAR Technology
Figure 2 illustrates how Hyper Protect Virtual Server leverages the SSC technology available on LinuxONE to create virtual servers that provide true isolation and are walled-off completely to run workloads with sensitive data and business IP in the cloud.
Figure 2. Hyper Protect Virtual Servers built with SSC Technology
HashiCorp Vault is used widely in the industry to secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API. The use cases for Vault include secret management, a primary requirement for FinTech, HealthTech, InsurTech, and other regulated industries where security and auditability of access to resources is of utmost importance. Hashicorp Vault is the industry leading application/service to centrally store, access, and deploy secrets across applications, systems, and infrastructure in a dynamic environment.
Figure 3 illustrates how the security provided by the Hyper Protect Virtual Server platform can be combined with the popular HashiCorp Vault to bring effective secret management to the LinuxONE-based Hyper Protect platform.
Figure 3. Vault on Hyper Protect Virtual Server
Learning objectives
This tutorial provides step-by-step instructions on how to build Hashicorp Vault on the Hyper Protect Virtual Server (s390x) platform, and provides insight into how the security of the Hashicorp Master Key can be enhanced by using IBM Cloud Hyper Protect Crypto Services.
Prerequisites
- An IBM Cloud account: Sign in or create one at https://cloud.ibm.com.
- A Hyper Protect Virtual Server: Provision an instance at https://cloud.ibm.com/catalog/services/hyper-protect-virtual-server.
- A Hyper Protect Crypto Services instance: Provision an instance at https://cloud.ibm.com/catalog/services/hyper-protect-crypto-services#about.
- Make a note of the
instance-id. - Make a note of the EP11 endpoints including
Port#.
- Make a note of the
- Create an API key to access IBM Cloud resources with
ibmcliusing the procedure outlined at https://cloud.ibm.com/docs/account?topic=account-userapikey#create_user_key.
Estimated time
It should take you about 30 minutes to complete this tutorial.
Steps
Step 1. Preparation
- Open a Terminal session with your Hyper Protect Virtual Server instance using your SSH private key:
ssh root@<hpvs-public-ip> -t <path-to-ssh-private-key> - Install the packages:
apt update && apt install -y wget git gcc make - Set up your environment variables:
export GOPATH=$HOME/go export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin - Restart your terminal session for the environment variables to take effect.
- Download Go. The recommended version at the time of publication is:
wget https://dl.google.com/go/go1.14.7.linux-s390x.tar.gz - Install Go:
tar -C /usr/local -xzf go1.14.7.linux-s390x.tar.gz - Install gox:
go get github.com/mitchellh/gox - Move gox to GO-PATH:
mv ~/go/bin/gox /usr/local/go/bin
Step 2. Build the Vault binary for s390x
- Create the shell script
build-vault.shusing this sample: build-vault.sh. - Run the shell script:
build-vault.sh
Step 3. Configure Vault
- Create the required directory structure:
mkdir -p /etc/vault mkdir -p /etc/vault-data mkdir -p /tmp/vault-logs - Create the Vault configuration file,
/etc/vault/config.hcl. Select from one of the sample configuration files:
| Use Case | Configuration Sample |
|---|---|
| Vault with NO HSM and Local Backend Storage | vault-conf-noHSM-local.hcl |
| Vault with HPCS-HSM and Local Backend Storage | vault-conf-hpcs-local.hcl |
| Vault with HPCS-HSM and COS Backend Storage | vault-conf-hpcs-cos.hcl |
Note: For COS access, you’ll have to create an HMAC-Key to fill out the access-keys (see Resources for more information). For Hyper Protect Crypto Services access, you’ll have to update the API-Key.
- Start the Vault server with the correct configuration file:
vault server -config=/etc/vault/vault-conf-noHSM-local.hcl
Summary
HashiCorp Vault facilitates the management of hundreds and thousands of secrets like passwords, certificates, and encryption keys. But the security of all the information within HashiCorp data structures is dependant on the HashiCorp master key. So how can you further improve the security of the environment?
To secure the master key, HashiCorp Vault can be integrated with an HSM backend. This requires Enterprise-Vault which allows Vault to use PKCS #11 calls to Hyper Protect Crypto Services. This integration provides the following functionality:
- Master key wrapping
- Automatic unsealing
- Seal wrapping
Note: IBM Cloud Hyper Protect Crypto Services provides access to the only cloud-based FIPS 140-2 Level 4 HSM.
Figure 4 illustrates how the security of the Hashicorp Master Key can be enhanced with a FIPS 140-2 Level 4 Cloud Based HSM Technology provided by IBM Cloud Hyper Protect Crypto Services.
Figure 4. HashiCorp Vault with Hyper Protect Crypto Services as the HSM backend
For more details on the material covered in this tutorial, see the Resources in the right-hand column or visit the IBM Hyper Protect developer content hub.