
Build and configure HashiCorp Vault on IBM Cloud Hyper Protect Virtual Server

IBM Cloud® Hyper Protect Virtual Servers are built on IBM Secure Service Container (SSC) technology available on the IBM LinuxONE platform. Logical partitions created on LinuxONE, called SSC-LPARs, provide EAL5+ isolation, while a Hyper Protect Virtual Server running on an SSC-LPAR provides EAL4 isolation.

SSC technology is the cornerstone of IBM Cloud Hyper Protect Crypto Services (HPCS), which provides access to the industry's only FIPS 140-2 Level 4 Hardware Security Module (HSM). Access to the HSM is now available from Hyper Protect Crypto Services through the Public Key Cryptography Standard (PKCS) #11 library (see Resources in the right column for more information).

Hyper Protect Virtual Servers can also be deployed on premises in a customer data center. For more details, see IBM Hyper Protect Virtual Servers.

Figure 1 illustrates the isolation capabilities of the SSC-LPARs on the IBM LinuxONE platform.

Figure 1. IBM LinuxONE SSC-LPAR Technology


Figure 2 illustrates how Hyper Protect Virtual Server uses the SSC technology available on LinuxONE to create virtual servers that are completely walled off, providing true isolation for workloads that handle sensitive data and business IP in the cloud.

Figure 2. Hyper Protect Virtual Servers built with SSC Technology


HashiCorp Vault is widely used in the industry to secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys, protecting secrets and other sensitive data through a UI, CLI, or HTTP API. Its use cases include secret management, a primary requirement for FinTech, HealthTech, InsurTech, and other regulated industries where security and auditability of access to resources are of utmost importance. HashiCorp Vault is the industry-leading application/service for centrally storing, accessing, and deploying secrets across applications, systems, and infrastructure in a dynamic environment.

Figure 3 illustrates how the security provided by the Hyper Protect Virtual Server platform can be combined with the popular HashiCorp Vault to bring effective secret management to the LinuxONE-based Hyper Protect platform.

Figure 3. Vault on Hyper Protect Virtual Server


Learning objectives

This tutorial provides step-by-step instructions for building HashiCorp Vault on the Hyper Protect Virtual Server (s390x) platform, and explains how the security of the Vault master key can be enhanced by using IBM Cloud Hyper Protect Crypto Services.

Prerequisites

Estimated time

It should take you about 30 minutes to complete this tutorial.

Steps

Step 1. Preparation

  • Open a terminal session with your Hyper Protect Virtual Server instance using your SSH private key (the -i flag selects the identity file):
    ssh -i <path-to-ssh-private-key> root@<hpvs-public-ip>
    
  • Install the packages:
    apt update && apt install -y wget git gcc make
    
  • Set up your environment variables, appending them to ~/.profile so they are present in every new login session:
    echo 'export GOPATH=$HOME/go' >> ~/.profile
    echo 'export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin' >> ~/.profile
    
  • Restart your terminal session for the environment variables to take effect.
  • Download Go. The recommended version at the time of publication is:
    wget https://dl.google.com/go/go1.14.7.linux-s390x.tar.gz
    
  • Install Go:
    tar -C /usr/local -xzf go1.14.7.linux-s390x.tar.gz
    
  • Install gox:
    go get github.com/mitchellh/gox
    
  • Move the gox binary into the Go bin directory on your PATH:
    mv ~/go/bin/gox /usr/local/go/bin
    

Step 2. Build the Vault binary for s390x

  • Create the shell script build-vault.sh using this sample: build-vault.sh.
  • Make the script executable and run it:
    chmod +x build-vault.sh && ./build-vault.sh
    

Step 3. Configure Vault

  • Create the required directory structure:
    mkdir -p /etc/vault
    mkdir -p /etc/vault-data
    mkdir -p /tmp/vault-logs
    
  • Create the Vault configuration file, /etc/vault/config.hcl. Select from one of the sample configuration files:
    Use Case                                        Configuration Sample
    Vault with NO HSM and Local Backend Storage     vault-conf-noHSM-local.hcl
    Vault with HPCS-HSM and Local Backend Storage   vault-conf-hpcs-local.hcl
    Vault with HPCS-HSM and COS Backend Storage     vault-conf-hpcs-cos.hcl

Note: For COS access, you'll have to create an HMAC key to fill in the access keys (see Resources for more information). For Hyper Protect Crypto Services access, you'll have to update the API key.

  • Start the Vault server with the configuration file you created:
    vault server -config=/etc/vault/config.hcl
    

Summary

HashiCorp Vault facilitates the management of hundreds or thousands of secrets such as passwords, certificates, and encryption keys. But the security of everything Vault stores depends on the Vault master key. So how can you further improve the security of the environment?

To secure the master key, HashiCorp Vault can be integrated with an HSM backend. This requires Vault Enterprise, which allows Vault to use PKCS #11 calls to Hyper Protect Crypto Services. This integration provides the following functionality:

  • Master key wrapping
  • Automatic unsealing
  • Seal wrapping
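Below is an added example config.hcl, not one of the tutorial's sample files, that puts the no-HSM local-storage baseline from Step 3 next to the Hyper Protect Crypto Services PKCS #11 seal described above; the PKCS #11 library path, slot, key labels and TLS file paths are assumptions and the angle-bracket values are placeholders.

```hcl
# Added example, not one of the tutorial's sample files. Saved as /etc/vault/config.hcl.
# Paths, key labels and the listener certificate are assumptions; <...> are placeholders.

storage "file" {
  path = "/etc/vault-data"                 # local backend storage created in Step 3
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/vault.crt"   # assumed certificate location
  tls_key_file  = "/etc/vault/vault.key"   # assumed private key location
}

api_addr = "https://<hpvs-public-ip>:8200"
ui       = true

# Without the seal stanza below, Vault uses its default Shamir seal: the master
# key is split into unseal shares that operators must enter after every restart,
# so the master key is only as safe as wherever those shares are kept.

# Vault Enterprise PKCS #11 seal backed by Hyper Protect Crypto Services:
# the HSM wraps the master key and unseals Vault automatically at startup.
seal "pkcs11" {
  lib            = "/path/to/hpcs-pkcs11.so"   # placeholder: HPCS PKCS #11 client library
  slot           = "0"                         # placeholder: slot from the HPCS client config
  pin            = "<hpcs-api-key>"            # placeholder; prefer the VAULT_HSM_PIN env var
  key_label      = "vault-master-wrap"         # assumed label of the AES wrapping key
  hmac_key_label = "vault-master-hmac"         # assumed label of the HMAC key
  generate_key   = "true"                      # create the keys in the HSM if absent
}

# Seal wrapping (an extra layer of HSM encryption on sensitive stored values)
# stays enabled as long as this is omitted or false.
disable_sealwrap = false
```

With the pkcs11 seal in place, `vault operator init` issues recovery keys instead of unseal keys, and a restart no longer requires operators to enter key shares.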

Note: IBM Cloud Hyper Protect Crypto Services provides access to the only cloud-based FIPS 140-2 Level 4 HSM.

Figure 4 illustrates how the security of the HashiCorp Vault master key can be enhanced with the FIPS 140-2 Level 4 cloud-based HSM technology provided by IBM Cloud Hyper Protect Crypto Services.

Figure 4. HashiCorp Vault with Hyper Protect Crypto Services as the HSM backend


For more details on the material covered in this tutorial, see the Resources in the right-hand column or visit the IBM Hyper Protect developer content hub.