Not much blogging from my side the last 2 years, but now it's finally time for a new post.
One of my last posts was about the YubiHSM2 and its "ultra-small" form factor, which provides a very useful HSM for a reasonable price. I've used a number of those at customers that needed to increase the protection of their CAs' private keys. But all of those customers had their CAs on dedicated hardware, and all customers with CAs on virtual servers (VMware and Hyper-V) had simply placed their CA private keys in the file system.
But recently I've been in a couple of projects that needed HSMs but were on VMware, and network HSMs were out of budget, so to say. According to Yubico, the YubiHSM should work fine in a virtual environment. So we installed a CA with a YubiHSM2, and it simply did not work. The connector service hung every now and then when accessing the HSM. We managed to install the CA, but when enrolling certificates the service hung. Talking to Yubico's excellent, but sometimes a little slow, support (it's free so no complaints; the paid support is quick as..), they told me it was a known issue. They asked me to open a support case with VMware and promised to help out. But that was not an option in that project due to security reasons. So I decided to try another approach and looked into network-to-USB devices.
And I found the Silex DS-510. They stated the following on their homepage:
“The Silex DS-510 is designed to easily connect and share USB devices over a network. Printers, Scanners, Disk Drives, Card Readers, or virtually any other USB device can now be enabled with network capability.”
I asked Yubico support and they came back and said: “Unfortunately this kind of device will not work for what you are trying to accomplish”. But since I had already ordered one (they are about $150) I decided to have a go. And it worked perfectly!
And the thing is: it is really easy to use! Basically, connect the Silex DS-510 to the network, install the driver on the dedicated server, connect your YubiHSM to the DS-510, and it will show up in the system like any other USB device. I've tried it on both VMware and Hyper-V and it works perfectly! Of course more testing is needed, and you have to consider the security of this device itself; that is on my to-do list. But so far so good! The key material is stored on the YubiHSM2, and the communication between the HSM and the CA over the network is protected.
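A small watchdog for the connector hang described above, added here as an example and not code from the original post or from Yubico. It assumes the connector's stock status endpoint (http://127.0.0.1:12345/connector/status) and its key=value status lines; the sample bodies are constructed.

```python
import socket
import urllib.error
import urllib.request

# Default address the connector listens on (assumption: stock configuration).
DEFAULT_URL = "http://127.0.0.1:12345/connector/status"

# Constructed sample bodies in the connector's key=value format (assumption).
SAMPLE_OK = "status=OK\nserial=0001234\nversion=3.0.0\npid=4242\naddress=localhost\nport=12345\n"
SAMPLE_NO_DEVICE = "status=OK\nserial=*\nversion=3.0.0\npid=4242\naddress=localhost\nport=12345\n"


def parse_status(body: str) -> dict:
    """Turn the key=value status lines into a dict, skipping malformed lines."""
    parsed = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            parsed[key.strip()] = value.strip()
    return parsed


def classify(status: dict) -> str:
    """Reduce a parsed status to 'ok', 'no-device' or 'degraded'."""
    if status.get("status") != "OK":
        return "degraded"
    # serial is '*' when the connector runs but sees no YubiHSM on USB,
    # e.g. when the network-attached USB share has dropped the device.
    if status.get("serial", "*") == "*":
        return "no-device"
    return "ok"


def probe(url: str = DEFAULT_URL, timeout: float = 3.0) -> dict:
    """Fetch the status with a hard timeout, so a hung connector is reported
    as 'timeout' instead of blocking the caller (or the CA) indefinitely."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, socket.timeout):
            return {"state": "timeout"}
        return {"state": "unreachable", "error": str(exc.reason)}
    except socket.timeout:
        return {"state": "timeout"}
    status = parse_status(body)
    return {"state": classify(status), "status": status}


if __name__ == "__main__":
    print(probe())
```

Run it from a scheduled task on the CA server and alert on anything other than "ok"; a "timeout" result is the hang the post describes, and "no-device" means the USB share has lost the HSM.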
I think I have convinced Yubico to test the device as well, so they can recommend it from their side too. I'll update this post when I have more info.
At the end of the day I really have to recommend this solution. The YubiHSM2 is excellent, and in combination with the Silex DS-510 we have a winner for Certificate Authorities in virtual environments!
#Yubico #YubiHSM2 #Silex #DS-510
One thought on “YubiHSM2 and virtual servers!”
I did a similar thing in early 2020. I don’t have the details so I’m recalling the process from a distant memory so forgive me for using loose terminology. But what I ended up doing was running the driver on my Windows box and then running Yubico’s little web server. I had the client on my Windows CA connect to that little web server and it worked really well. It’s encrypted traffic so it wasn’t that big of a deal. I used an isolated network.