# HSM Status Report

**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation

---

**Date:** 2025-01-27
**Status:** ⚠️ Vault exists but NOT configured with HSM
**Purpose:** Current state of HSM/Vault infrastructure

---

## Current Status

### ✅ Vault Container Exists

**VMID 108: vault-rpc-translator**

- **IP Address:** 192.168.11.112
- **Hostname:** vault-rpc-translator
- **Status:** ✅ Running
- **Port:** 8200
- **Purpose:** Secrets management for RPC Translator service

### ⚠️ HSM Configuration Status

**Current Configuration:**

- **HSM Backend:** ❌ NOT configured
- **Seal Type:** Likely using Shamir seal (default)
- **Production Mode:** ⚠️ May be running in dev mode
- **HSM Integration:** ❌ Not present

**Evidence:**

- Deployment documentation shows `vault server -dev` mode
- No HSM backend configuration found
- No PKCS#11 library configuration
- No HSM device references

---

## What Exists

### Vault Container (VMID 108)

**Location:** r630-02 (192.168.11.12) or r630-01 (192.168.11.11)
**Purpose:** Secrets management for RPC Translator service

**Current Use:**

- Stores translator configuration
- Manages AppRole authentication
- Provides secrets to RPC Translator VMs (2400-2402)

**Configuration:**

- Standard Vault installation
- AppRole authentication enabled
- Secret engine configured
- NOT using HSM backend

---

## What's Missing

### HSM Hardware/Backend

1. **No HSM Device**
   - No physical HSM hardware
   - No cloud HSM service (AWS CloudHSM, Azure Dedicated HSM)
   - No software HSM (SoftHSM) configured

2. **No HSM Integration**
   - Vault not configured with PKCS#11
   - No HSM seal configuration
   - Using default Shamir seal (software-based)

3. **No HSM for Private Keys**
   - Private keys still in .env files
   - Not stored in HSM
   - Not using HSM for cryptographic operations

---

## Recommendations

### Immediate Actions

1. **Assess Current Vault Configuration**
   ```bash
   # Open a shell on the Proxmox host, then inside container 108
   ssh root@192.168.11.12
   pct enter 108
   # Report seal type, initialization and sealed state
   vault status
   vault read sys/config/seal
   ```

2. **Determine Vault Mode**
   - Check if running in dev mode (not production-ready)
   - Verify seal configuration
   - Check for TLS/HTTPS configuration

3. **Plan HSM Integration**
   - Select HSM solution (cloud or on-premise)
   - Plan Vault reconfiguration
   - Plan migration of existing secrets

### HSM Options

#### Option 1: Cloud HSM (Recommended for Production)

- **AWS CloudHSM** - Fully managed, FIPS 140-2 Level 3
- **Azure Dedicated HSM** - Managed HSM service
- **Cost:** ~$1,500-3,000/month

#### Option 2: Software HSM (Development/Testing)

- **SoftHSM** - Software-based HSM for testing
- **Cost:** Free (open source)
- **Use Case:** Development, testing, proof of concept

#### Option 3: On-Premise HSM (Maximum Security)

- **Thales Luna** - Enterprise HSM
- **Utimaco** - Enterprise HSM
- **Cost:** $5,000-50,000 (one-time) + support

---

## Migration Path

### Current State → HSM-Enabled Vault

1. **Phase 1: Assessment**
   - [ ] Verify current Vault configuration
   - [ ] Document existing secrets
   - [ ] Identify seal type
   - [ ] Check production readiness

2. **Phase 2: HSM Selection**
   - [ ] Select HSM solution
   - [ ] Procure/configure HSM
   - [ ] Set up HSM access

3. **Phase 3: Vault Reconfiguration**
   - [ ] Install PKCS#11 library
   - [ ] Configure HSM backend
   - [ ] Reinitialize Vault with HSM seal
   - [ ] Migrate existing secrets

4. **Phase 4: Private Key Migration**
   - [ ] Move private keys to HSM
   - [ ] Update applications
   - [ ] Remove keys from .env files

---

## Next Steps

1. **Verify Vault Status**
   ```bash
   # Check which host has container 108
   for host in 192.168.11.11 192.168.11.12; do
     ssh root@$host "pct list | grep 108" && echo "Found on $host"
   done

   # Check Vault status (fill in the host found above; pct exec runs a
   # single command inside the container, pct enter only opens a shell)
   ssh root@ "pct exec 108 -- vault status"
   ```

2. **Review Vault Configuration**
   - Check `/etc/vault.d/vault.hcl` (if exists)
   - Verify seal configuration
   - Check for TLS configuration

3. **Plan HSM Integration**
   - Review HSM options in [MASTER_SECRETS_INVENTORY.md](MASTER_SECRETS_INVENTORY.md)
   - Select appropriate HSM solution
   - Plan migration timeline

---

## Summary

| Component | Status | Notes |
|-----------|--------|-------|
| **Vault Container** | ✅ Exists | VMID 108, IP 192.168.11.112 |
| **Vault Running** | ✅ Yes | Port 8200 |
| **HSM Backend** | ❌ No | Not configured |
| **HSM Hardware** | ❌ No | No HSM device |
| **Private Keys in HSM** | ❌ No | Still in .env files |
| **Production Ready** | ⚠️ Unknown | Need to verify configuration |

---

**Conclusion:** There is a Vault container running, but it is **NOT configured with an HSM backend**. It is a standard Vault installation that would need to be reconfigured with HSM integration for production-grade security.

---

**Last Updated:** 2025-01-27
**Status:** ⚠️ Vault exists, HSM not configured
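The seal-type and dev-mode checks from Immediate Actions steps 1 and 2 and Migration Path Phase 1, as an added example that is not part of this report: a script that reads the JSON form of `vault status` and flags a Shamir seal, an in-memory (dev mode) storage backend, and the 1-of-1 unseal threshold that `vault server -dev` produces. The embedded sample output is constructed, not captured from VMID 108.

```python
import json

# Constructed sample of `vault status -format=json` output for a Shamir-sealed
# dev-mode server; not captured from VMID 108.
SAMPLE_STATUS_DEV = """{
  "type": "shamir", "initialized": true, "sealed": false,
  "t": 1, "n": 1, "progress": 0, "nonce": "",
  "version": "1.15.4", "migration": false,
  "cluster_name": "vault-cluster-dev",
  "cluster_id": "00000000-0000-0000-0000-000000000000",
  "recovery_seal": false, "storage_type": "inmem", "ha_enabled": false
}"""

HSM_SEALS = {"pkcs11"}  # seal types where the master key lives in an HSM
CLOUD_KMS_SEALS = {"awskms", "azurekeyvault", "gcpckms", "ocikms", "transit"}


def assess_vault_status(status_json: str) -> list[str]:
    """Turn `vault status -format=json` output into a list of findings."""
    s = json.loads(status_json)
    findings = []
    seal = s.get("type", "unknown")
    if seal == "shamir":
        findings.append("seal=shamir: software key shares, no HSM protecting the master key")
        if s.get("t") == 1 and s.get("n") == 1:
            findings.append("shamir 1-of-1: single unseal key, the `vault server -dev` default")
    elif seal in HSM_SEALS:
        findings.append(f"seal={seal}: HSM-backed auto-unseal")
    elif seal in CLOUD_KMS_SEALS:
        findings.append(f"seal={seal}: cloud KMS auto-unseal (managed key, not a dedicated HSM)")
    else:
        findings.append(f"seal={seal}: unrecognised seal type, inspect the seal stanza in vault.hcl")
    if s.get("storage_type") == "inmem":
        findings.append("storage=inmem: dev mode, all secrets are lost on restart")
    if not s.get("initialized", False):
        findings.append("not initialized")
    elif s.get("sealed", True):
        findings.append("sealed: secrets unavailable until unsealed")
    return findings


def hsm_backed(status_json: str) -> bool:
    """True only when the seal type is a PKCS#11 HSM seal."""
    return json.loads(status_json).get("type") in HSM_SEALS


if __name__ == "__main__":
    import sys
    # Usage: vault status -format=json | python3 assess_vault.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS_DEV
    for line in assess_vault_status(data):
        print("-", line)
```

The `pkcs11` seal is a Vault Enterprise feature; the open-source build only offers the cloud KMS and Transit auto-unseal seals listed in the script, so the Phase 2 HSM selection should account for licensing.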