Migrate existing setup to use HSM


We have an existing privacyidea server that currently hosts users’ tokens. This server is currently not using HSM module, and is only using encryption file. We would like to migrate this server to use HSM without affecting current users’ tokens.

Is this possible and is there a way to do this safely? (Provided we have everything correctly set up to switch the privacyidea server to use the HSM. We are only concerned about the change of security implementation causing problems decrypting existing encrypted data.) How do we migrate the flat encryption file to keys in the HSM (key content) if the above is possible?

Thank you!

Best regards,

Quynh Nguyen

Hi @Quynh_Nhat

this is possible. To do so you should have a decent understanding of how privacyIDEA encrypts data.
I recommend you read the documentation especially the chapters “crypto considerations”, “Installation” and “Setup” and the chapter “Security Modules”.
You will use the aeshsm module.

There are basically two ways to do this:

  1. Use the existing 3 encryption keys and move them to the HSM.

  2. Create new encryption keys on the HSM (you can use pi_manage for this) and migrate all the encrypted data.

However, there is no ready-made command to migrate the data in such a case (to my knowledge). You can take a look at the script privacyidea-migrate-linotp.py in the tools directory to get an idea of how this would have to be done.

What HSM are you planning on using?

You can also consider to hire a professional to assist you with that.

Kind regards

Hi @cornelinux ,

Thank you for your response.

We are going with Option 1. We are breaking the original flat enckey file into 3 different AES keys in that order, and importing them into the HSM with the correct labels. We have privacyidea servers that are using this kind of HSM already and they are working fine. We are looking into seeing if the procedure is as simple as breaking the original enckey into 3 different keys in the HSM and switching the privacyidea server to use the HSM module instead of the flat enckey file.

We will follow your suggestion about the documentation reference.

Best regards,

Quynh Nguyen

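To make the "break the flat enckey into 3 keys in that order" step of Option 1 concrete, here is an added helper script (not part of the thread or of privacyIDEA itself) that splits the enckey file into its three 32-byte AES keys, refuses any file that does not have exactly that layout, and records a SHA-256 fingerprint per key for the migration log instead of the key bytes. It assumes the enckey layout used by privacyIDEA's file-based security module (three consecutive 32-byte keys: token, config, value) and that the aeshsm key labels are "token", "config" and "value"; both are assumptions to check against the installed version's documentation before importing anything.

```python
import hashlib
import sys
from pathlib import Path

# Assumed layout of the flat enckey file: three consecutive 32-byte AES-256
# keys, in this fixed order. The label names are assumed to match the
# default aeshsm key labels and must be verified against your setup.
KEY_SIZE = 32
SLOT_ORDER = ("token", "config", "value")


def split_enckey(data: bytes) -> dict:
    """Split raw enckey bytes into the three per-purpose keys, keyed by label.

    Raises ValueError if the data is not exactly 96 bytes, so a truncated,
    base64-encoded or otherwise mangled file is caught before import.
    """
    expected = KEY_SIZE * len(SLOT_ORDER)
    if len(data) != expected:
        raise ValueError(f"enckey must be {expected} bytes, got {len(data)}")
    keys = {label: data[i * KEY_SIZE:(i + 1) * KEY_SIZE]
            for i, label in enumerate(SLOT_ORDER)}
    # Sanity checks: an all-zero or duplicated key points at a broken file.
    if any(k == bytes(KEY_SIZE) for k in keys.values()):
        raise ValueError("enckey contains an all-zero key slot")
    if len(set(keys.values())) != len(SLOT_ORDER):
        raise ValueError("enckey contains identical key slots")
    return keys


def key_fingerprints(keys: dict) -> dict:
    """SHA-256 hex digest per label: safe to keep in the migration record
    and to compare against a fingerprint computed from the import input."""
    return {label: hashlib.sha256(k).hexdigest() for label, k in keys.items()}


def export_for_import(enckey_path: str, out_dir: str) -> dict:
    """Write each key to <out_dir>/<label>.key (mode 0600) for the HSM
    vendor's import tool and return the fingerprints. Shred these files
    once the import has been verified."""
    keys = split_enckey(Path(enckey_path).read_bytes())
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for label, k in keys.items():
        p = out / f"{label}.key"
        p.write_bytes(k)
        p.chmod(0o600)
    return key_fingerprints(keys)


if __name__ == "__main__":
    for label, fp in export_for_import(sys.argv[1], sys.argv[2]).items():
        print(f"{label}: sha256={fp}")
```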