Run privacyIDEA with Securosys HSM

You can run privacyIDEA with several different kinds of HSMs.

You may be interested in running privacyIDEA with a Securosys HSM. This is a European HSM vendor (in contrast to all the U.S. vendors) that is located in Switzerland.

(I am also writing this because I have a demo config lying around and I do not know where to put it. So next time I will ask Google for “privacyIDEA” and “Securosys”!)

First you need to do a base configuration in your pi.cfg, which we call pi-securosys.cfg here:

PI_HSM_MODULE = "privacyidea.lib.security.aeshsm.AESHardwareSecurityModule"
PI_HSM_MODULE_MODULE = "/usr/local/primus/lib/libprimusP11.so.0.9.668"
PI_HSM_MODULE_SLOT = 1
PI_HSM_MODULE_PASSWORD = "PRIMUSDEV"
SQLALCHEMY_DATABASE_URI = 'sqlite:////home/cornelius/src/privacyidea/data-hsm.sqlite'
PI_PEPPER = 'zzsWra6vnoYFrlVXJM3DlgPO'
SECRET_KEY = 'sfYF0kW6MsZmmg9dBlf5XMWE'

Of course you will use your own passwords and spices (PI_PEPPER and SECRET_KEY) instead of these demo values.

The cool thing is that pi-manage now comes with a handy tool to create the necessary encryption keys:

PRIVACYIDEA_CONFIGFILE=/home/cornelius/src/privacyidea/pi-securosys.cfg \
  ./pi-manage hsm create_keys

This will output the following:

PI_HSM_MODULE_KEY_LABEL_TOKEN = 'token_SYGd45VYu7yRAtgZ'
PI_HSM_MODULE_KEY_LABEL_CONFIG = 'config_vFQWYLGw2pwzTBSn'
PI_HSM_MODULE_KEY_LABEL_VALUE = 'value_SAUeQNgHDZWauGjp'

Three new AES keys have been created on the HSM with these labels.
You can now simply copy these lines into your pi-securosys.cfg and privacyIDEA will use these keys for encryption.
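Before restarting privacyIDEA against the HSM, it is worth checking that the config file you assembled from the two steps above is complete and that the demo values from this post have been replaced. The script below is an added example, not part of privacyIDEA or of the post: it loads a pi.cfg the same way privacyIDEA does (a Python file, with the upper-case names taken as settings), checks the PI_HSM_MODULE_* keys and the three key labels, and flags any secret that still carries the demo value. The optional hsm_keys_present() function goes one step further and asks the HSM, through the PyKCS11 library that the AESHardwareSecurityModule itself uses, whether each label resolves to exactly one AES secret key; it needs the HSM and is therefore not run here. The sample config text is constructed from the values shown in the post.

```python
"""Sanity-check a privacyIDEA pi.cfg before pointing it at a PKCS#11 HSM.

Added example, not privacyIDEA's own code.  The config format is the
Flask-style Python file privacyIDEA reads; PyKCS11 is assumed only for
the optional on-HSM check.
"""
import os

# Constructed sample: the demo config and the labels from the post, combined.
SAMPLE_CFG = """\
PI_HSM_MODULE = "privacyidea.lib.security.aeshsm.AESHardwareSecurityModule"
PI_HSM_MODULE_MODULE = "/usr/local/primus/lib/libprimusP11.so.0.9.668"
PI_HSM_MODULE_SLOT = 1
PI_HSM_MODULE_PASSWORD = "PRIMUSDEV"
SQLALCHEMY_DATABASE_URI = 'sqlite:////home/cornelius/src/privacyidea/data-hsm.sqlite'
PI_PEPPER = 'zzsWra6vnoYFrlVXJM3DlgPO'
SECRET_KEY = 'sfYF0kW6MsZmmg9dBlf5XMWE'
PI_HSM_MODULE_KEY_LABEL_TOKEN = 'token_SYGd45VYu7yRAtgZ'
PI_HSM_MODULE_KEY_LABEL_CONFIG = 'config_vFQWYLGw2pwzTBSn'
PI_HSM_MODULE_KEY_LABEL_VALUE = 'value_SAUeQNgHDZWauGjp'
"""

AES_HSM_MODULE = "privacyidea.lib.security.aeshsm.AESHardwareSecurityModule"
REQUIRED = ("PI_HSM_MODULE", "PI_HSM_MODULE_MODULE", "PI_HSM_MODULE_SLOT",
            "PI_HSM_MODULE_PASSWORD", "PI_PEPPER", "SECRET_KEY")
# Label settings and the prefix `pi-manage hsm create_keys` gives each one.
LABEL_KEYS = {"PI_HSM_MODULE_KEY_LABEL_TOKEN": "token_",
              "PI_HSM_MODULE_KEY_LABEL_CONFIG": "config_",
              "PI_HSM_MODULE_KEY_LABEL_VALUE": "value_"}
# Demo values from the post that must never reach a real deployment.
DEMO_SECRETS = {"PI_HSM_MODULE_PASSWORD": "PRIMUSDEV",
                "PI_PEPPER": "zzsWra6vnoYFrlVXJM3DlgPO",
                "SECRET_KEY": "sfYF0kW6MsZmmg9dBlf5XMWE"}


def load_cfg(text):
    """Execute the config like privacyIDEA does and keep the upper-case settings."""
    namespace = {}
    exec(compile(text, "pi.cfg", "exec"), {"__builtins__": {}}, namespace)
    return {k: v for k, v in namespace.items() if k.isupper()}


def check_hsm_cfg(cfg, check_path=True):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    for key in REQUIRED:
        if key not in cfg:
            problems.append(f"{key} is missing")
    if cfg.get("PI_HSM_MODULE") != AES_HSM_MODULE:
        problems.append(f"PI_HSM_MODULE should be {AES_HSM_MODULE}")
    if not isinstance(cfg.get("PI_HSM_MODULE_SLOT"), int):
        problems.append("PI_HSM_MODULE_SLOT must be an integer slot id")
    module = cfg.get("PI_HSM_MODULE_MODULE")
    if check_path and module and not os.path.isfile(module):
        problems.append(f"PKCS#11 library not found: {module}")
    for key, prefix in LABEL_KEYS.items():
        label = cfg.get(key)
        if not label:
            problems.append(f"{key} is missing; run `pi-manage hsm create_keys`")
        elif not label.startswith(prefix):
            problems.append(f"{key} should start with '{prefix}', got {label!r}")
    for key, demo in DEMO_SECRETS.items():
        if cfg.get(key) == demo:
            problems.append(f"{key} still has the demo value from the blog post")
    return problems


def hsm_keys_present(cfg):
    """Ask the HSM whether each label resolves to exactly one AES secret key.

    Assumes the PyKCS11 package (used by privacyIDEA's AES HSM module) and a
    reachable HSM; returns {label: bool}.
    """
    import PyKCS11  # assumption: installed alongside privacyIDEA
    lib = PyKCS11.PyKCS11Lib()
    lib.load(cfg["PI_HSM_MODULE_MODULE"])
    session = lib.openSession(cfg["PI_HSM_MODULE_SLOT"], PyKCS11.CKF_SERIAL_SESSION)
    session.login(cfg["PI_HSM_MODULE_PASSWORD"])
    try:
        result = {}
        for key in LABEL_KEYS:
            label = cfg[key]
            found = session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_SECRET_KEY),
                                         (PyKCS11.CKA_KEY_TYPE, PyKCS11.CKK_AES),
                                         (PyKCS11.CKA_LABEL, label)])
            result[label] = len(found) == 1
        return result
    finally:
        session.logout()
        session.closeSession()


if __name__ == "__main__":
    for problem in check_hsm_cfg(load_cfg(SAMPLE_CFG), check_path=False):
        print("PROBLEM:", problem)
```

Run against the demo config the script reports the three secrets that still carry the demo values; once PI_HSM_MODULE_PASSWORD, PI_PEPPER and SECRET_KEY are replaced with your own values it reports nothing. Pass check_path=True on the privacyIDEA host to also verify that the libprimusP11 path exists.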