You can run privacyIDEA with several different kinds of HSMs.
You may be interested in running privacyIDEA with a Securosys HSM. This is a European HSM vendor (in contrast to all the U.S. vendors) that is located in Switzerland.
(I am also writing this because I have a demo config lying around and I do not know where to put it. So next time I will ask Google for “privacyIDEA” and “Securosys”!)
First you need to do a base configuration in your pi.cfg, which we call pi-securosys.cfg in this example:

    PI_HSM_MODULE = "privacyidea.lib.security.aeshsm.AESHardwareSecurityModule"
    PI_HSM_MODULE_MODULE = "/usr/local/primus/lib/libprimusP11.so.0.9.668"
    PI_HSM_MODULE_SLOT = 1
    PI_HSM_MODULE_PASSWORD = "PRIMUSDEV"
    SQLALCHEMY_DATABASE_URI = 'sqlite:////home/cornelius/src/privacyidea/data-hsm.sqlite'
    PI_PEPPER = 'zzsWra6vnoYFrlVXJM3DlgPO'
    SECRET_KEY = 'sfYF0kW6MsZmmg9dBlf5XMWE'
Of course you probably have some other passwords and spices.
The cool thing is that pi-manage now comes with a handy tool to create the necessary encryption keys:

    PRIVACYIDEA_CONFIGFILE=/home/cornelius/src/privacyidea/pi-securosys.cfg \
    ./pi-manage hsm create_keys
This will output the following:

    PI_HSM_MODULE_KEY_LABEL_TOKEN = 'token_SYGd45VYu7yRAtgZ'
    PI_HSM_MODULE_KEY_LABEL_CONFIG = 'config_vFQWYLGw2pwzTBSn'
    PI_HSM_MODULE_KEY_LABEL_VALUE = 'value_SAUeQNgHDZWauGjp'
Three new AES keys have been created on the HSM with the mentioned labels.
You can now simply copy these lines to your pi.cfg and privacyIDEA will use these keys for encryption.
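Before restarting privacyIDEA, it is worth checking that the HSM block in pi.cfg is complete and that none of the demo values from this post are still in it. The following is an added example, not part of privacyIDEA or the Securosys software; the sample config is constructed from the values shown above, and the checks parse the file without executing it.

```python
# Added example (not part of privacyIDEA): sanity-check the HSM settings in a
# pi.cfg. pi.cfg is plain Python that privacyIDEA executes at start-up; this
# check parses it with ast.literal_eval instead, so the file is never executed
# just to inspect it.
import ast
import os

AESHSM = "privacyidea.lib.security.aeshsm.AESHardwareSecurityModule"
KEY_LABELS = ("PI_HSM_MODULE_KEY_LABEL_TOKEN", "PI_HSM_MODULE_KEY_LABEL_CONFIG",
              "PI_HSM_MODULE_KEY_LABEL_VALUE")
# Demo values shown in the post; they must not survive into a real deployment.
DEMO_VALUES = {"PI_HSM_MODULE_PASSWORD": "PRIMUSDEV",
               "PI_PEPPER": "zzsWra6vnoYFrlVXJM3DlgPO",
               "SECRET_KEY": "sfYF0kW6MsZmmg9dBlf5XMWE"}
# Constructed sample: the post's base config plus the create_keys output.
SAMPLE_CFG = '''
PI_HSM_MODULE = "privacyidea.lib.security.aeshsm.AESHardwareSecurityModule"
PI_HSM_MODULE_MODULE = "/usr/local/primus/lib/libprimusP11.so.0.9.668"
PI_HSM_MODULE_SLOT = 1
PI_HSM_MODULE_PASSWORD = "PRIMUSDEV"
PI_HSM_MODULE_KEY_LABEL_TOKEN = 'token_SYGd45VYu7yRAtgZ'
PI_HSM_MODULE_KEY_LABEL_CONFIG = 'config_vFQWYLGw2pwzTBSn'
PI_HSM_MODULE_KEY_LABEL_VALUE = 'value_SAUeQNgHDZWauGjp'
'''


def parse_pi_cfg(text):
    """Return {NAME: value} for every 'NAME = <literal>' statement, without exec()."""
    settings = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            settings[node.targets[0].id] = ast.literal_eval(node.value)
    return settings


def check_hsm_config(settings, check_library=True):
    """Return a list of findings; an empty list means the HSM block looks sane."""
    findings = []
    if settings.get("PI_HSM_MODULE") != AESHSM:
        findings.append("PI_HSM_MODULE does not select the AES HSM module")
    lib = settings.get("PI_HSM_MODULE_MODULE")
    if not lib or (check_library and not os.path.isfile(lib)):
        findings.append("PKCS#11 library (PI_HSM_MODULE_MODULE) not found: %r" % lib)
    if not isinstance(settings.get("PI_HSM_MODULE_SLOT"), int):
        findings.append("PI_HSM_MODULE_SLOT must be an integer")
    missing = [k for k in KEY_LABELS if not settings.get(k)]
    if missing:
        findings.append("run 'pi-manage hsm create_keys' and add " + ", ".join(missing))
    for name, demo in DEMO_VALUES.items():
        if settings.get(name) == demo:
            findings.append("%s still has the demo value from this post" % name)
    return findings
```

On a real host, run `check_hsm_config(parse_pi_cfg(open("/etc/privacyidea/pi.cfg").read()))` and fix every finding it prints before starting the server; with the default `check_library=True` it also confirms the PKCS#11 library path exists.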