proxmox/docs/04-configuration/HSM_STATUS_REPORT.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


HSM Status Report

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation


Date: 2025-01-27
Status: ⚠️ Vault exists but NOT configured with HSM
Purpose: Current state of HSM/Vault infrastructure


Current Status

Vault Container Exists

VMID 108: vault-rpc-translator

  • IP Address: 192.168.11.112
  • Hostname: vault-rpc-translator
  • Status: Running
  • Port: 8200
  • Purpose: Secrets management for RPC Translator service

⚠️ HSM Configuration Status

Current Configuration:

  • HSM Backend: NOT configured
  • Seal Type: Likely using Shamir seal (default)
  • Production Mode: ⚠️ May be running in dev mode
  • HSM Integration: Not present

Evidence:

  • Deployment documentation shows vault server -dev mode
  • No HSM backend configuration found
  • No PKCS#11 library configuration
  • No HSM device references

What Exists

Vault Container (VMID 108)

Location: r630-02 (192.168.11.12) or r630-01 (192.168.11.11)
Purpose: Secrets management for RPC Translator service
Current Use:

  • Stores translator configuration
  • Manages AppRole authentication
  • Provides secrets to RPC Translator VMs (2400-2402)

Configuration:

  • Standard Vault installation
  • AppRole authentication enabled
  • Secret engine configured
  • NOT using HSM backend

What's Missing

HSM Hardware/Backend

  1. No HSM Device

    • No physical HSM hardware
    • No cloud HSM service (AWS CloudHSM, Azure Dedicated HSM)
    • No software HSM (SoftHSM) configured
  2. No HSM Integration

    • Vault not configured with PKCS#11
    • No HSM seal configuration
    • Using default Shamir seal (software-based)
  3. No HSM for Private Keys

    • Private keys still in .env files
    • Not stored in HSM
    • Not using HSM for cryptographic operations

Recommendations

Immediate Actions

  1. Assess Current Vault Configuration

    # Container 108 lives on r630-01 or r630-02; open a shell inside it on the host that has it
    ssh root@192.168.11.12
    pct enter 108
    # VAULT_ADDR defaults to http://127.0.0.1:8200; export it if the listener is elsewhere
    vault status                            # Seal Type (shamir vs pkcs11/awskms) and Storage Type (inmem = dev mode)
    vault read sys/config/state/sanitized   # configured seal/listener/storage stanzas, secrets redacted
    
  2. Determine Vault Mode

    • Check if running in dev mode (not production-ready)
    • Verify seal configuration
    • Check for TLS/HTTPS configuration
  3. Plan HSM Integration

    • Select HSM solution (cloud or on-premise)
    • Plan Vault reconfiguration
    • Plan migration of existing secrets

HSM Options

Option 1: Cloud HSM (Managed Service)

  • AWS CloudHSM - Fully managed, FIPS 140-2 Level 3
  • Azure Dedicated HSM - Managed HSM service
  • Cost: ~$1,500-3,000/month

Option 2: Software HSM (Development/Testing)

  • SoftHSM - Software-based HSM for testing
  • Cost: Free (open source)
  • Use Case: Development, testing, proof of concept

Option 3: On-Premise HSM (Maximum Security)

  • Thales Luna - Enterprise HSM
  • Utimaco - Enterprise HSM
  • Cost: $5,000-50,000 (one-time) + support

Migration Path

Current State → HSM-Enabled Vault

  1. Phase 1: Assessment

    • Verify current Vault configuration
    • Document existing secrets
    • Identify seal type
    • Check production readiness
  2. Phase 2: HSM Selection

    • Select HSM solution
    • Procure/configure HSM
    • Set up HSM access
  3. Phase 3: Vault Reconfiguration

    • Install PKCS#11 library
    • Configure HSM backend
    • Reinitialize Vault with HSM seal
    • Migrate existing secrets
  4. Phase 4: Private Key Migration

    • Move private keys to HSM
    • Update applications
    • Remove keys from .env files
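
As an added example (not part of this report or the project), the server configuration that Phase 3 replaces `vault server -dev` with, emitted by a shell function so it can be redirected into /etc/vault.d/vault.hcl on the container. It assumes Raft storage, TLS material under /etc/vault.d/tls, and placeholder PKCS#11 library/slot/label values; Vault's pkcs11 seal type is a Vault Enterprise feature, which matters when choosing between the HSM options above.

```shell
#!/bin/sh
# Added example, not part of the report: the vault.hcl that Phase 3 targets. It replaces
# `vault server -dev` (in-memory storage, plain HTTP on 127.0.0.1, Shamir seal) with
# persistent storage, TLS, and an HSM-backed seal. The pkcs11 seal is a Vault Enterprise
# feature; lib/slot/labels below are placeholders for the real HSM's values.
set -eu

# Emit the target config on stdout; on the node: render_hsm_vault_config > /etc/vault.d/vault.hcl
render_hsm_vault_config() {
  cat <<'EOF'
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-rpc-translator"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"   # placeholder paths
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}

# Vault's root key is wrapped by a key that never leaves the HSM; Vault reaches it over PKCS#11.
seal "pkcs11" {
  lib            = "/usr/lib/libcryptoki.so"   # placeholder: vendor PKCS#11 library
  slot           = "0"                         # placeholder: HSM slot / partition
  key_label      = "vault-hsm-key"
  hmac_key_label = "vault-hsm-hmac-key"
  generate_key   = "true"                      # create the keys on first start if absent
}
# The PIN stays out of the file: set VAULT_HSM_PIN in the vault service's environment.

api_addr     = "https://192.168.11.112:8200"
cluster_addr = "https://192.168.11.112:8201"
EOF
}

# With an auto-unseal seal, `vault operator init` issues recovery keys instead of unseal
# keys (the HSM unseals the node on every restart); store them offline like Shamir shares.
# Returns the init command to run once the node is up with the config above.
hsm_init_command() {
  printf '%s\n' "vault operator init -recovery-shares=5 -recovery-threshold=3 -format=json"
}

render_hsm_vault_config
```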

Next Steps

  1. Verify Vault Status

    # Check which host has container 108 (anchor the VMID: a bare "grep 108" also matches 1080, IPs, etc.)
    for host in 192.168.11.11 192.168.11.12; do
      ssh root@"$host" "pct list | grep -E '^108[[:space:]]'" && echo "Found on $host"
    done
    
    # Check Vault status (pct exec runs a command inside the container; pct enter only opens a shell)
    ssh root@<host> "pct exec 108 -- vault status"
    
  2. Review Vault Configuration

    • Check /etc/vault.d/vault.hcl (if exists)
    • Verify seal configuration
    • Check for TLS configuration
  3. Plan HSM Integration
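
The assessment that the Immediate Actions and the Next Steps above describe, as an added example that is not part of the report: a POSIX shell check that reads the JSON from `vault status -format=json` (the command run inside container 108) and reports the seal type and dev-mode indicators. The sample JSON and the script name assess_vault.sh are constructed for the demo, not captured from VMID 108.

```shell
#!/bin/sh
# Added example, not part of the original report: turn the Phase 1 assessment into a
# repeatable check. Feed it `vault status -format=json` output and it reports the seal
# type and dev-mode indicators; exit 0 only when the seal is pkcs11 (HSM) and storage
# is not in-memory.
set -eu

# Pull one top-level field out of `vault status -format=json` without needing jq
# (works on both the pretty-printed and the single-line form of the output).
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# Reads status JSON on stdin; prints one finding per line; returns 1 on any red flag.
assess_vault() {
  json=$(cat)
  seal=$(printf '%s' "$json" | json_field type)
  storage=$(printf '%s' "$json" | json_field storage_type)
  sealed=$(printf '%s' "$json" | json_field sealed)
  rc=0
  case "$seal" in
    pkcs11) echo "seal=pkcs11: root key wrapped by an HSM key (PKCS#11)" ;;
    shamir) echo "seal=shamir: software Shamir seal, no HSM (default install)"; rc=1 ;;
    awskms|azurekeyvault|gcpckms|transit)
            echo "seal=$seal: auto-unseal via a KMS, not a PKCS#11 HSM"; rc=1 ;;
    *)      echo "seal='$seal': unrecognised or missing seal type"; rc=1 ;;
  esac
  case "$storage" in
    inmem) echo "storage=inmem: DEV MODE, data is lost on restart"; rc=1 ;;
    "")    echo "storage: not reported by this Vault version, check vault.hcl" ;;
    *)     echo "storage=$storage: persistent backend" ;;
  esac
  [ "$sealed" = "false" ] || echo "node is sealed (vault status exits 2 in this state)"
  return "$rc"
}

# Constructed sample of a dev-mode node's output (not captured from VMID 108).
SAMPLE_DEV='{"type":"shamir","initialized":true,"sealed":false,"t":1,"n":1,"progress":0,"version":"1.15.0","storage_type":"inmem","ha_enabled":false}'

# Stand-alone run on the sample; on the real host pipe the live output in instead:
#   ssh root@<host> "pct exec 108 -- vault status -format=json" | sh assess_vault.sh -
if [ "${1:-}" = "-" ]; then assess_vault; else printf '%s\n' "$SAMPLE_DEV" | assess_vault || true; fi
```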


Summary

| Component | Status | Notes |
|---|---|---|
| Vault Container | Exists | VMID 108, IP 192.168.11.112 |
| Vault Running | Yes | Port 8200 |
| HSM Backend | No | Not configured |
| HSM Hardware | No | No HSM device |
| Private Keys in HSM | No | Still in .env files |
| Production Ready | ⚠️ Unknown | Need to verify configuration |

Conclusion: There is a Vault container running, but it is NOT configured with an HSM backend. It's a standard Vault installation that would need to be reconfigured with HSM integration for production-grade security.


Last Updated: 2025-01-27
Status: ⚠️ Vault exists, HSM not configured