1

---Updated---
I had a misunderstanding about HSMs; I thought that they were similar to huge USB tokens!
(>﹏<)′ ~

Let's Encrypt claims that their private keys are stored in HSMs, but how can they have many HSMs with the same key?
I think that they must have more than one server to issue so many certificates, so how can each of these servers have an HSM with the same private key?

Jemmy1228
  • -updated- I think what you are missing is that the private keys are not stored on the HSM; they are encrypted by the HSM and the encrypted version is stored on a server disk. As Michael Ströder points out, multiple HSMs can be initialized to be identical via a fleet-wide (group of HSMs) "world key". – zaph Aug 16 '18 at 15:31
  • @zaph What!!! That's exactly what I'm missing! So an HSM isn't just a huge USB token? The HSM reads the encrypted private key from the server and then decrypts the private key to do crypto operations, right? – Jemmy1228 Aug 16 '18 at 15:37
  • The "decrypt the private key to do crypto operations" depends; the HSM may perform the operations or may just return the decrypted key. This depends on the HSM and the application. – zaph Aug 16 '18 at 15:47
  • @zaph If it only returns the decrypted key, how can the HSM be more secure than just storing the private key on the server disk? I think hackers may be able to read the private key from RAM... – Jemmy1228 Aug 16 '18 at 15:52
  • There is a difference in security between long-term and transient usage. HSMs are for long-term storage; servers still need to be secure for transient use of keys. One difference is getting keys as used by the server, which are only available for a short time in RAM while being used, and only one or a few keys being used at a time, vs obtaining all the keys from a server file. – zaph Aug 16 '18 at 16:00
  • Your belief that they need more than one HSM for volume is probably wrong; based on [this announcement](https://letsencrypt.org/2017/06/28/hundred-million-certs.html) they appear to be issuing something like a few hundred thousand a day, and the type of serious HSM they would use can typically do at least tens of _millions_ of signatures a day. But they _do_ need multiple devices (and servers) to handle a failure or outage, and once you have multiple devices it generally gives better assurance _as well as_ performance to go ahead and use them. – dave_thompson_085 Aug 17 '18 at 02:36

1 Answer

3

I don't know which HSM Let's Encrypt is using. But all major vendors have different mechanisms for doing backup and recovery to an encrypted medium.

One vendor-specific example:

If you set up nCipher/Thales HSMs from scratch, a so-called "world key" is generated, which is stored encrypted on normal disk and with which all keys used for crypto operations within the HSM are encrypted.

The world key itself is encrypted with a key stored in distributed form on a so-called "admin card set" (Shamir's Secret Sharing). So with the files and a configurable k-of-n subset of the admin card set you can restore the world key to a new blank HSM and thus let the HSM decrypt all the key stores also restored to the HSM. They call it "add HSM to security world".

Of course you have to implement your own organizational and technical security controls around that to implement a really secure backup and recovery process.

Having said this you still have to trust the HSM vendor that there is no back-door in the firmware to extract the keys in an undocumented way.

  • Thank you! But I didn't understand what the "world key" is. What can the "world key" do to restore the private key stored in the HSM? And do all nCipher/Thales HSMs use the same "world key", or does each HSM have its own "world key"? And who keeps the "world key", the vendor or the user? – Jemmy1228 Aug 16 '18 at 14:21
  • Edited my answer. Let me know if it's more clear now. – Michael Ströder Aug 16 '18 at 15:18
  • Clearer than before... But I'm still confused about the relationship between the "world key" and the "all keys used for crypto operations within the HSM". Is the "world key" a symmetric key, an asymmetric key, or a file containing the protected private keys? – Jemmy1228 Aug 16 '18 at 15:34
  • I really missed what @zaph said, sorry for that :(... I'm clear now – Jemmy1228 Aug 16 '18 at 15:39
  • You can't accept comments. The issue is this answers the question title but not the question context since the question contained a mis-conception of how the keys are stored. – zaph Aug 16 '18 at 16:12
  • The world key is a symmetric key. And keys used on the HSM are arbitrary symmetric or asymmetric keys. But note that this is highly vendor-specific and you just asked a very broad generic question. – Michael Ströder Aug 16 '18 at 16:13
  • @MichaelStröder Consider incorporating my first comment on the question into your answer in order to more fully answer the implied question. – zaph Aug 16 '18 at 19:14
  • Hmm, I'm rather reluctant to add a comment about keys not being stored on the HSM because this is handled differently. It can even be different within the same HSM depending on the key slot config params. – Michael Ströder Aug 17 '18 at 00:10
  • On CryptoServer HSMs (Utimaco), this would be the Master Backup Key (MBK). MBKs (AES 256) can be unique or replicated across multiple HSMs; when multiple HSMs use the same MBK, then they can share data between them (this is how a cluster is set up). The MBK is used to encrypt key material, arbitrary secrets, the user database backup, etc. "Plain old Crypto Keys" are a thing apart from the MBK and its usage. The RSA keys and their associated data might be stored in an RDBMS, but they are encrypted with the MBK so the only place they are usable is inside one of the HSMs that uses that MBK. – rip... Aug 21 '18 at 22:29
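The following is an added example, not code from this thread and not any vendor's implementation. It models the two mechanisms the accepted answer and zaph's first comment describe: a symmetric "world key" (nCipher) or "master backup key" (Utimaco) that wraps every application key so that only the wrapped blob sits on server disk, and a k-of-n Shamir split of that world key onto "admin cards" so a blank HSM can be added to the same security world. Names such as `ToyHSM`, `init_security_world` and `join_security_world` are assumptions for illustration. Because the Python standard library has no AES, key wrapping is a stand-in built from an HMAC-SHA256 keystream with an HMAC tag, and "signing" is HMAC under the unwrapped key; real devices use AES key wrap or GCM and RSA/ECDSA, and the structure rather than the primitives is the point.

```python
"""Toy model of an HSM 'security world' (added example, not vendor code).

  1. A symmetric world key wraps every application key. Only the wrapped blob
     leaves the HSM; any HSM holding the same world key can use it, a foreign
     HSM cannot (it fails the authentication tag).
  2. The world key is split with Shamir's Secret Sharing into n admin cards;
     any k of them rebuild it on a blank HSM ("add HSM to security world").

Assumption: HMAC-SHA256 keystream + HMAC tag stands in for AES key wrap, and
HMAC under the unwrapped key stands in for an RSA/ECDSA signature.
"""
import hashlib
import hmac
import secrets

P = 2**521 - 1  # Mersenne prime; the field is far larger than a 256-bit key


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Shamir k-of-n split; returns the n (x, y) shares, i.e. the admin card set."""
    s = int.from_bytes(secret, "big")
    if not (1 <= k <= n and s < P):
        raise ValueError("bad parameters")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int = 32) -> bytes:
    """Lagrange interpolation at x = 0. Fewer than k shares give garbage, not
    an error: the scheme itself never tells you the quorum was too small."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(max(length, (total.bit_length() + 7) // 8), "big")


def _subkeys(world_key: bytes):
    """Separate encryption and MAC keys derived from the world key."""
    enc = hmac.new(world_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(world_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def wrap_key(world_key: bytes, plain_key: bytes) -> bytes:
    """Return nonce || ciphertext || tag: the blob that lands on server disk."""
    enc, mac = _subkeys(world_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plain_key, _keystream(enc, nonce, len(plain_key))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(world_key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(world_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("blob was not wrapped under this world key (or is corrupt)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class ToyHSM:
    """One device. The world key exists only in here; the key store is outside."""

    def __init__(self):
        self.world_key = None

    def init_security_world(self, k: int, n: int):
        self.world_key = secrets.token_bytes(32)
        return split_secret(self.world_key, k, n)  # hand out the admin cards

    def join_security_world(self, admin_cards):
        self.world_key = recover_secret(admin_cards)

    def generate_key(self) -> bytes:
        plain = secrets.token_bytes(32)  # stands in for an RSA/EC private key
        return wrap_key(self.world_key, plain)  # only the blob leaves the device

    def sign(self, blob: bytes, message: bytes) -> bytes:
        plain = unwrap_key(self.world_key, blob)  # plaintext key lives only here
        return hmac.new(plain, message, hashlib.sha256).digest()


def demo() -> bool:
    """Issue on HSM A, rebuild the world on HSM B from 2 of 3 cards, sign the
    same blob on B, and confirm an unrelated HSM C cannot use the blob."""
    tbs = b"constructed to-be-signed certificate bytes"
    hsm_a = ToyHSM()
    cards = hsm_a.init_security_world(k=2, n=3)
    blob = hsm_a.generate_key()  # this is what the CA server stores on disk
    sig_a = hsm_a.sign(blob, tbs)

    hsm_b = ToyHSM()
    hsm_b.join_security_world([cards[0], cards[2]])  # any 2 of the 3 cards
    sig_b = hsm_b.sign(blob, tbs)

    hsm_c = ToyHSM()
    hsm_c.init_security_world(k=2, n=3)  # a different security world
    try:
        hsm_c.sign(blob, tbs)
        foreign_rejected = False
    except ValueError:
        foreign_rejected = True
    return sig_a == sig_b and foreign_rejected


if __name__ == "__main__":
    print("demo ok:", demo())
```

Two things the toy makes visible that the thread only states: the blob on disk is useless without the world key (HSM C's tag check fails rather than yielding a wrong key silently), and a sub-quorum of admin cards reconstructs a random value with no indication of failure, which is why card custody and the k-of-n choice are organizational controls, not just configuration.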