19

We are using Nginx and storing private keys in a file on the server. We would like to move our private keys to an HSM so that SSL keys are stored in the HSM and never leave the HSM. All crypto operations required during SSL termination can be done on the HSM.

After Heartbleed, we have seen a lot of articles suggesting the use of an HSM, but we were not able to find how this can be enabled/added to Nginx. We found a patch enabling engine Keyform to read private keys from the engine. Instead of reading keys from a PKCS#11 supported engine, we would like to use the HSM to do all crypto operations so SSL keys never leave the HSM.

Is there any existing Nginx/OpenSSL plugin/module/implementation which can help us achieve this? I have seen a lot of articles talking about SSL termination using an HSM, but couldn't find any implementation details. So before I start digging into Nginx/OpenSSL code, I would like to hear if anyone has some suggestion or recommendation for this problem.

Josh Correia
  • 103
  • 5
GG01
  • 369
  • 5
  • 7
  • 1
    Which HSM do you want to use? What does its vendor provide to use it? – Z.T. Jun 18 '15 at 21:10
  • 1
    We are using AWS CloudHSM, which is Safenet Luna SA HSM. – GG01 Jun 19 '15 at 16:58
  • 5
    Did you look at "Setting Up SSL Termination on an Apache Web Server with Private Keys Stored in AWS CloudHSM" on this page https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloud-hsm-third-party-apps.html it looks like the "SafeNet's OpenSSL Toolkit" might be what you need. If it's an openssl engine or a patched openssl, nginx should be able to use it to RSA-sign the TLS handshake, which is the only operation you should be doing with your private keys (you should use ECDHE, not RSA key exchange). – Z.T. Jun 19 '15 at 17:26
  • 1
    Thanks Z.T. This is what I am exploring in last few days, since I have learned more about openssl engine. I am able to get openssl LunaCA3 engine built, able to open session but having trouble loading keys. – GG01 Jun 21 '15 at 16:53
  • 3
    Maybe interesting side note: You can use Apache with a key stored in a PKCS#11 device, if you use mod_nss instead of mod_security for TLS. – mat Jun 16 '17 at 07:31
  • Using OpenResty (Nginx + Lua) provides a hook into the SSL protocol: https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block Maybe that is useful to solve the problem. – Philipp Claßen Jul 30 '17 at 18:11
  • The same question came up on [nginx-devel](http://mailman.nginx.org/pipermail/nginx-devel/2015-June/007033.html "Nginx HSM integration for SSL termination") two years ago, maybe contact them how they actually solved it? - Nevermind, I guess that was probably you asking that question :-) – ckujau Sep 02 '17 at 09:23
  • _But instead of reading keys from a PKCS#11 supported engine, we would like to use HSM to do all crypto operations so SSL keys never leave HSM_ - What makes you think that using a PKCS interface the keys would leave the HSM? – Filipe Rodrigues Sep 07 '17 at 20:02
  • This might be a question for the nginx community. You should email them nginx@nginx.org. Be as specific as possible, and I urge you to post the responses your receive back. They will likely need to know the type of HSM you are using. – user158583 Sep 08 '17 at 12:11

3 Answers3

4

I've never done this before. But here are some suggestive pointers. These points are NOT concrete steps to get it working. From the documentation for the new AWS CloudHSM (not classic) offering:

  1. Setup CloudHSM and generate private key using the CLI utility.
  2. Install and configure the CloudHSM OpenSSL library.
  3. Check if engine works openssl engine -t cloudhsm
  4. Configure Nginx. Since Nginx 1.7.9, you can specify an engine for the private keys

The value engine:name:id can be specified instead of the file (1.7.9), which loads a secret key with a specified id from the OpenSSL engine name.

So your nginx config would look something like this

ssl_certificate_key cloudhsm:<name>:<keyid>;

I'm not quite sure what the name would be or the keyID. I'll read-up a bit and edit this answer if I find something.

Note: Also, per documentation, you might have to set the ssl_engine to cloudhsm if you want to enable SSL acceleration (doing the crypto in the HSM). 

ssl_engine cloudhsm;
  1. test.

May I ask why you wouldn't want to offload your SSL at the Load Balancers using AWS ACM? That's the easiest way to do it and it's secure if you trust AWS to be secure.

edit: I read a bit and I'm more or less certain that the Key Handle in CloudHSM parlance - the 6-digit numeric Identifier - is the keyid here. I also think user name is the name part. So your Nginx config could be:

# something that looks like:
ssl_certificate_key cloudhsm:AWSUser:568900;

edit2: Nginx compilation is not necessary. We just have to make sure that the openssl engine is loadable. Once configured, this is what it looks like when verifying:

[root@ip-172-31-14-127 ~]# export n3fips_password=user_cu:Wzs8sukUp7FkVs4xQU
[root@ip-172-31-14-127 ~]# openssl engine -t cloudhsm
(cloudhsm) CloudHSM hardware engine support
     SDK Version: 2.03
[ available ]

edit3: Good news! According to this forum post, Amazon is working on better documentation for Nginx integration with CloudHSM.

edit4: AWS has updated their documentation to include instructions for Apache and Nginx. I seem to have got it slightly right! ;) So, apparently, you download a "fake private key" and use it in your Nginx config. The rest of the instructions hold well.

Regardless of which method you choose, you then export a private key handle from the HSMs and save it to a file. The file doesn't contain the actual private key. It contains a reference to the handle of the private key that is stored on the HSMs. The file's contents are known as a fake PEM format private key. Your web server software uses the fake PEM format private key file, along with the AWS CloudHSM software library for OpenSSL, to offload SSL or TLS processing to the HSMs in your cluster

Documentation here: https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload.html

I haven't tested this yet. Will post an update once I do.

eternaltyro
  • 817
  • 7
  • 16
  • If you read the NGINX documentation closely, it says engine : *name : id* , which suggests that it's the literal string `engine` followed by the actual engine name `cloudhsm` followed by the key id. – tcnj Jan 01 '19 at 12:19
  • @tcnj I didn't notice that at all. I'll try that when I have time. – eternaltyro Jan 08 '19 at 06:49
1

For the benefit of anyone else who found this post via Googling "cloudhsm nginx" like I did: the answer from @eternaltyro is almost correct. But instead of referencing the key ID in the cloudhsm:<name>:<keyid>; format, you use the getCaviumPrivKey function in CloudHSM's key_mgmt_util to export the key as a "fake" PEM file, then point the nginx ssl_certificate_key at that file. You should also set the ssl_engine to cloudhsm as stated.

Wintermute
  • 111
  • 1
0

As you are using Safenet (Now Gemalto)Luna HSM SA 7000. You could add an abstraction layer for Key Management Service. For Example -Gemalto's Key Secure Appliance (they do they virtual appliance).

KMS integrates with HSM. You need to register Key Management service with HSM then each of the transaction from KMS would be wrapped with a master key which is in one of the partitions registered on your HSM.

I worked on HSM and KeySecure But never did SSL termination. To start off if you could try SSL with KMS(w/without HSMs), I can help with rest of the integrations.

Karthik tv
  • 1
  • Welcome to Information Security Stack Exchange! Please note that this site is not for promotion of products or services. If you are affiliated with Gemalto, you must disclose this. Offering services here is off-topic; I suggest you [edit] that part out of your answer. You don't want to be mistaken for a spammer. – S.L. Barth Sep 10 '17 at 17:01