HSM, short for Hardware Security Module, are pieces of hardware responsible for cryptographic functions. They usually come as USB keys, PCI cards or dedicated appliances.
In this version, only one HSM card model is supported,. Safenet Luna Viper PCI-e card is the one you can set up in order to delegate cryptography.
Supported HSM features
HSM on DenyAll WAF 6.4 only supports cryptographic delegation. Keys storage are not yet implemented.
On appliance startup, an automatic detection is performed to detect new cards. A new device will appear with a name set to "No name" under Setup > HSMs section.
In order to start using your HSM device, you have to initialize it. HSM card initialization will reset all its content and ask you for a name and a password. Once set, those values can't be modified until a new initialization.
To initialize it, select your device in Setup > HSMs, then click on the Init button. You will be prompted for a new name and a password.
Activate cryptographic delegation
When you click on Setup > Boxes > Management, edit a box, you will find a new tab named HSM, allowing you to assign an HSM to a whole appliance.
Only local devices can be selected.
Once you have set the HSM to the appliance, you have to apply this change. Cold restarting every tunnel using SSL is required.
If you want to remove such a device from an appliance, you will see that it still appears under Setup > HSMs section, with an error status. You will be able to then remove it from the list, by selecting it and clicking the Remove button.