Password Safe Dinamo Hardware Security Module Integration Guide

This guide describes integrating Password Safe with a Dinamo Hardware Security Module (HSM) device.

An HSM appliance is a hardware device that safeguards and manages digital cryptography keys for strong authentication and provides cryptographic processing functionality. A cloud-based HSM service provides cost-effective, on-demand key management services using a graphical user interface. Password Safe can use HSMs to manage encryption keys for stored credentials. The HSM takes over the key management, encryption, and decryption functionality for the stored credentials.

Password Safe communicates with HSMs using a commonly supported API called PKCS#11. HSMs include a PKCS#11 driver with their client software installation. This allows applications to use the device without requiring specific knowledge of the make, model, or configuration of the HSM.

The Password Safe integration with an HSM treats the HSM as an external API that only requires credentials. Advanced configurations and features, such as high-availability implementations, are typically transparent in Password Safe. For example, the client software might allow a group of multiple HSMs to be presented as a single token in a single slot. In this case, Password Safe accesses the group the same way it accesses a single HSM. Configuring the group and synchronizing key data is outside the scope of the Password Safe software and must be performed according to the guidelines for the specific hardware. If necessary, seek assistance from the HSM vendor.

Password Safe HSM Credential Usage

  • Password Safe uses only one set of HSM credentials to encrypt any stored credential at a given time.
  • Password Safe always encrypts new or edited credentials using the latest stored set of HSM credentials.
  • Password Safe supports legacy HSM credentials. Credentials that were encrypted using an older set of HSM credentials are still accessible if the HSM credential used to encrypt them has not been deleted manually.
  • Archived HSM credentials remain in the Password Safe database until they are manually deleted.

Supported Product Configurations

The following software and firmware versions were tested and verified as a supported configuration for this integration.

Operating System / Software / Hardware Version
BeyondInsight and HSM Client Server OS Windows Server 2019
Database Microsoft SQL Server 2019
Password Safe 22.2 and later releases
Dinamo HSM Firmware 4.0.28 and later releases
Dinamo HSM Client Software and later releases

For more information on installing the Dinamo HSM Client Software on a Windows Server, please see: HSMs Dinamo / Software Client / Windows.