Usage v3.2.0¶
HSMs and Slots¶
First, you must decide which HSMs and slots/partitions you wish to reseed, and ensure that the system running the HSM Reseed Service is configured
to be able to access these. For example, if using a Thales Luna HSM, you should be able to run the lunacm command and see displayed the full
list of slots that you wish to reseed.
Each output generated by Quantum Origin is unique to each partition, so if there are 2 HSMs with 3 partitions each, then there will be 6 unique sets of proven entropy generated every time the entropy is imported into the HSM.
Passwords¶
Using the C_SeedRandom command to seed a particular slot usually requires logging into that slot, so you will need to know the password/PIN for each slot
that you wish to reseed, and you need to configure the Reseed Service so it can use these to log in. There are several possible ways of doing this:
Putting the plaintext password directly into the configuration file. This is the least secure approach and is not recommended by Quantinuum.
Encrypting the password using an encryption key that is stored in a separate slot, and putting the encrypted password into the configuration file. The password is then decrypted before use.
Importing the password into a separate slot as an object, which can be exported before use.
The latter two approaches require that a separate “primary” slot be created on the HSM, that is used to store the encryption key or password objects for the slots which are to be seeded. If using one of these approaches, see the following sections for further details:
Encrypted Passwords¶
If using encrypted passwords then you should first use the CLI tool’s genrsaenc command to generate an RSA encryption key under the primary slot on the HSM. You can
then use the rsaenc command to encrypt the password using this key, and put the resulting encrypted key data into the configuration file.
Imported Passwords¶
If using imported passwords, you should use the CLI tool’s password command to import each password into the primary slot. The label of each imported password can then
be used to identify it in the configuration file.
Configuration¶
The configuration file is used to provide all the necessary configuration options to the service. Here you will tell the service which slots on which HSMs will be reseeded, as well as how the service should obtain the passwords to log in to these slots.
There are also some additional service options that configured the amount of randomness to use when seeding, the frequency of seeding, and the PKCS#11 library that should be used to access the HSM.
The underlying instance of Quantum Origin that is used to generate the randomness can also be configured here, please see the Quantum Origin Core documentation for more details of the available options.
Running¶
Once everything is appropriately configured, the service can be run using the appropriate method for your operating system:
$ systemctl enable qo-hsm-reseed
$ systemctl start qo-hsm-reseed
$ systemctl enable qo-hsm-reseed
$ systemctl start qo-hsm-reseed
PS C:\> Set-Service -Name QoHsmReseed -StartupType Automatic
PS C:\> Start-Service -Name QoHsmReseed