Generate a Vault Server Key on the HSM

CyberArk PAM uses a server key to open and close the Vault. With the integration with a Securosys HSM, this Vault server key will be stored in the HSM.

This guide explains how to generate the server key directly in the HSM. This has the advantage that the key is generated by the HSM's true random number generator and has never left the HSM. For importing an existing key into the HSM, see the separate import tutorial (not recommended).

Step-by-step

  • Stop the PrivateArk Server.

  • Navigate to the Server directory. Within the directory open a command prompt with administrative privileges.

  • (Optional) For more verbose output when generating a new server key on the HSM, run the following command first:

    Set CACryptoTrace=1

  • Run the GenerateKeyOnHSM command to generate a new server key using CAVaultManager:

    CAVaultManager.exe GenerateKeyOnHSM /ServerKey

    Make sure that the result confirms that the server key was successfully generated on the HSM. You should see output like the following:

    ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).
    ITADM114I Successfully connected to Database, Database id 0.
    CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#X).

  • Write down the HSM Key Generation Number HSM#X returned in the command output, as it will be needed in the next steps.

  • Mount the recovery private key (recprv.key) to the Vault server.

  • Open the DBParm.ini file located in C:\Program Files (x86)\PrivateArk\Server\Conf

  • Set the RecoveryPrvKey parameter to the location of the recovery private key and save the file. Example:

    [MAIN]
    RecoveryPrvKey=D:\recprv.key

  • Navigate to the Server directory. In the directory open a command prompt with administrative privileges.
  • Change the existing server key to your newly generated key by running the following command:

    ChangeServerKeys.exe <keys directory> <full path to VaultEmergency.pass> HSM#X

    Parameter                           Description
    <keys directory>                    The directory where the Vault keys are located.
    <full path to VaultEmergency.pass>  The full path to the Vault emergency password file.
    HSM#X                               Replace X with the HSM Key Generation Number.

    Ensure the command output confirms that the server key change was successful, as in the following example:

    CHSRVK054I ChangeServerKeys process was successful. DBParm.ini must be updated to point to new keys for Vault to start.
    CHSRVK042I ChangeServerKeys process ended.

  • Open the DBParm.ini file and set the ServerKey parameter. Replace HSM#X with your HSM Key Generation Number:

    ServerKey=HSM#X

  • Make sure to save the file before starting the PrivateArk Server.
  • Start the PrivateArk Server and confirm that no errors are printed to the console.
  • Verify that you can log on to the Vault using CyberArk authentication.
  • Unmount the recovery private key from DBParm (revert to default value: d:\recprv.key).

The original server key is no longer in use, and a key safely secured in the HSM is now in operation.
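The steps above depend on carrying the HSM Key Generation Number from the GenerateKeyOnHSM output into ChangeServerKeys and DBParm.ini without a transcription error, and on not starting the Vault with a half-edited file. The following Python helpers are an added example, not Securosys or CyberArk code: they parse the message ids quoted on this page, update the [MAIN] section of DBParm.ini while leaving every other line untouched, and check the result before the PrivateArk Server is restarted. They do not invoke CAVaultManager.exe or ChangeServerKeys.exe; the sample tool outputs (with X set to 3) and the paths C:\Keys\server.key and E:\recprv.key are constructed for the example.

```python
"""Consistency helpers for the CyberArk server-key rotation onto an HSM.

Added example, not Securosys or CyberArk code. Nothing here runs the vendor
tools; it only parses what they print and edits DBParm.ini text.
"""
import re

# Message ids quoted on the page.
KEY_GENERATED_ID = "CAVLT187I"   # CAVaultManager.exe GenerateKeyOnHSM success line
CHANGE_OK_ID = "CHSRVK054I"      # ChangeServerKeys.exe success line
KEY_ID_RE = re.compile(r"KeyID=(HSM#\d+)")
DEFAULT_RECOVERY_KEY = r"d:\recprv.key"  # default value named in the final step

# Constructed sample output, modelled on the lines shown on the page (X -> 3).
SAMPLE_GENERATE_OUTPUT = (
    "ITADB399I Using encryption algorithms: Advanced Encryption Standard (AES), 256 bit, "
    "RSA (2048 bit), SHA2-512 (Protocol Integrity), SHA2-512 (Files Integrity).\n"
    "ITADM114I Successfully connected to Database, Database id 0.\n"
    "CAVLT187I Server Key was successfully generated on HSM device (KeyID=HSM#3).\n"
)
SAMPLE_CHANGE_OUTPUT = (
    "CHSRVK054I ChangeServerKeys process was successful. DBParm.ini must be updated "
    "to point to new keys for Vault to start.\n"
    "CHSRVK042I ChangeServerKeys process ended.\n"
)
# Constructed DBParm.ini: file-based server key, recovery key still mounted on E:.
SAMPLE_DBPARM = (
    "[MAIN]\n"
    "ServerKey=C:\\Keys\\server.key\n"
    "RecoveryPrvKey=E:\\recprv.key\n"
    "[OTHER]\n"
    "ServerKey=unrelated\n"
)


def parse_generated_key_id(output: str) -> str:
    """Return the HSM Key Generation Number (e.g. 'HSM#3') from GenerateKeyOnHSM output.

    Raises ValueError when the CAVLT187I line is absent, so a failed generation is
    never carried into ChangeServerKeys by mistake.
    """
    for line in output.splitlines():
        if line.startswith(KEY_GENERATED_ID):
            match = KEY_ID_RE.search(line)
            if match:
                return match.group(1)
    raise ValueError(f"{KEY_GENERATED_ID} not found: server key was not generated on the HSM")


def change_server_keys_succeeded(output: str) -> bool:
    """True only if ChangeServerKeys printed its success message."""
    return any(line.startswith(CHANGE_OK_ID) for line in output.splitlines())


def _main_section(lines):
    """Yield (index, key, value) for every key=value line inside the [MAIN] section."""
    in_main = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_main = stripped.lower() == "[main]"
        elif in_main and "=" in stripped and not stripped.startswith(";"):
            key, value = stripped.split("=", 1)
            yield i, key.strip(), value.strip()


def get_main_parameter(dbparm: str, name: str):
    """Return a [MAIN] parameter value (name matched case-insensitively) or None."""
    for _, key, value in _main_section(dbparm.splitlines()):
        if key.lower() == name.lower():
            return value
    return None


def set_main_parameter(dbparm: str, name: str, value: str) -> str:
    """Return DBParm text with name=value set under [MAIN]; every other line is kept."""
    lines = dbparm.splitlines()
    for i, key, _ in _main_section(lines):
        if key.lower() == name.lower():
            lines[i] = f"{name}={value}"
            return "\n".join(lines) + "\n"
    # Parameter absent: add it right after the [MAIN] header, creating the section if needed.
    headers = [i for i, l in enumerate(lines) if l.strip().lower() == "[main]"]
    if headers:
        lines.insert(headers[0] + 1, f"{name}={value}")
    else:
        lines += ["[MAIN]", f"{name}={value}"]
    return "\n".join(lines) + "\n"


def verify_server_key(dbparm: str, key_id: str) -> list:
    """Problems that must be fixed before starting the PrivateArk Server (empty = OK)."""
    problems = []
    if not KEY_ID_RE.fullmatch(f"KeyID={key_id}"):
        problems.append(f"{key_id!r} is not an HSM key generation number of the form HSM#X")
    server_key = get_main_parameter(dbparm, "ServerKey")
    if server_key != key_id:
        problems.append(f"ServerKey is {server_key!r}, expected {key_id!r}")
    return problems


def recovery_key_reverted(dbparm: str) -> bool:
    """True once RecoveryPrvKey is back at its default (the last step of the procedure)."""
    value = get_main_parameter(dbparm, "RecoveryPrvKey")
    return value is not None and value.lower() == DEFAULT_RECOVERY_KEY.lower()


if __name__ == "__main__":
    key_id = parse_generated_key_id(SAMPLE_GENERATE_OUTPUT)
    assert change_server_keys_succeeded(SAMPLE_CHANGE_OUTPUT), "do not edit DBParm.ini"
    updated = set_main_parameter(SAMPLE_DBPARM, "ServerKey", key_id)
    print(verify_server_key(updated, key_id))          # [] -> safe to start the Vault
    print(recovery_key_reverted(updated))              # False until the recovery key is unmounted
    print(recovery_key_reverted(set_main_parameter(updated, "RecoveryPrvKey", DEFAULT_RECOVERY_KEY)))
```

The [MAIN] handling is deliberately line-based rather than using Python's configparser, so comments, ordering and any other sections of DBParm.ini survive the edit byte for byte; only the one parameter line changes.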
