
Securosys VaultCode

Securosys VaultCode is a secure runtime environment for executing custom code with HSM-backed security and evidence. VaultCode allows you to load a JAR executable that will be executed by the VaultCode runtime. You can write your business logic in any language that compiles to JVM bytecode.

Think of it as a "safe room" for your business logic, that lives within the HSM's trusted boundaries.

VaultCode runs on the VaultContainers platform on Primus HSMs. VaultCode generates signed evidence (an attestation) covering its environment, the time, the code being executed, and the output. This provides a verifiable statement about the code's integrity and behavior.

Motivation: Automated Approval

In a traditional architecture, your Securosys Primus HSM protects your keys from being physically extracted. However, any application that can access your HSM can use the keys to perform operations, such as signing. Thus your application server and its access credentials to the HSM must be strongly protected.

Smart Key Attributes (SKA) address this problem by enabling you to build powerful multi-authorization rules. These rules can require multiple approvers to come together to approve a key usage. However, the approvers are the Achilles' heel of SKA: Human approvals are manual, cost time, and can be error-prone. And any automated approval logic must run on a server somewhere, thus again introducing a potentially compromised host.

Securosys VaultCode is designed to close this gap. Move your sensitive workflows into the secure perimeter of the HSM.

Instead of your application server telling the HSM to "sign this transaction", your custom automated rules that approve or deny key usage are now executed inside the HSM. And because executables need to be allow-listed by the Security Officers (SOs), you can rest assured that your approval rules cannot be replaced without four eyes seeing the update.

Run Your Code Inside the HSM

While VaultCode was originally created to serve the need for automated approval, this is not the only use case. VaultCode is general, and can run any business logic implemented as a JAR executable.

The executions performed by VaultCode are transactional. This means that the business logic loaded into VaultCode takes an input, processes it, and returns an output. The VaultCode runtime then signs the output and the runtime environment information.

Transactions are stateless by default. However, some use cases require keeping track of things, for example, the number of executions per day. In stateful mode, your executable can store data that can be accessed by subsequent executions. To learn how to set this up, see the stateful execution sample.

Your executable is not intended to be a conventional backend application that users or clients can interact with. In particular, executables cannot open a port and listen for incoming connections. All interactions with your code must go via the VaultCode runtime.

When to Use VaultCode

The transactional nature of VaultCode makes it a perfect fit when you have a process that:

  1. Goes through a checklist.
  2. Signs a statement.
  3. Optionally: The output needs to be archived and must be auditable.

For example, this matches the following use cases:

  • Approving low-volume cryptocurrency transactions (up to a certain threshold).
  • Escrow: funds or documents are only released when the attested code confirms that the conditions are met.
  • Fraud detection rules.
  • Compliance filters (for example: check for sanctioned parties, compute credit risk).

For all of these use cases, loading the executable to VaultCode ensures that the algorithm cannot be altered (without HSM Security Officer interaction) and that the output is auditable.
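As an added example (not code from Securosys or from the VaultCode product documentation), the following JVM class sketches what a transactional executable for the low-volume threshold-approval use case above could look like, and also covers the stateful per-day counter described under "Run Your Code Inside the HSM". The `execute` entry-point signature, the Map-based state store, the input field names and the policy limits are all assumptions made for this illustration; the runtime's actual interface is not shown on this page.

```java
import java.math.BigDecimal;
import java.time.LocalDate;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical VaultCode transaction: one input in, one decision out.
 * The entry-point signature, the Map-based state store and the input
 * field names are assumptions for this example, not VaultCode's real API.
 * The VaultCode runtime (not this class) signs the returned output together
 * with the environment information and timestamp.
 */
public final class ThresholdApprovalRule {

    // Constructed policy values for the example.
    static final BigDecimal PER_TX_LIMIT = new BigDecimal("0.50"); // max amount per transaction
    static final int DAILY_EXECUTION_LIMIT = 20;                    // max executions per calendar day
    static final String STATE_KEY_PREFIX = "executions:";          // assumed state key layout

    /** Result of one execution; the runtime would sign this as the attested output. */
    public record Decision(boolean approved, String reason, String statement) {}

    /**
     * Assumed entry point. Input fields come from the caller; in stateful mode
     * the state map persists across executions (modelled here as a mutable Map).
     */
    public static Decision execute(Map<String, String> input, Map<String, String> state, LocalDate today) {
        // Checklist step 1 (stateful): count this execution and enforce the daily limit.
        String counterKey = STATE_KEY_PREFIX + today;
        int executionsToday = Integer.parseInt(state.getOrDefault(counterKey, "0")) + 1;
        state.put(counterKey, Integer.toString(executionsToday));
        String txId = input.get("txId");
        if (executionsToday > DAILY_EXECUTION_LIMIT) {
            return deny(txId, "daily execution limit reached");
        }
        // Checklist step 2: required fields present.
        String amountStr = input.get("amount");
        String destination = input.get("destination");
        if (txId == null || amountStr == null || destination == null) {
            return deny(txId, "missing required field");
        }
        // Checklist step 3: amount parses and is within the per-transaction limit.
        BigDecimal amount;
        try {
            amount = new BigDecimal(amountStr);
        } catch (NumberFormatException e) {
            return deny(txId, "amount is not a number");
        }
        if (amount.signum() <= 0 || amount.compareTo(PER_TX_LIMIT) > 0) {
            return deny(txId, "amount outside allowed range");
        }
        // All checks passed: emit the statement the runtime will sign.
        String statement = "APPROVE txId=" + txId + " amount=" + amount.toPlainString()
                + " destination=" + destination + " executionsToday=" + executionsToday;
        return new Decision(true, "all checks passed", statement);
    }

    private static Decision deny(String txId, String reason) {
        return new Decision(false, reason, "DENY txId=" + txId + " reason=" + reason);
    }

    /** Local dry run only; inside VaultCode the runtime, not main(), drives execute(). */
    public static void main(String[] args) {
        Map<String, String> state = new HashMap<>();
        LocalDate day = LocalDate.of(2024, 1, 15); // constructed date
        Map<String, String> ok = Map.of("txId", "tx-1", "amount", "0.25", "destination", "addr-A");
        Map<String, String> tooBig = Map.of("txId", "tx-2", "amount", "5.00", "destination", "addr-B");
        System.out.println(execute(ok, state, day));
        System.out.println(execute(tooBig, state, day));
        System.out.println("state=" + state);
    }
}
```

The point of the shape is that the rule is a pure checklist over its input and its own state: it opens no connections and returns a single statement, so the only way to change the decision logic is to replace the allow-listed executable, which the page notes requires Security Officer involvement.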

Benefits

Benefits of using VaultCode to run your business logic include:

  • Attested input and output
  • Attested executable
  • Attested timestamp
  • Attested runtime environment
  • Integrity protection: code cannot be modified at runtime, and can only be updated by authorised personnel

Hardware and License Requirements

Running VaultCode inside a Primus HSM is available on CyberVault Pro or higher (X2-series) and requires firmware version 3.3 or higher.

VaultCode requires the license vault_code set to enabled on the respective Partition. The TSB and SKA, similarly, require the tsb_engine and key_auth licenses, respectively.
