
Securosys VaultContainers

VaultContainers is Securosys' answer to the growing need of organizations to protect not only their keys but the platforms and systems that use them. With VaultContainers, clients can run containers inside the security boundary of a hardened Primus HSM device.

Architecture

The VaultContainers platform is a dedicated subsystem of the Primus HSM, separate from the cryptographic subsystem. Containers communicate with the Partitions through the normal APIs (such as JCE), and this API traffic never leaves the HSM: keys are used inside the device without crossing a network boundary.

VaultContainers architecture diagram

Benefits

  • Compatibility. VaultContainers can run any Docker or OCI-compliant container image.
  • Control over which code runs. Loading container images requires Security Officer (SO) privileges. Changes to container images can therefore only be made through the SO's 2-of-n review; no single operator can load code on their own.
  • Tamper-proof. The certified, tamper-proof hardware ensures that, once loaded, the running containers cannot be modified by an attacker. Note that this protects the integrity of the loaded image; the code inside the container must still be reviewed and kept up to date, as the HSM does not remove vulnerabilities in the application itself.
  • Attestation. VaultContainers metadata is included in Device Attestations, so an external auditor can verify which container image is loaded on the HSM from the attestation rather than by trusting an operator's statement.
  • All-in-one device. Some features, such as the TSB and the KMS, are usually hosted on an external container runtime. VaultContainers removes the need for separate hardware, enabling you to run the entire stack on a Primus HSM.

Limitations

Due to its heightened security requirements, VaultContainers may not be suitable in the following situations.

  • No automatic deployment. Loading a new container image requires SO privileges, so every deployment involves human intervention; a CI/CD pipeline cannot push images to the HSM unattended.
  • Limited scalability. VaultContainers do not support flexible auto-scaling with near-infinite resources. If you require significant scalability, an external Kubernetes cluster may be more suitable. Nevertheless, you can scale VaultContainers horizontally by adding more Primus HSMs to the cluster.

Hardware and Firmware Requirements

The VaultContainers platform was released in firmware v3.3.2. VaultContainers is only available on Primus HSM CyberVault (X2-series) and CyberVault Server.

Normal X2-Series HSMs only support Securosys-provided containers (such as VaultCode or the TSB). To upload custom container images, the Primus HSM CyberVault Server is required.

License Requirements

The VaultContainers platform is included in the base license of X2-series devices. However, to use the Securosys-provided containers the respective feature license is required:

License                       Use case
vault_code                    Run custom JARs in VaultCode.
rest_api                      Run a TSB instance that provides the REST API.
tsb_engine and key_auth       Run a TSB instance and use it as a workflow engine for SKA flows.
key_management_system         Run the Securosys KMS.

These feature licenses are per-Partition. When you enable these features in the User Configuration of a Partition, one license slot is used.
