Luna HSM: TalkingTrust Video Series

Secure your devices, identities and transactions with
Thales Luna HSMs and ecosystem partners – the foundation of digital trust

TalkingTrust with Thales and HashiCorp – DevSecOps

TalkingTrust with HashiCorp and Thales – DevSecOps

As organizations adopt DevSecOps principles for rapid application delivery, they rely heavily on HashiCorp Vault to centrally manage and deliver the appropriate secrets to their applications. In such environments Vault stores thousands or even millions of highly sensitive secrets and encrypts them in storage to prevent unauthorized access. Thales HSM solutions encrypt the Vault master key within a hardware root of trust, providing maximum security and helping meet regulatory requirements. In this video, we discuss how organizations can strengthen Vault's security controls with a Thales Luna HSM to meet the most stringent compliance regulations and automate their DevOps processes.



In this video, Thales and HashiCorp discuss how organizations can meet the most stringent compliance regulations and automate their DevOps processes by utilizing Thales HSMs to securely store the private keys to their HashiCorp Vault.

Dave Madden, Director of Business Development at Thales
Chintan Gosalia, Sr. Solutions Engineer at HashiCorp

Review all integrations and supporting documents for Thales with HashiCorp.

Video Transcript

TalkingTrust Series - HashiCorp - DevSecOps


00:10 Good morning everyone

00:11 and welcome to this webinar hosted by

00:13 Thales and HashiCorp.

00:15 My name is Chintan Gosalia and I'm a

00:17 Senior Solutions Engineer

00:19 at HashiCorp. Previously I also worked for Thales,

00:23 so I'm super excited to be working on

00:25 this webinar with the team there.

00:28 I agree. My name is David Madden and I’m

00:30 thrilled to be here with Chintan today to talk about

00:33 applying roots of trust for devops secrets in Vault

00:37 using an HSM. Today in this webinar we're

00:40 going to plan and discuss a number of things,

00:43 including a very interesting challenge that we're

00:46 seeing out there in the world with

00:47 secrets sprawl that

00:49 a lot of our large organizations are running into. 

00:52 We're also going to talk about how

00:54 organizations can address this with HashiCorp Vault

00:57 Secrets Management, and also how they can

01:00 leverage an HSM as a root of trust to

01:01 protect these secrets stored in the Vault,

01:04 as well as ensuring automation for devops.

01:07 According to our friends at IDC, one of the things

01:10 organizations see as they digitally transform

01:14 is the shift from a service provider

01:16 approach to a core part of the digital

01:18 value chain creation,

01:19 making devops, what Hashi and Thales do, a

01:22 core asset of any business in the digital economy. 

01:25 So we're going to talk about this, talk about that impact

01:28 to really every organization that's digitally transformed.

01:31 So let's get started on this TalkingTrust

01:33 with Thales and HashiCorp,

01:35 and I think the first place maybe we do

01:37 that, Chintan, is around

01:39 secret sprawl, which is on a lot of

01:41 people's minds today. Can you

01:42 describe it in a little more detail

01:44 what's causing secret sprawl?

01:48 That's a great question David. We all know that to thrive

01:52 in today's digital economy every organization

01:55 is heavily investing into digital transformation.

02:00 The goal of this transformation is to accelerate building

02:03 and delivery of applications to its customers,

02:07 and the two critical components to

02:09 achieve this acceleration are:

02:11 number one transition to the modern data center

02:15 that provides on-demand resources; and number two

02:18 adoption of agile and automated devops workflows.

02:23 Now this transition has created a unique

02:26 challenge of secret sprawl.

02:28 For example as a team dynamically scales

02:31 up the number of app servers

02:33 due to increased demand, these newly

02:36 provisioned app servers

02:37 need username and password to connect to

02:40 the database servers.

02:42 A Jenkins server may need to inject a GitHub API key

02:46 in its CI/CD pipeline, or they may also have microservices

02:50 that need tokens and certificates to

02:53 securely connect and communicate with each other.

02:57 The outcome is a lot more sensitive

03:00 secrets to manage

03:01 than they ever had, due to the automated

03:04 dynamic workflows.

03:09 In a recent survey 81 percent of organizations confirm

03:13 that they have experienced secret sprawl,

03:16 and worry about leakage or

03:18 compromise of secrets that can lead to a breach.

03:22 Traditionally the organizations relied

03:24 on storing the secrets in plain text,

03:27 either in config files, application code,

03:30 or even providing secrets manually by human operators.

03:35 This was an acceptable risk in a static

03:38 and high trust network

03:40 in the four walls of a data center,

03:43 but the infrastructure in public clouds

03:45 are no longer owned by

03:47 application owners and without any defined boundaries.

03:51 Networks are considered low trust or zero trust,

03:55 so call these secrets in plain text in

03:57 some files or code.

04:00 What is required is a shift in our

04:02 secret management approach.

04:04 A solution that securely stores secrets,

04:07 and relies on service based identity

04:10 to deliver them to applications in an automated manner.

04:14 Right. Thank you Chintan. So now that we

04:18 understand why these customers are looking at secrets

04:20 and using them in so many different ways,

04:23 enabling them to really achieve

04:25 the benefits of digital transformation automation

04:28 and cloud native, now I think we should probably

04:31 discuss more about how they should best

04:33 approach implementing this

04:35 in a secure and of course a scalable way.

04:38 Can you share some details about how

04:40 Hashi’s approaching this?

04:42 Yeah another great question David. The

04:45 challenges we discussed

04:46 are why HashiCorp Vault has become a 

04:49 de facto standard

04:50 for secret management in a multi-cloud

04:53 environment with devops workflows.

04:56 Its success can be attributed to its

04:58 three core principles.

05:00 The first one is extensible architecture.

05:03 Vault supports a variety of secrets

05:06 through its secrets engines.

05:08 For example, a PKI secrets engine can

05:11 dynamically generate digital certificates.

05:14 KV secrets engine can store any static secrets.

05:18 And MySQL secrets engine can dynamically

05:20 generate MySQL database credentials.

05:24 There is a secret engine available for

05:26 any well-known type of secret

05:28 and its workflow. This extensible and

05:31 pluggable architecture

05:33 allows Vault to provide a single pane of glass

05:37 to manage any secrets in any environment.

05:42 The second principle is its ability to secure

05:45 with any identity. Vault integrates with pretty much

05:49 all popular identity providers, for example

05:53 a client can authenticate with Vault using its

05:56 GitHub credentials when requesting a secret.

06:00 In a development environment, the same client can use

06:03 Okta or AD credentials when requesting a secret

06:07 from a corporate network, or use AWS IAM credentials

06:12 for a secret in the AWS environment.

06:15 This allows Vault to provide secrets to any client

06:19 in any environment.

06:22 The third principle is its API-first approach.

06:26 Every operation in Vault is

06:29 available through a CLI

06:31 and API, and hence it seamlessly integrates

06:35 with any existing human or devops workflow.

06:40 Nice. Now I see why organizations are adopting Vault

06:43 to effectively manage their secret

06:45 sprawl. You know, leveraging these capabilities.

06:48 But doesn't that now make Vault a target

06:51 as it now stores the crown jewels to the

06:53 organization's devops infrastructure?

06:56 Can you tell us how Vault can help address this risk?

07:00 Yeah, it definitely does, and to address this risk

07:03 Vault encrypts all its data in storage

07:06 with an encryption key.

07:09 This encryption key is then encrypted with a master key,

07:13 which is then protected by another key

07:15 known as an unseal key. This unseal key

07:19 can be referred to as the root of trust

07:21 for Vault, as it allows the Vault to

07:24 unlock all secrets stored inside it. This is why

07:28 it is very critical to protect

07:30 this unseal key. Right, so I guess now the

07:33 question in the minds of

07:35 our listeners is how does Vault

07:37 protect this unseal key.

07:40 Yeah, in its default configuration Vault protects

07:44 the unseal key using Shamir’s secret sharing. 

07:48 The unseal key is split into N different key shares.

07:53 Each key share is then provided to a

07:55 separate key custodian, so there are N key custodians

08:00 each knowing a part of the key instead

08:02 of a single person knowing the entire key value.

08:07 A certain threshold of shares also known as K

08:11 is required to reconstruct the unseal key.

08:14 The default value of N is five and K is three,

08:18 so at least three out of five key

08:20 custodians are required

08:22 to reconstruct the unseal key. 

08:25 Whenever a Vault is started, K number of

08:28 key custodians

08:30 must provide their key shares to

08:32 recreate the unseal key.

08:34 They will decrypt the master key which

08:36 will allow Vault to decrypt secrets,

08:39 and fulfill any requests coming from authorized clients.

08:44 This is a secure process as no single key custodian

08:48 knows the unseal key, but there are a

08:51 couple of considerations to using Shamir’s 

08:53 secret sharing as the root of trust for Vault. 

08:58 First, it makes starting or restarting

09:01 Vault a manual process.

09:04 Vault may need to be restarted at odd

09:06 hours due to outages

09:08 or planned maintenance activities, and using

09:11 Shamir’s secret sharing as a root of trust will require

09:14 a human intervention during such events.

09:19 Second, the unseal key is generated using

09:22 Vault's software crypto libraries.

09:25 Many organizations have strict security requirements

09:29 to leverage FIPS 140-2 Level 2

09:33 or Level 3 validated hardware devices

09:36 to generate and manage such critical encryption keys.

09:40 Ah, this is really good to know, thanks

09:41 for sharing that. And as you have mentioned,

09:44 many organizations require an automated unseal process

09:47 and a hardware-based root of trust can

09:49 help meet their compliance requirements as well. 

09:52 And this is where Thales and HashiCorp

09:55 work together to provide an enhanced

09:57 HSM-based root of trust. Can you tell us

09:59 a little bit more about how this

10:01 integration works? Yes, the organizations

10:04 can leverage Thales Luna HSMs as the root of trust

10:08 instead of Shamir's secret sharing.

10:11 In this configuration the responsibility

10:14 of securing the unseal key

10:16 is delegated from users to a highly secure

10:20 and trusted Thales Luna HSM. 

10:24 The unseal key here is generated and stored

10:27 only within the secure boundaries of a Luna HSM.

10:31 At startup, Vault will connect to a Luna HSM

10:35 via the PKCS#11 API, and ask it to decrypt the master key.

10:42 As this process doesn't require any human intervention,

10:46 it is also referred to as automated unseal for Vault. 

10:51 The unseal key also never leaves the HSM,

10:55 and hence is not subject to unauthorized access

10:58 or leakage due to a human error.

11:04 Now let us review some of the benefits of leveraging

11:08 Thales Luna HSM as the root of trust

11:11 versus Shamir’s secret sharing.

11:14 The first benefit as we discussed is

11:16 automated unsealing,

11:19 it also improves the Vault security posture

11:22 as it eliminates any human errors around

11:25 securely storing and managing Vault unseal keys.

11:30 Second - Luna HSM is a FIPS 140-2

11:34 Level 3 and Common Criteria certified device,

11:38 and meets the most stringent security standards

11:41 for generation and management of encryption keys.

11:45 This enhances the root of trust security for Vault,

11:49 and all the secrets stored inside it.

11:53 With Luna HSM as the root of trust, 

11:56 Vault can also supplement

11:58 its system entropy with entropy from

12:01 Thales Luna HSM.

12:03 This can be quite critical for organizations

12:07 where alignment with cryptographic regulations like

12:10 NIST SP 800-90B is required,

12:14 or augmented entropy from hardware to random number

12:18 generators is desirable.

12:22 We typically see this as a requirement

12:24 for many of our Government

12:26 or Financial Services customers.

12:30 Vault can also leverage seal wrapping functionality

12:34 from Luna HSM, where it will store

12:37 its critical security parameters in a manner

12:41 that is compliant with key storage and

12:43 key transit requirements.

12:46 So in a nutshell, Luna HSM based root of trust

12:50 allows an organization to gain better security posture for

12:55 secrets stored in the Vault, while

12:57 benefiting from a highly

12:59 automated operational workflow.

13:04 Thank you for walking through this with us Chintan. 

13:07 So let me see if I can summarize. 

13:09 Typically, as we know,

13:10 security hinders automation and scale

13:13 and so this has been avoided

13:15 really at all costs until required by developers.

13:18 Additionally we're seeing the need for open source

13:22 APIs, CLI, and a broad ecosystem to ensure

13:25 a strong digital innovation for enterprises.

13:28 And so these things have been challenged

13:30 in the past, and now with the combination of Hashi Vault

13:33 and the Thales Luna HSMs, we have a strong

13:35 partnership that really empowers organizations

13:38 to meet their automation security and

13:40 compliance requirements such as FedRAMP, GDPR, 

13:45 PCI-DSS, digital signatures, code signing

13:48 and data encryption. And together we

13:51 enable the vision of devops in a secure

13:52 and efficient manner,

13:54 with the foundation of digital trust. And

13:56 to put this all in the context of the global pandemic,

13:59 IDC have found that teams practicing accelerated

14:04 application delivery and devops were in the position

14:08 to use software innovation and agility impact or

14:11 response to the crisis. They were

14:14 able to better roll out new releases in

14:15 a much shorter time,

14:16 and help drive the shift to a digital business.

14:20 So, we hope you're staying safe and

14:21 leveraging Hashi and Thales to support

14:23 your business plans in 2021

14:25 with our combined foundation of digital trust. 

14:29 Okay, so with this we reached the end of

14:32 our talk. I hope you found this helpful

14:34 and if you have any questions please

14:36 feel free to reach out to the Hashi

14:38 team at, or the Thales

14:41 team at

14:44 You can also feel free to send Chintan or me emails,

14:48 and we'll be happy to respond and follow

14:50 up. Thanks again for your time

14:52 Chintan, and I hope people have enjoyed

14:55 this. Have a great rest of the day.

14:56 Thank you David.

Enhanced Data Security with HashiCorp Vault and Thales HSMs - Solution Brief

Organizations today are faced with a paradigm shift where data is becoming the core of their business. As information increases in volume and value, enterprises are overwhelmed with the challenges of protecting and managing data sprawl. The problem of data protection is...

Securing Emerging Technologies with Thales Luna HSMs - Solution Brief

In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...

HashiCorp Vault with Thales Luna HSMs - Integration Guide

This document describes how to store the HashiCorp Vault encryption key on a Thales Luna HSM or Luna Cloud HSM service and to leverage HSM for entropy augmentation. HashiCorp Vault Enterprise allows HSM support as a feature. It uses the HSM for: Master Key Wrapping: HashiCorp...

Luna Network HSM - Product Brief

Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...