Production Image#
The production image is provided for production environments with high security demands. It requires an external etcd key-value store which is connected through an encrypted connection. The NetHSM process can be executed with hardware-based separation (KVM) and device-specific encryption. The image is distributed as OCI image and can be run locally with a compatible executor such as Docker and Podman.
Lyginant su NetHSM aparatine įranga, programinės įrangos konteinerio REST API neįgyvendinamos šios funkcijos:
Network configuration
Factory reset
Reboot
Software update
The NetHSM production container is a product for paying customers only and can be purchased here. The image can be obtained from Nitrokey NetHSM registry using the credentials provided after purchase.
Įspėjimas
The security of the NetHSM software container strongly depends on the platform’s security. A compromised platform could easily compromise a NetHSM software container it executes. In addition the TRNG is not existent so that the entropy used and provided by the NetHSM depends on the platform’s entropy.
Tagging Policy#
The images in the repository are tagged with the Git commit hash and the version of the release.
The latest image is tagged with latest.
Modes of Operation#
The image can be run in two modes of operation, i.e. Unix process or unikernel.
The Unix process mode runs NetHSM as a process on top of the operating system.
The unikernel mode runs NetHSM as a guest in a KVM based virtual machine and provides strong separation from the host operating system.
This mode is only available on Linux and requires access to the /dev/tun and /dev/kvm device nodes and the NET_ADMIN capability.
Svarbu
For security choose to run the container in the unikernel mode.
The mode can be set with the environment variable MODE (see next chapter Configuration).
Konfigūracija#
The container can be configured with the following environment variables.
Environment variable |
Aprašymas |
|---|---|
|
Enables extended logging for NetHSM. |
|
A set unlock passphrase automatically unlocks the container during start. |
|
The mode accepts the values unix or unikernel, defaults to unix. |
|
The URL/IP address of the host running the etcd service. |
|
The port running the etcd service, defaults to 2379. |
|
The path to the certificate of the CA (Certificate Authority) which signed the client certificate. |
|
The path to the certificate for the client authentication. |
|
The path to the secret key for the client authentication. |
The container runtime secrets such as certificates and private keys need to be set with the secrets feature of Docker or Podman.
Secret variable |
Aprašymas |
|---|---|
|
CA certificate which signed the client certificate and server certificate. |
|
Client certificate for authentication of the NetHSM process with the key-value store. |
|
Client key for authentication of the NetHSM process with the key-value store. |
|
Server certificate for the API of the key-value store. |
|
Server key for the API of the key-value store. |
|
Device key of the NetHSM process. To learn more about the device key refer to chapter Terminology and Conventions in the system design. |
Naudojimas#
The production container supports two modes of operation. The following chapters describe how to run the container with the provided compose files or with the _run_ command.
Unix Mode#
You can obtain a provided compose file here. Make sure you have the necessary files for the secrets, mentioned in the compose file, available.
To run the container without the compose file you need to provide an external etcd yourself. Here you find the recommended container image for etcd. Make sure to pass the configuration options, as described in chapter Configuration.
Konteineris gali būti vykdomas taip.
$ docker run -ti --rm -p 8443:8443 registry.git.nitrokey.com/distribution/nethsm:latest
$ podman run -ti --rm -p 8443:8443 registry.git.nitrokey.com/distribution/nethsm:latest
Tai paleis NetHSM kaip „Unix“ procesą konteinerio viduje ir atskleis REST API per HTTPS protokolą prievado 8443 adresu.
Svarbu
Konteineryje naudojamas savarankiškai pasirašytas TLS sertifikatas. Norėdami užmegzti ryšį, įsitikinkite, kad naudojate tinkamus ryšio nustatymus. Norėdami sužinoti daugiau, žr. skyrių NetHSM įvadas.
Unikernel Mode#
You can obtain a provided compose file here. Make sure you have the necessary files for the secrets, mentioned in the compose file, available.
To run the container without the compose file you need to provide an external etcd yourself. Here you find the recommended container image for etcd. Make sure to pass the configuration options, as described in chapter Configuration.
Konteineris gali būti vykdomas taip.
$ docker run -ti --rm -p 8443:8443 --device /dev/net/tun --device /dev/kvm --cap-add=NET_ADMIN -e "MODE=unikernel" registry.git.nitrokey.com/distribution/nethsm:latest
$ podman run -ti --rm -p 8443:8443 --device /dev/net/tun --device /dev/kvm --cap-add=NET_ADMIN -e "MODE=unikernel" registry.git.nitrokey.com/distribution/nethsm:latest
Tai leis paleisti NetHSM kaip unikernelį KVM virtualioje mašinoje. Konteineris atskleis REST API per HTTPS protokolą sąsajoje tap200 su IP adresu 192.168.1.100 ir prievadu 8443.
Svarbu
Konteineryje naudojamas savarankiškai pasirašytas TLS sertifikatas. Norėdami užmegzti ryšį, įsitikinkite, kad naudojate tinkamus ryšio nustatymus. Norėdami sužinoti daugiau, žr. skyrių NetHSM įvadas.