HSM ECDSA support
PrivX 41.0 added experimental support for HSM-backed ECDSA keys. As of PrivX 43.0, this feature is enabled by default on supported providers during installation. Support isn't automatically enabled on upgrades from earlier PrivX versions.
ECDSA is currently unsupported on Thales CipherTrust.
When this feature is disabled, PrivX creates and stores ECDSA keys itself, without using the HSM.
Enabling HSM ECDSA Support
Ensure that you are using the latest SDK and firmware for your HSM provider. After that, enable HSM ECDSA support as follows on each PrivX Server:
1. In /opt/privx/etc/keyvault-config.toml, under the [pkcs11] section, find the features setting and add ecdsa-enabled to the list of features. The features setting is comma-separated. For example, if the current value is "serialize-ops", the new value should be "serialize-ops,ecdsa-enabled".
2. Restart PrivX with:
   sudo systemctl restart privx
In a high-availability installation, repeat these steps on each PrivX Server.
Enabling HSM ECDSA support doesn't move existing ECDSA keys to the HSM; the setting only applies to subsequently created keys.
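The steps above are a manual edit of a comma-separated TOML value, which is easy to get wrong when it is repeated on every server of a high-availability installation (a duplicated or mistyped feature name, or the value edited in the wrong section). The following POSIX shell helper is an added example, not part of PrivX or its documentation: it appends ecdsa-enabled to the features value under [pkcs11] only if it is not already present, leaves any other section alone, and exposes the resulting value so the change can be checked before restarting the service. It assumes the features value is a double-quoted string on a single line, as in the example on this page.

```shell
#!/bin/sh
# Added example, not PrivX's own tooling.
# Assumptions: `features` is a single-line, double-quoted, comma-separated string
# under the [pkcs11] section of a keyvault-config.toml-style file.
set -eu

# Print the current [pkcs11] features value (without quotes), or nothing if absent.
get_pkcs11_features() {
  awk '
    /^[ \t]*\[/ { in_pkcs11 = ($0 ~ /^[ \t]*\[pkcs11\][ \t]*$/) }
    in_pkcs11 && /^[ \t]*features[ \t]*=/ && match($0, /"[^"]*"/) {
      print substr($0, RSTART + 1, RLENGTH - 2)
      exit
    }
  ' "$1"
}

# Idempotently add a feature to the [pkcs11] features list in the given file.
# Usage: add_pkcs11_feature /opt/privx/etc/keyvault-config.toml ecdsa-enabled
add_pkcs11_feature() {
  file=$1
  feature=$2
  tmp=$(mktemp)
  awk -v feat="$feature" '
    # Track which TOML section we are in; only [pkcs11] is edited.
    /^[ \t]*\[/ { in_pkcs11 = ($0 ~ /^[ \t]*\[pkcs11\][ \t]*$/) }
    in_pkcs11 && /^[ \t]*features[ \t]*=/ && match($0, /"[^"]*"/) {
      val = substr($0, RSTART + 1, RLENGTH - 2)
      n = split(val, parts, ",")
      found = 0
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        if (parts[i] == feat) found = 1
      }
      if (!found) {
        newval = (val == "") ? feat : (val "," feat)
        # Rebuild the line: everything up to the opening quote, new value, closing quote onwards.
        $0 = substr($0, 1, RSTART) newval substr($0, RSTART + RLENGTH - 1)
      }
    }
    { print }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Typical use on a PrivX Server (then restart with: sudo systemctl restart privx):
#   add_pkcs11_feature /opt/privx/etc/keyvault-config.toml ecdsa-enabled
#   get_pkcs11_features /opt/privx/etc/keyvault-config.toml
```

Running add_pkcs11_feature a second time is a no-op, so the same command can be used in a configuration-management run across all PrivX Servers without producing "serialize-ops,ecdsa-enabled,ecdsa-enabled". Note that mv replaces the file, so file ownership and mode should be checked afterwards on a real installation; the helper does not preserve them.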