Businesses often require application services to restart automatically after a power outage or a reboot of the hosting machine. This poses a problem for applications that must authenticate to the cryptographic module before they can use it, such as the web service application provided by SAKA. For the web service to regain access to keys on the cryptographic module after a restart without human intervention, the PINs of the Key Custodians must be available to the web service application on the SAKA so that it can pass them to the hardware for authentication.
However, this creates a security risk: if the web service application can read these PINs from persisted files, so can an attacker who has compromised the web service application's account. An attacker who obtains the PINs that protect access to keys on the hardware module is in a position to decrypt sensitive data and exfiltrate it from the SAKA.
The only sure way to keep the PINs out of unauthorized hands is not to persist them on the machine at all: the Key Custodians should supply them each time the web service application starts up. The PINs then exist only in the memory of the running web service process. This level of security comes at the cost of needing Key Custodians available at unpredictable times (although that burden can be reduced with Highly Available (HA) systems that replicate data to each other in real time, so that no one SAKA is a single point of failure).
The SAKA ships with a tool, the Key Custodian SetPIN Tool (KCSetPINTool), that alleviates some of the inconvenience of having Key Custodians travel to a remote data center to activate the hardware module. The KCSetPINTool lets a custodian use the cryptographic credential on their USB flash drive to set their part of the PIN on the SAKA over a secure tunnel. Once all three custodians have set their parts, the SAKA hardware is activated and can begin servicing applications. This adds a small delay to the startup process, perhaps 10-15 minutes, but it is significantly more secure than storing PINs on the appliance for an automatic restart.
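The activation gate described above, as an added illustrative model (not StrongKey's KCSetPINTool or SAKA code): each custodian supplies only their own PIN part over a channel assumed to be already authenticated, nothing is written to disk, the cryptographic module is logged into only when every registered custodian has set a part, and the parts are overwritten as soon as the login attempt completes. The custodian names, the `hsm_login` callback and the PIN values are hypothetical stand-ins for the real module authentication call.

```python
"""Quorum gate for Key Custodian PIN parts, held only in process memory.

Added example; not StrongKey code. `hsm_login` stands in for the real
cryptographic-module authentication call and is assumed to return True
on success.
"""
from typing import Callable, Dict, Iterable


class QuorumError(Exception):
    """Raised for any misuse of the gate or a rejected HSM login."""


class CustodianPinQuorum:
    def __init__(
        self,
        custodians: Iterable[str],
        hsm_login: Callable[[Dict[str, bytes]], bool],
    ) -> None:
        self._expected = frozenset(custodians)
        if len(self._expected) < 2:
            raise ValueError("split knowledge requires at least two custodians")
        self._hsm_login = hsm_login
        # PIN parts live only here, as mutable buffers so they can be overwritten.
        # Nothing is ever serialised to disk.
        self._parts: Dict[str, bytearray] = {}
        self.activated = False

    @property
    def missing(self) -> frozenset:
        """Custodians who still have to set their PIN part."""
        return self._expected - frozenset(self._parts)

    def set_pin(self, custodian: str, pin_part: bytes) -> bool:
        """Record one custodian's part.

        Returns False while parts are still outstanding, True once the
        last part arrives and the module accepts the login. Raises
        QuorumError for unknown or repeated custodians, or a rejected login.
        """
        if self.activated:
            raise QuorumError("module already activated; PIN parts have been cleared")
        if custodian not in self._expected:
            raise QuorumError(f"{custodian!r} is not a registered Key Custodian")
        if custodian in self._parts:
            raise QuorumError(f"{custodian!r} has already set a PIN part")
        if not pin_part:
            raise QuorumError("empty PIN part")
        self._parts[custodian] = bytearray(pin_part)
        if self.missing:
            return False
        return self._activate()

    def _activate(self) -> bool:
        # Whether the module accepts or rejects the PINs, the buffers are
        # wiped afterwards; on rejection every custodian must re-enter.
        try:
            ok = self._hsm_login({c: bytes(p) for c, p in self._parts.items()})
            if not ok:
                raise QuorumError("cryptographic module rejected the PINs")
            self.activated = True
            return True
        finally:
            self._wipe()

    def _wipe(self) -> None:
        # Best effort in CPython: the bytearrays are zeroed in place, but the
        # immutable bytes copies handed to hsm_login cannot be scrubbed here.
        for buf in self._parts.values():
            for i in range(len(buf)):
                buf[i] = 0
        self._parts.clear()


if __name__ == "__main__":
    # Constructed demo values, not real PINs.
    gate = CustodianPinQuorum(["kc1", "kc2", "kc3"], lambda pins: len(pins) == 3)
    for who, part in (("kc1", b"1111"), ("kc2", b"2222"), ("kc3", b"3333")):
        print(who, "activated" if gate.set_pin(who, part) else "waiting", sorted(gate.missing))
```

The gate refuses a second part from the same custodian, so one person holding one credential cannot satisfy the quorum alone, and because the parts are never written anywhere, an attacker who later compromises the web service account finds nothing to read.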
If the business entity chooses to accept and manage the risk of storing the Key Custodian PINs on the system for unattended reboots of the SAKA system, the procedures described in this section can help mitigate some of the risks.
In all cases, it is imperative that the site maintain strong network- and host-based security to prevent all unauthorized access to SAKA.