# Secrets Manager: Hardware Security Module (HSM) Support
## Description
### Summary
Enable integration with Hardware Security Modules (HSMs) for cryptographic key protection, meeting enterprise compliance requirements (FIPS 140-2/3, PCI-DSS, SOC2) and providing hardware-backed security for sensitive operations.
### Problem Statement
The current implementation has:
- No HSM integration
- All keys stored in software (encrypted at rest)
- OpenBao seal/unseal uses software keys
- Cannot meet FIPS 140-2 Level 3 requirements
### Market Requirements
- Financial services require FIPS 140-2 Level 3
- Healthcare requires hardware key protection
- Government contracts mandate HSM usage
- Many enterprises have existing HSM infrastructure
### Proposal
Implement HSM abstraction layer supporting multiple providers:
```mermaid
flowchart TB
subgraph SM["GitLab Secrets Manager"]
HAL["HSM Abstraction Layer<br/>(PKCS#11)"]
end
HAL --> Cloud["☁️ Cloud HSM<br/>AWS CloudHSM<br/>GCP Cloud HSM<br/>Azure Dedicated HSM"]
HAL --> OnPrem["🏢 On-Premise HSM<br/>Thales Luna<br/>Entrust nShield<br/>Utimaco"]
HAL --> Soft["💻 Software HSM<br/>(Development)"]
```
### Key Deliverables
1. **HSM Abstraction Layer**
   - PKCS#11 interface
   - Provider configuration
   - Key management operations
2. **Cloud HSM Integration**
   - AWS CloudHSM
   - GCP Cloud HSM
   - Azure Dedicated HSM
3. **On-Premise HSM Support**
   - Thales Luna
   - Entrust nShield
   - Utimaco
4. **HSM Usage Scenarios**
   - OpenBao auto-unseal
   - PKI CA key storage
   - Transit engine KEK
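To make the abstraction layer, the transit-engine KEK scenario and multi-HSM failover (US-5.8) concrete, here is an added Go sketch. It is not code from this epic, from GitLab or from OpenBao: the `KeyProvider` interface, the in-memory `SoftwareHSM` (the "Software HSM (Development)" node in the diagram) and the `Failover` wrapper are hypothetical names chosen for illustration, and a production backend would implement the same interface over a PKCS#11 session (for example via a PKCS#11 binding such as github.com/miekg/pkcs11) rather than holding keys in process memory. The KEK and data key values in the accompanying check are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// KeyProvider is the surface the abstraction layer would expose to callers such as the
// OpenBao seal or the transit engine; the labelled KEK never leaves the provider.
type KeyProvider interface {
	Name() string
	WrapKey(keyID string, dek []byte) ([]byte, error)
	UnwrapKey(keyID string, wrapped []byte) ([]byte, error)
}

// SoftwareHSM stands in for the "Software HSM (Development)" backend: KEKs live in process
// memory, so it cannot meet FIPS 140-2 Level 3. A production backend would speak PKCS#11.
type SoftwareHSM struct {
	name    string
	keks    map[string][]byte // key label -> AES KEK (32 bytes for AES-256)
	Healthy bool              // set by health monitoring (US-5.6)
}

func NewSoftwareHSM(name string) *SoftwareHSM {
	return &SoftwareHSM{name: name, keks: map[string][]byte{}, Healthy: true}
}
func (s *SoftwareHSM) Name() string { return s.name }

// ImportKEK loads key material under a label. Real HSM clusters replicate keys between
// members themselves; here it is done by hand so two providers can serve one label.
func (s *SoftwareHSM) ImportKEK(keyID string, kek []byte) error {
	s.keks[keyID] = append([]byte(nil), kek...)
	return nil
}

func (s *SoftwareHSM) aead(keyID string) (cipher.AEAD, error) {
	if !s.Healthy {
		return nil, errors.New("hsm unavailable")
	}
	kek, ok := s.keks[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key label %q", keyID)
	}
	block, err := aes.NewCipher(kek) // rejects key sizes other than 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey encrypts a data-encryption key under the labelled KEK with AES-GCM. The label
// is bound in as associated data, so a blob wrapped under one label cannot be unwrapped
// under another. Output layout: nonce || ciphertext+tag.
func (s *SoftwareHSM) WrapKey(keyID string, dek []byte) ([]byte, error) {
	g, err := s.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, dek, []byte(keyID)), nil
}

func (s *SoftwareHSM) UnwrapKey(keyID string, wrapped []byte) ([]byte, error) {
	g, err := s.aead(keyID)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(wrapped) >= n {
		return g.Open(nil, wrapped[:n], wrapped[n:], []byte(keyID))
	}
	return nil, errors.New("wrapped key too short")
}

// Failover routes each operation to the first provider that succeeds (US-5.8). It is
// transparent to callers only if every member holds the same KEK under the same label.
type Failover struct{ Providers []KeyProvider }

func (f *Failover) do(op func(KeyProvider) ([]byte, error)) ([]byte, error) {
	var errs []string // every member's failure is kept so an outage is diagnosable
	for _, p := range f.Providers {
		out, err := op(p)
		if err == nil {
			return out, nil
		}
		errs = append(errs, p.Name()+": "+err.Error())
	}
	return nil, errors.New("all HSM providers failed: " + strings.Join(errs, "; "))
}

func (f *Failover) WrapKey(keyID string, dek []byte) ([]byte, error) {
	return f.do(func(p KeyProvider) ([]byte, error) { return p.WrapKey(keyID, dek) })
}

func (f *Failover) UnwrapKey(keyID string, wrapped []byte) ([]byte, error) {
	return f.do(func(p KeyProvider) ([]byte, error) { return p.UnwrapKey(keyID, wrapped) })
}
```

Two design points worth carrying into the real implementation: binding the key label into the AEAD associated data means a DEK wrapped under the transit KEK can never be unwrapped under the PKI CA label even if both labels map to the same material; and failover is only transparent when every cluster member already holds the same KEK, which real HSM clusters handle by replication and the software stand-in handles by explicit import. This sketch fails over per operation with no reconnection delay, so a PKCS#11-backed provider will additionally need session timeouts for the "failover < 30s" target to hold.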
### User Stories
| ID | Story | Points |
|----|-------|--------|
| US-5.1 | Configure AWS CloudHSM | 8 |
| US-5.2 | Configure GCP Cloud HSM | 8 |
| US-5.3 | Configure on-premise HSM | 13 |
| US-5.4 | HSM-backed auto-unseal | 8 |
| US-5.5 | HSM key for PKI CA | 5 |
| US-5.6 | HSM health monitoring | 3 |
| US-5.7 | HSM key rotation | 5 |
| US-5.8 | Multi-HSM failover | 8 |
**Total Story Points:** ~52
### Technical Requirements
- PKCS#11 library integration
- New models: `HsmConfiguration`, `HsmKeyReference`
- Secure credential storage for HSM auth
- Infrastructure changes for HSM connectivity
### Non-Functional Requirements
| Category | Requirement |
|----------|-------------|
| Security | FIPS 140-2 Level 3 compliance |
| Availability | HSM failover < 30s |
| Performance | Cryptographic operations < 100ms |
| Compliance | SOC2, PCI-DSS, FedRAMP |
### Effort Estimate
- **Duration:** 2-3 months development + 3-4 months infrastructure
- **Team:** 2-3 engineers + 2-3 SRE