CyberArk Digital Vault Integration Guide
This document will guide security administrators through the steps for integrating CyberArk Digital Vault with an HSM on Demand Service. It demonstrates securing a CyberArk Digital Vault's top-level encryption key within an HSM.
The CyberArk Privileged Account Security Solution provides a highly secure database that stores privileged account credentials, access control policies, credential management policies and audit information. To protect both the Digital Vault database and the data stored within it, CyberArk has designed a multi-layered encryption hierarchy that uses FIPS 140-2 compliant encryption. Each individual file and safe within the Digital Vault database is encrypted with its own unique encryption key, and the Digital Vault Server uses this key hierarchy to protect every object in the Vault. At the top of the hierarchy sits the server key, the top-level encryption key that is required to start the Digital Vault.
This document describes how to store the server key (the top-level encryption key) on SafeNet HSMs.
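The key hierarchy described above, as an added illustration that is not CyberArk's or SafeNet's code: a server key that never leaves a (simulated) HSM wraps each safe key, each safe key wraps the per-file keys, and a file can only be read by walking that chain. The HMAC-based wrap primitive is a constructed stand-in for the Vault's FIPS AES wrapping; the safe and file names are assumptions.

```python
import hmac, hashlib, os

# Constructed stand-in for a FIPS key wrap: HMAC-SHA256 keystream (CTR mode)
# plus an HMAC tag (encrypt-then-MAC). It only models the hierarchy.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def wrap(kek: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrap tag mismatch: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(body, _keystream(kek, nonce, len(body))))

class HsmServerKey:
    """Models the HSM-resident server key: callers get wrap/unwrap, never the key bytes."""
    def __init__(self) -> None:
        self.__key = os.urandom(32)  # generated and kept inside the 'HSM'
    def wrap(self, data: bytes) -> bytes:
        return wrap(self.__key, data)
    def unwrap(self, blob: bytes) -> bytes:
        return unwrap(self.__key, blob)

def build_hierarchy(server_key: HsmServerKey, safes: dict) -> dict:
    """Return {safe: (wrapped_safe_key, {file: (wrapped_file_key, ciphertext)})}."""
    vault = {}
    for safe, files in safes.items():
        safe_key = os.urandom(32)  # one unique key per safe
        entries = {}
        for name, content in files.items():
            file_key = os.urandom(32)  # one unique key per file
            entries[name] = (wrap(safe_key, file_key), wrap(file_key, content))
        vault[safe] = (server_key.wrap(safe_key), entries)
    return vault

def read_file(server_key: HsmServerKey, vault: dict, safe: str, name: str) -> bytes:
    """Start-up path: server key unwraps the safe key, which unwraps the file key."""
    wrapped_safe_key, entries = vault[safe]
    safe_key = server_key.unwrap(wrapped_safe_key)
    wrapped_file_key, ciphertext = entries[name]
    return unwrap(unwrap(safe_key, wrapped_file_key), ciphertext)
```

Losing or replacing the server key leaves every safe key unrecoverable, which is why its generation and protection are moved into the HSM.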
The benefits of securing the server key with SafeNet HSM include:
>Secure generation, storage, management, and protection of the encryption keys on a FIPS 140-2 level 3 validated hardware*.
>Full life-cycle management of keys.
>Performance improvements resulting from off-loading cryptographic operations from application servers to the HSM on Demand Service.
This integration guide uses the following third party applications:
>CyberArk Digital Vault server
The platforms listed below were tested with the following HSM:
SafeNet Data Protection on Demand (DPoD) is a cloud-based platform that provides on-demand HSM and Key Management services through a simple graphical user interface. With DPoD, security is simple, cost effective and easy to manage because there is no hardware to buy, deploy and maintain. As an Application Owner, you click and deploy services, generate usage reports and maintain only the services that you need.
| CyberArk Vault Server | PrivateArk Client | Operating System |
|---|---|---|
| 10.3 | 10.3 | Windows Server 2012 R2 |