Configure HSM Key Management for a Primary-DR Environment

After the Vault has been installed and has started successfully, you can move the Server key to the HSM, where it is stored externally as a non-exportable key.

Encryption keys can be stored on the HSM device in either of the following ways:

Existing keys can be loaded onto the HSM device. For details, see Load the server key into the HSM.
New keys can be generated directly on the HSM device. For details, see Generate the server key in the HSM.

CyberArk highly recommends placing the Vault and the HSM in close proximity to avoid latency and performance issues.

Load the server key into the HSM

The following process installs and stores the Server key on the HSM device. Once this process is complete, the Server key is stored as a non-exportable key on the HSM and is used by the Vault.