This document describes deployment on the supported platforms: as a Windows service on Windows and as a systemd service on Linux. Bouncy Hsm can also be used without any of this by simply running it under the current (non-privileged) user.
Bouncy Hsm can be deployed as a Windows service. All commands in this part are executed in PowerShell as a privileged (administrator) user.
For more information see https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/windows-service?view=aspnetcore-8.0&tabs=netcore-cli.
We will install the application in the directory D:\BouncyHsm (for example).
We will create directories:
- D:\BouncyHsm
- D:\BouncyHsm\bin
- D:\BouncyHsm\Logs
- D:\BouncyHsm\Data
Extract BouncyHsm.zip into D:\BouncyHsm\bin.
Configure appsettings.json (the "::" notation below denotes nested JSON keys):
- set LiteDbPersistentRepositorySetup::DbFilePath to D:/BouncyHsm/Data/BouncyHsm.db (this LiteDB file holds the persistent HSM objects, including key material, so keep it in a directory only the service account can read)
- set file logging in Serilog::WriteTo::Args::path to D:/BouncyHsm/Logs/BouncyHsm.log.txt (for configuring logs see https://github.com/serilog/serilog-settings-configuration)
- set the web interface endpoint in Kestrel::Endpoints::Http::Url (the URL the management web interface listens on; bind it to localhost unless remote access is intended)
Create a local user for the service:
New-LocalUser -Name BouncyHsm
Provide a strong password when prompted.
Update security policy (grant the new user the right to log on as a service):
- Open the Local Security Policy editor by running secpol.msc.
- Expand the Local Policies node and select User Rights Assignment.
- Open the Log on as a service policy.
- Select Add User or Group.
- Provide the object name (user account) using either of the following approaches:
  - Type the user account BouncyHsm in the object name field and select OK to add the user to the policy.
  - Select Advanced. Select Find Now. Select the user account from the list. Select OK. Select OK again to add the user to the policy.
- Select OK or Apply to accept the changes.
Add access to the directory D:\BouncyHsm for the new user.
Set ACL:
# $env:COMPUTERNAME gives the local computer name in both Windows PowerShell and PowerShell 7
# (the Get-WmiObject lookup used previously is not available in PowerShell 7)
$user = "{0}\BouncyHsm" -f $env:COMPUTERNAME
$acl = Get-Acl "D:\BouncyHsm"
$aclRuleArgs = $user, "Read,Write,ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($aclRuleArgs)
$acl.SetAccessRule($accessRule)
$acl | Set-Acl "D:\BouncyHsm"
If the error Exception calling "SetAccessRule" with "1" argument(s): "No flags can be set." appears, the rule was not added: this error is raised when inheritance flags (ContainerInherit, ObjectInherit) are applied to a file instead of a directory. Make sure the path given to Get-Acl and Set-Acl is the directory D:\BouncyHsm, then confirm with Get-Acl that the Access list of D:\BouncyHsm contains an Allow entry for the BouncyHsm user before continuing.
Create a service:
$user = "{0}\BouncyHsm" -f $env:COMPUTERNAME
New-Service -Name BouncyHsm -BinaryPathName "D:\BouncyHsm\bin\BouncyHsm.exe --contentRoot D:\BouncyHsm\bin" -Credential $user -Description "Bouncy Hsm instance 1" -DisplayName "Bouncy Hsm" -StartupType Automatic
Because -Credential is given a user name rather than a credential object, New-Service prompts for the password of the BouncyHsm user.
Start service:
Start-Service -Name BouncyHsm
Get-Service -Name BouncyHsm
Stop the service:
Stop-Service -Name BouncyHsm
Remove the service (PowerShell 6 and later, which introduced Remove-Service):
Remove-Service -Name BouncyHsm
Remove the service (Windows PowerShell 5.1 and older):
sc.exe delete BouncyHsm
Remove a user:
Remove-LocalUser -Name "BouncyHsm"
Another option is to run the service under a virtual service account (NT SERVICE\BouncyHsm) instead of a dedicated local user; such an account has no password to manage, but it still needs the same access to the D:\BouncyHsm directory.
Bouncy Hsm can be deployed as a systemd service on Linux. The following commands are executed as root (via sudo).
We will install the application in the directory /opt/BouncyHsm (for example).
We will create directories:
- /opt/BouncyHsm
- /opt/BouncyHsm/bin
- /opt/BouncyHsm/Logs
- /opt/BouncyHsm/Data
Extract BouncyHsm.zip into /opt/BouncyHsm/bin.
Configure appsettings.json (the "::" notation below denotes nested JSON keys):
- set LiteDbPersistentRepositorySetup::DbFilePath to /opt/BouncyHsm/Data/BouncyHsm.db (this LiteDB file holds the persistent HSM objects, including key material, so keep it in a directory only the service account can read)
- set file logging in Serilog::WriteTo::Args::path to /opt/BouncyHsm/Logs/BouncyHsm.log.txt (for configuring logs see https://github.com/serilog/serilog-settings-configuration)
- set the web interface endpoint in Kestrel::Endpoints::Http::Url (the URL the management web interface listens on; bind it to localhost unless remote access is intended)
Create a dedicated system user and group for the service, with no home directory and no login shell:
sudo groupadd --system bouncyhsmuser
sudo useradd --system --gid bouncyhsmuser --no-create-home --shell /usr/sbin/nologin bouncyhsmuser
(useradd is used because it accepts these options on all common distributions; adduser -g works only where adduser is an alias of useradd, as on RHEL-based systems, while the Debian/Ubuntu adduser wrapper uses different option names such as --ingroup.)
Set ownership and permissions so that the service account can read the binaries and write only to Logs and Data:
sudo chown -R bouncyhsmuser:bouncyhsmuser /opt/BouncyHsm/bin
sudo chown -R bouncyhsmuser:bouncyhsmuser /opt/BouncyHsm/Logs
sudo chown -R bouncyhsmuser:bouncyhsmuser /opt/BouncyHsm/Data
sudo find /opt/BouncyHsm/bin -type f -exec chmod u=r,g=r,o= {} \;
sudo find /opt/BouncyHsm/bin -type d -exec chmod u=rwx,g=rx,o= {} \;
sudo chmod u=rwx,g=rx,o= /opt/BouncyHsm/Logs
sudo chmod u=rwx,g=rx,o= /opt/BouncyHsm/Data
The o= part clears the "other" bits (a chmod of only u= and g= leaves whatever the extracted zip had), so other local users cannot read the database or the logs. A tighter variant is to own /opt/BouncyHsm/bin by root:bouncyhsmuser, so that the service account cannot modify its own binaries even if it is compromised.
Create the unit file /etc/systemd/system/bouncyhsm.service. The ExecStart line assumes the dotnet runtime at /usr/local/bin/dotnet; check the actual location with command -v dotnet (package installs typically use /usr/bin/dotnet).
[Unit]
Description=BouncyHsm instance
[Service]
WorkingDirectory=/opt/BouncyHsm/bin
ExecStart=/usr/local/bin/dotnet /opt/BouncyHsm/bin/BouncyHsm.dll
Restart=always
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=bouncyhsm
User=bouncyhsmuser
Group=bouncyhsmuser
Environment=ASPNETCORE_ENVIRONMENT=Production
[Install]
WantedBy=multi-user.target
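The user, permission and unit-file steps above, collected into one added example script (it is not part of the BouncyHsm project or its documentation). It assumes the paths and names used in this guide (/opt/BouncyHsm, bouncyhsmuser, dotnet at /usr/local/bin/dotnet, all overridable through environment variables) and goes a step beyond the guide in two ways: the binaries are owned by root rather than by the service account, so the service cannot overwrite its own code, and the generated unit carries standard systemd sandboxing directives. The functions can be sourced and run against any directory; nothing on the system is changed unless BHSM_APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not part of the BouncyHsm project: the Linux deployment
# steps from this guide as shell functions, plus a permission check and a
# hardened unit file. Assumptions: install root /opt/BouncyHsm, service
# account bouncyhsmuser, dotnet at /usr/local/bin/dotnet (override with
# BHSM_ROOT / BHSM_DOTNET). Nothing is changed unless BHSM_APPLY=1 is set.
set -eu

# Directory layout: ROOT/bin, ROOT/Logs, ROOT/Data.
bhsm_layout() {
  mkdir -p "$1/bin" "$1/Logs" "$1/Data"
}

# Ownership (needs root). Binaries belong to root, so the service account
# cannot replace its own code; it may write only to Logs and Data.
# Arguments: ROOT USER GROUP
bhsm_chown() {
  chown -R "root:$3" "$1/bin"
  chown -R "$2:$3" "$1/Logs" "$1/Data"
}

# Modes: bin files 0440, bin directories 0750, Logs and Data 0750.
# The guide's chmod leaves the "other" bits untouched; o= clears them.
bhsm_chmod() {
  find "$1/bin" -type f -exec chmod u=r,g=r,o= {} +
  find "$1/bin" -type d -exec chmod u=rwx,g=rx,o= {} +
  chmod u=rwx,g=rx,o= "$1/Logs" "$1/Data"
}

# Return 0 when every object under ROOT has the expected mode, 1 otherwise.
# Run it again after an upgrade: extracting a new zip resets the modes.
bhsm_check_modes() {
  local bad
  bad=$(find "$1/bin" -type f ! -perm 440
        find "$1/bin" -type d ! -perm 750
        find "$1/Logs" "$1/Data" -maxdepth 0 ! -perm 750)
  [ -z "$bad" ]
}

# Render the unit file. Compared with the guide's unit it adds standard
# systemd sandboxing: a read-only filesystem except Logs and Data
# (ProtectSystem=strict plus ReadWritePaths), no setuid escalation
# (NoNewPrivileges) and a private /tmp. If the service then fails to start,
# read journalctl -u bouncyhsm and relax the offending directive.
# Arguments: ROOT USER GROUP DOTNET
bhsm_unit() {
  cat <<EOF
[Unit]
Description=BouncyHsm instance
After=network.target

[Service]
WorkingDirectory=$1/bin
ExecStart=$4 $1/bin/BouncyHsm.dll
Restart=always
RestartSec=10
KillSignal=SIGINT
SyslogIdentifier=bouncyhsm
User=$2
Group=$3
Environment=ASPNETCORE_ENVIRONMENT=Production
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=$1/Logs $1/Data

[Install]
WantedBy=multi-user.target
EOF
}

# Usage (after extracting BouncyHsm.zip into ROOT/bin):
#   sudo BHSM_APPLY=1 bash deploy-bouncyhsm.sh
if [ "${BHSM_APPLY:-0}" = "1" ]; then
  root=${BHSM_ROOT:-/opt/BouncyHsm}
  svc=bouncyhsmuser
  getent group "$svc" >/dev/null || groupadd --system "$svc"
  getent passwd "$svc" >/dev/null || \
    useradd --system --gid "$svc" --no-create-home --shell /usr/sbin/nologin "$svc"
  bhsm_layout "$root"
  bhsm_chown "$root" "$svc" "$svc"
  bhsm_chmod "$root"
  bhsm_check_modes "$root"
  bhsm_unit "$root" "$svc" "$svc" "${BHSM_DOTNET:-/usr/local/bin/dotnet}" \
    > /etc/systemd/system/bouncyhsm.service
  systemctl daemon-reload
  echo "deployed; next: systemctl enable --now bouncyhsm"
fi
```

bhsm_check_modes is the part worth keeping around: a zip extracted over an existing bin directory brings back whatever modes the archive carried, so run the check (or simply bhsm_chmod again) after every upgrade.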
Enable the service (start it automatically at boot):
sudo systemctl enable bouncyhsm.service
Start service:
sudo systemctl start bouncyhsm
sudo systemctl status bouncyhsm
Or follow the service's console output in the journal:
sudo journalctl -fu bouncyhsm
For more information see https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-8.0.