Hardware Security Module Reading Time: 4 minutes

HSMs – Key Management

What is a Hardware Security Module (HSM)?

A hardware security module (HSM) is a physical computing device that protects and achieves strong authentication and cryptographic processing around the use of digital keys. Through an isolated, tamper-proof environment, these devices are built to create and secure cryptographic keys, protect critical cryptographic operations, and lastly enforce implemented policies over the use of these keys. HSMs can come in various forms: PCI e-cards, USB tokens, and network attached appliances are all common.

The Rise of Hardware Security Modules

Organizations have begun realizing the importance of HSMs. The global deployment rate of these devices has risen from 26% in 2012 to 41% in 2017 according to the 2018 Global Encryption Trends Ponemon Institute Research Report. With technology’s ever-changing environment, organizations must keep up to be successful. These changes can lead an organization down two paths. One may lead to growth and prosperity, but the other may lead to destruction and despair.

Growing Concerns:

  • Cyber-Warfare
  • Data Privacy Regulations
  • Mobile Payments
  • Internet of Things

Organizations from all industries are being affected by their data management through encryption or key management. HSMs can offer organizations the ultimate security.

Securing Data using Hardware Security Modules

Hardware Security Modules boasts many impressive features and administrative functions.


  • Generate Encryption Keys
  • Store Keys
  • Crypto Operations Processing
  • Restrict Access only for those Authorized
  • Federal Information Processing Standard 140-2 Levels 3 or 4

For a key generation, an HSM uses a true entropy-driven, hardware-based Random Number Generator, usually built to compliance to level PTG.2 of the BSI Specifications AIS20 and AIS31, and as pertains to Hash_DRBG from the NIST SP 800-90A. Secure Private and Secret keys can only be generated by data returned by such DRBGs (Deterministic Random Bit Generator).

Whether the stages of lifecycle from creation, import, usage, rotation, destruction, and auditing, the HSM maintains protection over encryption keys to ensure data is never exposed. Once the keys are created and stored in the HSM, authorization will only be allowed through a series of key cards and passphrases to gain access, as most HSMs provide support for both multi-factor authentications, and can require access via the “4-eyes” principle.

Risks of Software-only Cryptography

For those that choose to bypass HSMs, software-only cryptography is the next option. However, those choosing software-only cryptography must understand the risks that come with this decision

The two types of attacks on Software-only Cryptography:

Logical Attacks –

mainly involving an attack on main memory or discs in servers to locate the crypto keys

  • Vulnerability during stage operations in server memory.
  • Core Data Dump
  • Accessible by Passphrase

Physical Attacks –

the removal and scanning of old hard drives or memory.

  • Technicians have forcibly removed and frozen hardware to locate cryptographic keys

How does an HSM protect against these two specific threat vectors? The protected secrets never exist outside the HSM, and inside the HSM only ever exist ‘in the clear’ during use, and while inside protected RAM (CPU cache memory, with code running in the cache memory also). Any data-at-rest on the device will be AES256 encrypted. And FIPS 140-2 Level 3 and higher HSMs will react to environmental changes such as temperature (higher or lower than normal), changes in the electrical feed (over- or under-voltage), and Level 4 HSMs extend this protection to the physical, and will erase themselves if the HSM hardware is damaged.

Security Compliance & Regulations

While organizations face many different drivers to encrypt data, fifty-five percent of organizations have said compliance with privacy and data security requirements is their top driver according to the 2018 Global Encryption Trends Ponemon Institute Research Report. Universally, countries are beginning to set a standard for privacy, for those organizations handling sensitive information. Those who wish to ignore these regulations and laws will be at the mercy to hefty fines.

Major Global Regulations:
Major United States Regulations:
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH)
  • The Payment Card Industry Data Security Standard (PCI-DSS)

The Future of Hardware Security Modules

In today’s environment, organizations must adapt to the new digital world. By deploying HSMs, organizations will be laying out the foundation for enterprise encryption and key management. Your cryptographic keys and digital identity will have maximum security. Whether dealing with Public Key Infrastructure (PKI), Document Signing, Code Signing, Key Injection, or Database Encryption, HSMs will provide the utmost security with respect to cryptographic keys now, and in the future.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.


About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo