What Is Hardware Security Module (HSM)? | Fortinet (2024)

FAQs

What Is Hardware Security Module (HSM)? | Fortinet? ›

A hardware security module (HSM) is a hardware unit that stores your organization's cryptographic keys to keep them private while still ensuring they are available to those who need them and are authorized to use them.

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets (most importantly digital keys), performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.

Hardware security modules (HSMs) are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates.

Each HSM contains one or more secure 'cryptoprocessor' chips to prevent tampering and 'bus probing'. A common example of HSMs in our daily lives is our use of Automated Telling Machines (ATMs). We all possess ATM or Debit cards that allow us to gain access to our bank account.

Software-based encryption keys can be easily found by attackers trying to hack your systems. A single stolen or misallocated key could lead to a data breach. The proven answer to securing the cryptographic keys and processes that protect your data is to keep them in a hardware security module (HSM).

With its tamper-resistant nature, an HSM ensures that cryptographic operations are performed securely, even in hostile environments where attackers may try to physically compromise the device.

As mentioned there, it can cost from around USD 1.000 to over USD 20.000. Why are HSMs (hardware security modules) used?

2 Disadvantages of HSMs

One of the main disadvantages is that they are expensive and complex to deploy and maintain. HSMs require specialized hardware, software, and personnel to operate and manage them. They also need to be compatible with your hardware design and the standards and protocols that you use.

Hardware Security Modules can generate, rotate, and protect keys, and those keys generated by the HSM are always random. HSMs contain a piece of hardware that makes it possible for its computer to generate truly random keys, as opposed to a regular computer which cannot create a truly random key.

General Purpose HSMs Solution

It provides a secure solution for generating encryption and signing keys, creating digital signatures, encrypting data, and more. These HSMs are available in three FIPS 140-2 certified form factors and support a variety of deployment scenarios.

What are the risks of not using HSM? ›

Without HSMs, encryption keys are stored on servers or other devices that can be compromised, leading to security breaches and loss of sensitive data.

A hardware security module (HSM) is a physical device that provides extra security for sensitive data. This type of device is used to provision cryptographic keys for critical functions such as encryption, decryption and authentication for the use of applications, identities and databases.

Available in network attached and PCIe form factors, ProtectServer Hardware Security Modules (HSMs) are designed to protect cryptographic keys against compromise while providing encryption, signing and authentication services to secure Java and sensitive web applications.

Using an HSM with your own CA

Configure your CA to communicate with an HSM using PKCS11 and create a Label and PIN . Then use your CA to generate the private key and signing certificate for each node, with the private key generated inside the HSM. Use your CA to build the peer or ordering node MSP folder.

There are two types of HSMs: General Purpose HSM and Financial HSM (also called Payment HSM). In this article, we will explain the differences between them. But to understand the differences, we first need to know what each one consists of.

A key management system is employed to provide efficient management of the entire lifecycle of cryptographic keys in accordance with particular compliance standards, whereas an HSM serves as the core component for the secure generation, protection, and usage of the keys.

TPM and HSM both protect your cryptographic keys from unauthorized access and tampering. TPM stores keys securely within your device, while HSM offers dedicated hardware for key storage, management, backup, and separation of access control.

HSMs are physically separated from their servers and can be found in the cloud (HSM in cloud). HSMs have become a very important element to protect the confidential data of both an organization and a user. There are two types of HSMs: General Purpose HSM and Financial HSM (also called Payment HSM).

HSMs ensure secure key management, cryptographic operations, and protection of sensitive information. HSEs provide hardware-accelerated cryptographic capabilities to enhance system performance while maintaining security.