A Hardware Security Module (or HSM) is a physical device that
safeguards and manages cryptographic keys.
Before getting into the technical details, it is important to understand why keys, and in particular private keys, need to
be well protected.
Let’s use the real-world example of a company that issues scratch cards for pre-paid services like electricity or
They use an asymmetric algorithm, i.e. a private key to issue the scratch code and a public key in the electricity
meter or phone to authenticate that the code on the scratch card was issued by them.
If the server that generates the scratch codes is hacked and an attacker gets hold of the private key (possibly without
the knowledge of the company), he can issue the scratch cards himself and sell them on the black market - destroying the
company’s business model by the time they realize the problem.
It is possible for the company to start using a new private key and replace the public keys on all the devices in the field -
but at what cost?
This is where an HSM comes in. Even if a hacker obtains access to the signing server, he will not gain access to the
key - and even if he does get access to the HSM password, he can only issue codes while he has access to the server.
Blocking the hacker from the server and changing the HSM password solves that at a much lower cost than updating all
the devices in the field.
HSMs like the eHSM provide a greater level of security, as the key is never on the file system (or in server memory)
and the device has no operating system to hack. The eHSM also uses a secure element in the form of tamper-resistant
silicon, similar to that used in a smart card, to protect sensitive master keys. Even if the device is stolen (which is
more likely to be noticed than keys being copied from a file system), it is virtually impossible to get to the key data,
and the device clears its internal storage when tampered with.
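The issuing/verification split described above, written out as an added example (this is not code from the eHSM product or from this page): the private key exists only inside a signer type that stands in for the HSM, the meter holds nothing but the public key, and an altered code or a signature from any other key is rejected. The curve is P-256 from the Go standard library, an assumed stand-in for the secp256k1 curve the eHSM implements.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// ScratchSigner stands in for the HSM: the private key exists only inside it
// and the only operation it exposes is signing a scratch code.
type ScratchSigner struct{ priv *ecdsa.PrivateKey }

// NewScratchSigner generates the issuing key inside the "device".
// Stand-in: P-256 from the Go standard library rather than eHSM's secp256k1.
func NewScratchSigner() (*ScratchSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ScratchSigner{priv: priv}, nil
}

// PublicKey is the only key material that leaves the signer; it is what gets
// provisioned into every meter or phone in the field.
func (s *ScratchSigner) PublicKey() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Issue signs the SHA-256 digest of a scratch code; the card carries the
// code together with this signature.
func (s *ScratchSigner) Issue(code string) ([]byte, error) {
	digest := sha256.Sum256([]byte(code))
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Meter holds nothing but the public key: it can verify but never issue.
type Meter struct{ pub *ecdsa.PublicKey }

// Accept reports whether the code/signature pair was issued under the key
// this meter trusts; an altered code or a foreign key fails here.
func (m *Meter) Accept(code string, sig []byte) bool {
	digest := sha256.Sum256([]byte(code))
	return ecdsa.VerifyASN1(m.pub, digest[:], sig)
}
```

Rotating to a fresh ScratchSigner illustrates the cost the text describes: every fielded Meter still trusts the old public key and rejects codes from the new one until it is re-provisioned.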
A general purpose HSM like eHSM can also be used to:
Sign documents and emails
Sign and encrypt files
Protect web server keys
Protect VPN keys (OpenVPN, strongSwan)
Protect remote shell keys (SSH)
Sign software activations (to enable certain features)
Protect Certificate Authority root keys
Bitcoin wallets (eHSM implements the secp256k1 Elliptic Curve algorithm)
Protect GPG keys
Hard disk encryption (with for example VeraCrypt)
Manage keys in many custom applications