HSM – What is it and who needs one?

What is a HSM?

HSM stands for Hardware Security Module, and is a very secure dedicated hardware for securely storing cryptographic keys. It can encrypt, decrypt, create, store and manage digital keys, and be used for signing and authentication. The purpose is to safeguard and protect sensitive data.

Why do you need a HSM?

There are several reasons but the main one is security, and security on all levels. In industries like the payment industry where you handle card data, data has to be encrypted in order to comply with PCI DSS. Here HSM is best practice and a must. But from a purely technical perspective, an HSM is a very secure way to store cryptographic keys. 

The hardware is physically protected. You cannot break into it, and it detects and alerts you if something is wrong. If an HSM is stolen and gets switched off, the cryptographic keys can be automatically deleted from its memory. Thus, it is a secure solution if you need to protect extremely sensitive information.

What are the main benefits of using HSM?

Safety, simplicity and performance. An HSM securely protects your cryptographic keys, but at the same time makes them easily accessible from your application and provides you with a high availability and performance of crypto operations.

By using an HSM, you relieve your servers and applications as the key operation in an encryption, encryption is done via HSM hardware instead of your server

Can’t you just encrypt and decrypt without using an HSM?

Yes, you can, but usually the keys used for encryption are generated and stored in the same device as the encryption. This is rarely a good protection for these sensitive keys. If the key is accessible via the computer network, the probability of the key being found and stolen increases. These keys can then be used to decrypt and steal sensitive data.

What security requirements exist for HSMs?

There are strict standards and certification processes for HSM units. There are specific security standards that the hardware itself must adhere to –  FIPS-140 (Federal Information Processing Standards) is one of them. The PCI Council has also dedicated a document to HSM, specifying the requirements for the device. Using an HSM is a security stamp for your organization, and for those who evaluate your compliance with security standards, it signals that the company is taking information security and encryption seriously.

What kind of companies benefit most from using an HSM?

Companies with good insight into IT security and a need to encrypt, sign or verify data. Companies in all industries that handle extremely sensitive data need to securely store crypto keys.

But also organizations that handle sensitive data under GDPR, with high demands on privacy and secure handling of personal data, HSM is a good solution for protecting encryption of personal data.