2

I am implementing a security solution and I would like some recommendations on existing HSM software. Has anyone done a comparison of the existing HSM software who can recommend good and supported ones?

I have seen virtual HSM: https://wiki.openvz.org/Virtual_HSM

schroeder
  • 6
    *"HSM software"* - the "H" in "HSM" stands for hardware, i.e. a physical device. This means any pure software solution claiming to be an HSM is not an HSM but at most an approximation, i.e. it usually provides the interface (PKCS#11) but not the security of an HSM. Apart from that, product recommendations are off-topic here. – Steffen Ullrich Jul 19 '18 at 06:51
  • Hello Steffen, thanks for your reply. I totally agree with you about the definition, but they claim that this HSM software has the same capabilities. I am willing to use an open source one. I am asking to see if someone has used HSM software before, to get some opinions. –  Jul 19 '18 at 07:35
  • 2
    *"...have the same capabilities"* - yes, they have the same PKCS#11 interface. But these interface-compatible but software-only "HSMs" don't provide the same security as a real HSM. Thus, if you require an HSM because you need the physical safety of the private keys, none of these software variants can provide it. Given that your requirements are unclear (what exactly is "a good one"), one could not recommend anything even if product recommendations weren't off-topic. – Steffen Ullrich Jul 19 '18 at 07:52
  • Thanks again! I don't actually need the physical safety of my private keys. I want my HSM software to generate encryption keys for each client application (used for encryption on the client side) and register these keys for decryption when receiving encrypted client data. –  Jul 19 '18 at 08:10

1 Answer

1

Mainly it's all about isolation of secret keys to prevent unauthorized use.

I think the better general term to use is crypto token, as used in the PKCS#11 specification.

There are several ways to protect secret keys, ranging from file ownership / permissions and/or key passphrases on the low-end to tamper-proof hardware which automatically deletes the stored keys in case someone is attacking the device with a drilling machine.

Real tamper-proof hardware is pretty expensive and therefore one cannot give a good recommendation without knowing your security requirements and budget.

Taking your term "HSM software" literally, I'd recommend having a look at software implementing PKCS#11 proxy functionality. This allows you to store secret keys on different commodity hardware running a standard OS and then use the keys remotely over the network. It gives better protection than storing and using secret keys on the same system but is not as secure as real HSMs.