An abbreviation for Hardware Security Module, a security device that is compliant with the PKCS11 standard and provides secure storage for data, especially private keys.
Questions tagged [hsm]
144 questions
1
vote
0 answers
Implementing Internal Certificate Authority
We're considering setting up an internal certificate authority to issue SSL certificates. The certificates would primarily be used to secure internal websites, but I could foresee us potentially issuing certificates to secure our VPN infrastructure…
Brad
- 613
- 6
- 12
1
vote
1 answer
Using a HSM device for code signature generation
I currently generate code signatures for my open source package by using openssl.
The way I do it is:
Generate RSA private-public key pair (e.g. openssl genrsa)
During packaging, I create a signature by generating a sha-512 digest for the package…
jdoe
- 13
- 2
1
vote
0 answers
If a HSM RNG is FIPS 140-2 compliant, does that imply FIPS 186-2 compliance also?
If the RNG of an HSM is said to be compliant to FIPS 140-2 (approved DRBG - SP 800-90 CTR mode), does that also imply that it is compliant to FIPS 186-2?
Tarik GUELZIM
- 11
- 2
1
vote
0 answers
AWS DMS to use CloudHSM
I have a source database that needs to be migrated to another one. This target will be created and integrated with CloudHSM so that the data migrated is encrypted. For migration I am planning to use AWS DMS. Both are Oracle Engine (11g). My doubts…
Vysakh
- 11
- 1
0
votes
1 answer
Using a custom authentication mechanism with SSH
I have a hardware device that can compute ECDSA signatures and generate ECDSA keys without exporting the private key (only public key is exported).
I'm looking for a way to tie this into SSH. Is there a way to do so without patching OpenSSH?
user1094206
- 107
- 1
0
votes
1 answer
PKCS11 PIN security
Hardware security modules are tamper-resistant and a PKCS11 PIN is required to use keys.
If a software application wants to perform some cryptographic functions, it should know the PIN.
But the application is running in a non-secure environment and…
sfallahdoost
- 47
- 6
0
votes
1 answer
NSS / OpenSSL tradeoff on an embedded linux application which uses a TPM via pkcs11?
I am on a trade-off between the use of OpenSSL or NSS in an embedded Linux application that makes use of a TPM (HSM).
EDIT: I need a SSH server and Apache using TLS, both using the keys protected by the TPM.
I am looking for satisfying the…
lalebarde
- 587
- 1
- 5
- 13
0
votes
2 answers
How to secure communication between server application and client mobile application through HSM
We are planning to deploy HSM with our application.
The solution we are thinking of is:
Mobile application talks to server application,
Server application talks to HSM for authentication, encryption, decryption
Clients are mobile…
Ravi Khakhkhar
- 59
- 1
- 6
0
votes
1 answer
What is the difference between HSM and PTS-approved point-of-interaction device?
According to PCI-DSS requirement 3.5.2:
We should store secret keys in a cryptographic device.
Cryptographic devices:
1. HSM
2. PTS-approved point of interaction device
My questions:
I have some knowledge about HSM and it encrypts the KEK using Master…
RajeshKannan
- 585
- 2
- 7
- 12
0
votes
0 answers
PL5:220 is heavily overloaded
we use the old PL5:220 is heavily overloaded
Is "etnetserver" the master cryptographic process?
HSM is in the cluster but apparently the load balancer is not working correctly.
Our developers claim that LB is fine, the problem is with HSM
Can the…
Petr
- 1
0
votes
1 answer
How do RSA smartcards prevent key exfiltration?
Extracting private keys directly from the card is nearly impossible. With some acid package destruction and electron microscope work, a skilled team, and enough time, money, and luck you can in theory extract keys but it involves not only physical…
JamesTheAwesomeDude
- 581
- 4
- 15
0
votes
0 answers
How to viably use HSM on public cloud providers (AWS or GCP)
I don't have any experience with HSMs.
My goal is to secure critical seed phrases used to generate crypto wallets
I found a good approach is to use HSMs to store encryption keys and encrypt the seed phrases (I don't know if that's how they're used…
0
votes
1 answer
How do centralized crypto exchanges store seed phrases and users' private keys?
Say I'm trying to develop a CEX, hence I will hold custody of users' keys. How would I go about doing that and ensuring safety and security?
From what I know, I can generate the users' keys from a seed phrase and store the path used to generate the…
0
votes
0 answers
Import BDK encrypted under the Transport Key KEK on HSM
I received a two-component KEK TDES key and a BDK cryptogram, which is encrypted for this KEK.
Do you have any suggestions on how to load such a key into the HSM device? E.g. Luna HSM
0
votes
0 answers
Storing an encryption key securely
I am struggling with the question of how to store a security key in a secure way. I have done some research and there are multiple options.
Option 1) Storing the key on the same server (not recommended, because an attacker might easily get access to…
JavaForAndroid
- 111
- 1