Hardware Security Module (HSM)
What is Hardware Security Module (HSM)?
Hardware Security Module (HSM)Tamper-resistant hardware appliance that generates, stores, and uses cryptographic keys without ever exposing the raw key material to the operating system.
An HSM is a dedicated device, card, or cloud service that performs cryptographic operations (sign, verify, encrypt, decrypt, key wrap) inside a hardened security boundary. Keys are generated on-device, never leave in plaintext, and many models are certified under FIPS 140-2 or FIPS 140-3 at Levels 2 to 4 and Common Criteria. HSMs back PKIs, code signing pipelines, payment systems (PIN, EMV), TLS termination, database encryption, and cloud KMS offerings such as AWS CloudHSM, Azure Dedicated HSM, and Google Cloud HSM. Physical and logical protections include tamper detection, key zeroization, and role-separated quorum administration.
● Examples
- 01
A root CA private key generated and used only inside an offline FIPS 140-3 Level 3 HSM.
- 02
PCI HSMs used to process card PIN translation in a payment switch.
● Frequently asked questions
What is Hardware Security Module (HSM)?
Tamper-resistant hardware appliance that generates, stores, and uses cryptographic keys without ever exposing the raw key material to the operating system. It belongs to the Cryptography category of cybersecurity.
What does Hardware Security Module (HSM) mean?
Tamper-resistant hardware appliance that generates, stores, and uses cryptographic keys without ever exposing the raw key material to the operating system.
How does Hardware Security Module (HSM) work?
An HSM is a dedicated device, card, or cloud service that performs cryptographic operations (sign, verify, encrypt, decrypt, key wrap) inside a hardened security boundary. Keys are generated on-device, never leave in plaintext, and many models are certified under FIPS 140-2 or FIPS 140-3 at Levels 2 to 4 and Common Criteria. HSMs back PKIs, code signing pipelines, payment systems (PIN, EMV), TLS termination, database encryption, and cloud KMS offerings such as AWS CloudHSM, Azure Dedicated HSM, and Google Cloud HSM. Physical and logical protections include tamper detection, key zeroization, and role-separated quorum administration.
How do you defend against Hardware Security Module (HSM)?
Defences for Hardware Security Module (HSM) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Hardware Security Module (HSM)?
Common alternative names include: HSM.
● Related terms
- cryptography№ 1178
Trusted Platform Module (TPM)
Standards-based security chip soldered to a mainboard or implemented in firmware that provides hardware-rooted key storage, attestation, and measured boot.
- cryptography№ 419
FIPS 140 / FIPS 140-3
US federal standard, maintained by NIST, that defines security requirements for cryptographic modules and their certification through accredited labs.
- cryptography№ 248
Cryptographic Key
A high-entropy secret or public value that parameterizes a cryptographic algorithm to encrypt, decrypt, sign or authenticate data.
- cryptography№ 589
Key Rotation
The periodic replacement of cryptographic keys with new ones to limit the volume of data protected by any single key and contain the impact of compromise.
- cryptography№ 1260
YubiKey
Family of hardware security keys from Yubico that implement FIDO2, WebAuthn, U2F, PIV smartcard, OpenPGP, and OTP for phishing-resistant authentication.
- cryptography№ 879
Public-Key Cryptography
A branch of cryptography that uses paired public and private keys to enable encryption, key exchange, digital signatures, and authentication without a pre-shared secret.
● See also
- № 462Hardware Token
- № 246Cryptographic Erasure
- № 829PKCS#11