What is an HSM?


A Hardware Security Module (HSM) is a physical computing device that provides extra security for sensitive data. It is a specialized, highly trusted device that performs the major cryptographic operations, including encryption, decryption, authentication, key management, and key exchange. HSMs are designed to safeguard and manage secrets, most importantly digital keys, and to carry out the operations those keys are used for: digital signatures, strong authentication, and other cryptographic functions. They traditionally take the form of a plug-in card or an external device that attaches directly to a computer or network server. An HSM contains one or more secure cryptoprocessor chips that resist tampering and bus probing, or a combination of chips in a module protected by tamper-evident, tamper-resistant, or tamper-responsive packaging.

HSMs are used to provision cryptographic keys for critical functions such as encryption, decryption, and authentication on behalf of applications, identities, and databases. They keep the cryptographic functions that protect transactions, identities, and applications separate from regular operations and control who may invoke those functions. HSMs are tested, validated, and certified to the highest security standards, including FIPS 140-2 and Common Criteria.

HSMs can be connected to a network server or used as a standalone device offline. They are also offered as cloud services. HSM as a service is a subscription-based offering where customers can use a hardware security module in the cloud to generate, access, and protect their cryptographic keys.
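The separation described above, as an added example that is not part of the original page: a stdlib-only Python model of the module boundary, constructed for illustration rather than a real HSM or any vendor's API. Keys are generated inside, the application only ever holds an opaque handle, every operation requires an authenticated session whose role permits it, and a non-extractable key cannot be read back even by the officer role; the PINs, roles and handle format are all assumed for the demo.

```python
import hashlib
import hmac
import secrets

class HSMError(Exception): pass  # raised when the module boundary refuses a request

class SimulatedHSM:
    """Toy model of an HSM boundary (constructed for illustration, not a real HSM).
    Keys are generated inside and referenced from outside only by opaque handles;
    every operation needs an authenticated session whose role permits it."""
    ROLE_PINS = {"officer": "1234", "user": "5678"}  # constructed demo PINs
    PERMISSIONS = {"officer": {"generate", "sign", "export"}, "user": {"sign"}}

    def __init__(self):
        self._keys = {}       # handle -> (key material, extractable flag)
        self._sessions = {}   # session token -> role
        self.audit_log = []   # what a real HSM would record for later review

    def login(self, role, pin):
        if not hmac.compare_digest(self.ROLE_PINS.get(role, ""), pin):
            raise HSMError("authentication failed")
        token = secrets.token_hex(8)
        self._sessions[token] = role
        return token

    def _authorize(self, session, op):
        role = self._sessions.get(session)
        if role is None or op not in self.PERMISSIONS[role]:
            self.audit_log.append(("denied", op, role))
            raise HSMError(f"{op} not permitted for this session")
        self.audit_log.append(("allowed", op, role))

    def generate_key(self, session, extractable=False):
        self._authorize(session, "generate")
        handle = f"key-{len(self._keys) + 1}"
        self._keys[handle] = (secrets.token_bytes(32), extractable)
        return handle  # the caller receives a reference, never the key bytes

    def sign(self, session, handle, message):
        # HMAC-SHA256 stands in for the signature algorithm; the key never leaves here
        self._authorize(session, "sign")
        key, _ = self._keys[handle]
        return hmac.new(key, message, hashlib.sha256).digest()

    def export_key(self, session, handle):
        self._authorize(session, "export")
        key, extractable = self._keys[handle]
        if not extractable:
            raise HSMError("key is marked non-extractable")
        return key
```

The audit_log entries are the part a defender would actually watch: a denied "generate" or "export" from a user session is the kind of event a real module reports.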

In summary, an HSM is a physical computing device that provides extra security for sensitive data. It is a specialized device that performs cryptographic operations and safeguards digital keys, keeping those functions separate from regular operations and controlling access to them. It can be connected to a network server, used as a standalone device offline, or consumed as a cloud service.