Skip to main content
Certyneo
Glossary term · H

HSM (Hardware Security Module)

Definition

An HSM (Hardware Security Module) is a tamper-resistant physical device dedicated to the secure generation, storage and use of cryptographic keys. The HSM performs cryptographic operations (signing, decryption, key generation) without ever exposing the private key — it remains inside the hardware perimeter, protected by physical countermeasures (anti-intrusion sensors, automatic key zeroisation on any tampering attempt).

HSM certifications: to be qualified under the eIDAS regulation, an HSM must meet strict standards — FIPS 140-2 level 3 or FIPS 140-3 level 3+ (US NIST standard), and/or Common Criteria EAL4+ (European standard). Common Criteria-certified HSMs are eligible to host qualified electronic signature (QES) keys and qualified timestamp keys. The European Trusted List references the authorised HSMs for each qualified provider.

Cloud HSM vs physical HSM: historically HSMs were dedicated appliances installed in private datacentres. Cloud providers now offer shared or dedicated HSMs as a service — AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM, alongside national HSMs operated by European QTSPs. The eIDAS 2.0 regulation explicitly recognises cloud HSMs for remote qualified signing.

HSM and encryption: beyond signing, HSMs protect database encryption keys, disk-encryption keys (BitLocker, FileVault, LUKS), root keys of internal PKIs, and application secrets. Key rotation, backup and revocation are managed via the PKCS#11 standard or proprietary interfaces.

Certyneo implementation: remote-signature cryptographic keys are hosted in Common Criteria EAL4+ HSMs operated by our qualified trust service provider (QTSP). No private key is ever accessible to Certyneo or its hosting partner — every signing operation goes through strong authentication of the signer and an API call to the HSM, which returns the signature without exposing the key. See also QSCD and cloud signature.

Frequently asked questions

What is an HSM (Hardware Security Module)?

An HSM is a dedicated, tamper-resistant hardware device that generates, stores and uses cryptographic keys inside certified hardware. The private keys never leave the module in clear form, which is why HSMs underpin the trust of qualified electronic signatures and seals.

What is an HSM used for?

In a signature platform the HSM holds the signing keys and performs the cryptographic signing operation itself, so the key material is never exposed to the application server. HSMs are also used to protect TLS keys, PKI certificate authorities, payment processing and database encryption.

What is the difference between an HSM and software key storage?

A software keystore keeps keys in a server's memory or disk, where a single breach can copy them. An HSM keeps keys inside certified, tamper-resistant hardware (FIPS 140-2/3, Common Criteria EAL4+) and only ever exposes signing or decryption operations, never the keys themselves.

Is an HSM required for a qualified electronic signature under eIDAS?

Yes. Under eIDAS a qualified electronic signature must be created with a Qualified Signature Creation Device (QSCD). In practice the QSCD is a certified HSM operated by the qualified trust service provider, which protects the signer's key to the regulation's highest standard.

What is a cloud HSM?

A cloud HSM is a certified hardware module delivered as a managed service, giving an organisation HSM-grade key protection without operating the hardware itself. Remote qualified signing relies on cloud HSMs held by the trust service provider.

Ready to put these concepts into practice?

Certyneo allows you to create eIDAS-compliant signature envelopes in a few clicks, without installation.