Glossary term · H
HSM (Hardware Security Module)
Definition
An HSM (Hardware Security Module) is a tamper-resistant physical device dedicated to the secure generation, storage and use of cryptographic keys. The HSM performs cryptographic operations (signing, decryption, key generation) without ever exposing the private key — it remains inside the hardware perimeter, protected by physical countermeasures (anti-intrusion sensors, automatic key zeroisation on any tampering attempt).
HSM certifications: to be qualified under the eIDAS regulation, an HSM must meet strict standards — FIPS 140-2 level 3 or FIPS 140-3 level 3+ (US NIST standard), and/or Common Criteria EAL4+ (European standard). Common Criteria-certified HSMs are eligible to host qualified electronic signature (QES) keys and qualified timestamp keys. The European Trusted List references the authorised HSMs for each qualified provider.
Cloud HSM vs physical HSM: historically HSMs were dedicated appliances installed in private datacentres. Cloud providers now offer shared or dedicated HSMs as a service — AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM, alongside national HSMs operated by European QTSPs. The eIDAS 2.0 regulation explicitly recognises cloud HSMs for remote qualified signing.
HSM and encryption: beyond signing, HSMs protect database encryption keys, disk-encryption keys (BitLocker, FileVault, LUKS), root keys of internal PKIs, and application secrets. Key rotation, backup and revocation are managed via the PKCS#11 standard or proprietary interfaces.
Certyneo implementation: remote-signature cryptographic keys are hosted in Common Criteria EAL4+ HSMs operated by our qualified trust service provider (QTSP). No private key is ever accessible to Certyneo or its hosting partner — every signing operation goes through strong authentication of the signer and an API call to the HSM, which returns the signature without exposing the key. See also QSCD and cloud signature.
HSM certifications: to be qualified under the eIDAS regulation, an HSM must meet strict standards — FIPS 140-2 level 3 or FIPS 140-3 level 3+ (US NIST standard), and/or Common Criteria EAL4+ (European standard). Common Criteria-certified HSMs are eligible to host qualified electronic signature (QES) keys and qualified timestamp keys. The European Trusted List references the authorised HSMs for each qualified provider.
Cloud HSM vs physical HSM: historically HSMs were dedicated appliances installed in private datacentres. Cloud providers now offer shared or dedicated HSMs as a service — AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM, alongside national HSMs operated by European QTSPs. The eIDAS 2.0 regulation explicitly recognises cloud HSMs for remote qualified signing.
HSM and encryption: beyond signing, HSMs protect database encryption keys, disk-encryption keys (BitLocker, FileVault, LUKS), root keys of internal PKIs, and application secrets. Key rotation, backup and revocation are managed via the PKCS#11 standard or proprietary interfaces.
Certyneo implementation: remote-signature cryptographic keys are hosted in Common Criteria EAL4+ HSMs operated by our qualified trust service provider (QTSP). No private key is ever accessible to Certyneo or its hosting partner — every signing operation goes through strong authentication of the signer and an API call to the HSM, which returns the signature without exposing the key. See also QSCD and cloud signature.
Related guides
Related terms
Ready to put these concepts into practice?
Certyneo allows you to create eIDAS-compliant signature envelopes in just a few clicks, with no installation required.