
Questions tagged [hsm]

An abbreviation for Hardware Security Module, a security device that is compliant with the PKCS11 standard and provides secure storage for data, especially private keys.

4 votes
4 answers
650 views

Roughly speaking HSM is supposed to ingest or generate some secret material (key) and then never export them through the command interface. The keys can only be used according to their configured ...
user1641237's user avatar
2 votes
0 answers
154 views

I want to understand key-protection approaches from an implementation standpoint choices against physical-security on general-purpose devices. Assume levels similar to FIPS 140: L1: None → Low, L2: ...
t3kt0n1c's user avatar
0 votes
1 answer
231 views

If TLS is disabled on a network-attached Hardware Security Module (HSM), but the device still enforces: IP-based access control (only whitelisted client IPs can connect), and PKCS#11 slot PIN ...
user's user avatar
  • 101
0 votes
1 answer
134 views

I'm trying to understand the interaction between NGINX and a Hardware Security Module (HSM) during TLS offloading, particularly in relation to session key handling. Here's my current understanding: ...
Latte Xu's user avatar
8 votes
5 answers
2k views

TL;DR What is the point of having hardware based HSM/FIPS based protection for the private key when the ability to sign is "only" protected by credentials / API keys? Background In the past, ...
Martin's user avatar
  • 1,519
0 votes
1 answer
212 views

I'm trying to set up an Nginx proxy that uses a private key stored in SoftHSM through a SSH socket connection. The setup is as follows: [SoftHSM Container] -----ssh -R ...... --> [Nginx Proxy ...
Latte Xu's user avatar
0 votes
0 answers
164 views

I'm trying to securely encrypt and decrypt data using a biometric info, i.e. a fingerprint, on a Raspberry PI. From my prior research, I have found that I need an HSM, since fingerprints cannot be ...
Ezlanding's user avatar
  • 125
-1 votes
1 answer
288 views

I'm trying to make a device that will encrypt and store data. It should require a master password at startup, but then shouldn't need anything else to decrypt the data throughout the lifetime of the ...
Ezlanding's user avatar
  • 125
1 vote
0 answers
162 views

I am trying to follow this tutorial https://p11-glue.github.io/p11-glue/p11-kit/manual/remoting.html , but there are many points making me confused. Which side is pkcs11 server? It said "Setting ...
Latte Xu's user avatar
1 vote
0 answers
150 views

I am setting up a nginx proxy. It requires to use HSM for TLS offloading. So I configure nginx that enables ssl_engine pkcs11;; instead of indicating ssl_certificate_key file path, I use pkcs11 URI to ...
Latte Xu's user avatar
0 votes
0 answers
100 views

I am trying to find the locations on the embedded devices with micros that don't support HSM/SHE. What are the ideas/suggestions for storing the symmetric keys? I found solutions that suggest using ...
user3814614's user avatar
1 vote
0 answers
305 views

I'm a bit confused with PKCS11 (v3) standard... In particular, it's blurry to me if one can invoke C_DeriveKey, passing, say, CKM_SHA512_KEY_DERIVATION (or some HKDF) to it as the mechanism and also ...
Nikita Kalinichenko's user avatar
0 votes
1 answer
310 views

I need to store a large amount of AES keys and provide an API to decrypt user-provided ciphertext. The application flow is as follows: The user authenticates The user makes a POST request with some ...
Riccardo Salve's user avatar
1 vote
1 answer
1k views

I need to use the CVK Key (in key block format) to calculate the CVV2. In the past, I have always used single keys in variant format for this purpose (CVKa + CVKb), and the calculation procedure is ...
MaXbeMan's user avatar
1 vote
1 answer
785 views

We have a concern about a key export. We completed the migration to Key Block LMK in our environment (with HSM Thales 10K). Now, we have to exchange keys with third-parties that still use Keys in ...
MaXbeMan's user avatar
