Using HSM-protected encryption keys
In connection with (or as an alternative to) the Venafi Platform software key, Trust Protection Platform allows you to use AES encryption keys stored on supported and compatible hardware security modules (HSMs).
An HSM is a dedicated, physical device designed to securely manage, process, store, and even generate cryptographic keys. HSMs are used to enhance the security of sensitive data and cryptographic operations in many industries.
Key characteristics and functions of an HSM include:
- Secure key management
- Safe cryptographic operations
- Tamper resistance
- Compliance and certification with industry standards
- Access controls
- Backup and recovery
HSMs are specialized devices that provide a secure environment for cryptographic operations and key management, significantly enhancing the security posture of any organization that handles sensitive data and transactions.
An HSM must be properly connected to each server in the cluster. The connection information for the HSM is stored in encrypted form in each server's Windows Registry and in the database's Secret Store. When you change the HSM configuration settings in VCC, the change is communicated to all other servers in the cluster, and each server updates its own Windows Registry settings accordingly. You therefore don't need to repeat HSM configuration changes on every server in the cluster.
IMPORTANT If you elect to use a hardware security module (HSM) to protect your assets in Trust Protection Platform, you must ensure that you use your HSM vendor's documented method to back up the keys. In addition, if you use Venafi Platform software encryption, you should ensure the software key is backed up. For information on backing up the software key, see Backing up the software encryption key.
What's next?
- If you want to learn about remote vs. central key generation, start with Supported methods of key generation, then review Hardware central key generation with Venafi Advanced Key Protect and Hardware remote key generation with Venafi Advanced Key Protect.
- Do you need to pick an HSM vendor? See Supported HSMs in our System Requirements to find out which HSMs are supported and which are compatible with Trust Protection Platform.
- Are you ready to connect Trust Protection Platform to an HSM? You'll need the vendor's documentation, but we provide an overview of the process in HSM Configuration.
- Are you wondering how to create an HSM connector in VCC? You'll find that in Creating a HSM connector. Don't forget to enable it in Policy Tree once the HSM software has been installed and tested on all servers in the cluster.