Hardware Security Module Overview

This topic only applies to Secret Server On-Premises.

Hardware Security Modules (HSMs) are specialized hardware devices designed to securely manage, process, and store cryptographic keys. Integrating HSMs with Secret Server enhances the security of secret management by providing a secure environment for cryptographic operations and key management. This integration offers several benefits, including enhanced security, compliance with regulatory requirements, and optimized performance for cryptographic operations.

Secret Server integrates with hardware security modules (HSMs). When Secret Server is configured to use an HSM, the Secret Server encryption key is protected by that HSM.

HSMs offer several security features that traditional servers cannot. Depending on the model and design, most HSMs are built to be physically tamper-resistant. An HSM may also be an independent appliance on the network, which allows it to be placed in a more secure physical location than would be practical for a server.

To provide broad support for HSMs, Secret Server supports any HSM that can be configured with Microsoft's Cryptography Next Generation (CNG) provider or Public-Key Cryptography Standards #11 (PKCS #11). CNG is a layer provided by Windows Server 2008 and later that HSM manufacturers can interface with. PKCS #11 is an API provided by each HSM vendor that Secret Server can interface with to perform cryptographic operations. If your HSM properly supports CNG or PKCS #11 and supports compatible algorithms, Secret Server can use it.
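The following is an added illustration of the CNG integration point described above; it is example code, not Secret Server's own implementation. It shows the pattern an application follows when an HSM protects its encryption key: the application asks the HSM's CNG key storage provider (KSP) for an RSA key that is created non-exportable, so the private half never leaves the device, and uses that key only to wrap and unwrap the data-encryption key. Only the wrapped blob is ever persisted. The provider name, key name and key usage are assumptions; the real KSP name comes from the HSM vendor's CNG documentation.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example, not Secret Server's own code. Demonstrates keeping an
// application's data-encryption key wrapped by an HSM-resident CNG key.
public static class HsmKeyWrapExample
{
    // ASSUMPTION: the vendor's CNG key storage provider name. The real name
    // comes from the HSM vendor's CNG documentation.
    private const string ProviderName = "Example Vendor Key Storage Provider";

    // ASSUMPTION: the name of the wrapping key held inside the HSM.
    private const string WrappingKeyName = "SecretServerWrappingKey";

    // Opens the HSM-resident RSA wrapping key, creating it once if it is absent.
    // CngExportPolicies.None means the private key can never be exported.
    public static CngKey OpenOrCreateWrappingKey()
    {
        var provider = new CngProvider(ProviderName);
        if (CngKey.Exists(WrappingKeyName, provider))
            return CngKey.Open(WrappingKeyName, provider);

        var parameters = new CngKeyCreationParameters
        {
            Provider = provider,
            KeyUsage = CngKeyUsages.Decryption,
            ExportPolicy = CngExportPolicies.None,
        };
        // "Length" is the NCrypt property that sets the RSA modulus size in bits.
        parameters.Parameters.Add(
            new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.None));
        return CngKey.Create(CngAlgorithm.Rsa, WrappingKeyName, parameters);
    }

    // Generates a fresh 256-bit data-encryption key and wraps it with the HSM key.
    // Only the returned wrapped blob is stored; the plaintext key stays in memory.
    public static byte[] WrapNewDataKey(CngKey wrappingKey, out byte[] plaintextKey)
    {
        plaintextKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(plaintextKey);
        using (var rsa = new RSACng(wrappingKey))
            return rsa.Encrypt(plaintextKey, RSAEncryptionPadding.OaepSHA256);
    }

    // Unwrapping runs inside the HSM; the application only receives the result.
    public static byte[] UnwrapDataKey(CngKey wrappingKey, byte[] wrappedKey)
    {
        using (var rsa = new RSACng(wrappingKey))
            return rsa.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
    }

    public static void Main()
    {
        using (CngKey key = OpenOrCreateWrappingKey())
        {
            byte[] wrapped = WrapNewDataKey(key, out byte[] original);
            byte[] recovered = UnwrapDataKey(key, wrapped);
            Console.WriteLine(original.SequenceEqual(recovered)
                ? "Data key round-trips through the HSM wrapping key."
                : "Mismatch: check provider and key configuration.");
        }
    }
}
```

Two practical notes follow from this pattern. First, constructing a `CngProvider` with an unregistered name does not fail by itself; the error surfaces as a `CryptographicException` from `CngKey.Exists` or `CngKey.Open`, which is the quickest way to confirm on a given server that the vendor's CNG provider is actually installed. Second, because the wrapping key is non-exportable, losing the HSM (or the key inside it) makes every wrapped blob unrecoverable, so the vendor's key backup or replication procedure is part of the deployment, not an afterthought. With a PKCS #11 HSM the same design is expressed through the vendor library's `C_WrapKey` and `C_UnwrapKey` calls instead of CNG.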

Turning off HSM (deselecting the check box) in Secret Server may cause a "Server connection unavailable" error. If this happens, manually restarting IIS should resolve it.

CNG provider installation and configuration varies from HSM to HSM; however, each HSM vendor provides documentation on how to correctly install its CNG provider or set up PKCS #11.

Key Benefits of HSM Integration

  1. Enhanced Security: HSMs significantly reduce the risk of key compromise by using a hardware-based solution for key management. They are often designed to be physically tamper-proof and can be placed in secure locations.
  2. Compliance: HSMs meet stringent security standards and compliance requirements, helping organizations adhere to regulatory mandates.
  3. Performance: HSMs are optimized for cryptographic operations, providing high performance and reliability.

Supported HSMs and Standards

Secret Server supports any HSM that can be configured with Microsoft's Cryptography Next Generation (CNG) provider or Public-Key Cryptography Standards #11 (PKCS #11). Some of the compatible HSMs include:

  • Amazon CloudHSM
  • Entrust nShield HSM
  • Securosys Primus-E20
  • Thales Luna Network HSM
  • Utimaco CryptoServer
  • Yubico YubiHSM 2

By integrating HSMs with Secret Server, organizations can achieve a higher level of security and compliance for their secret management processes.