What is CloudHSM?

CloudHSM is a managed HSM service offered by Securosys that provides cloud-based Hardware Security Modules (HSMs) to securely generate and use encryption keys with your applications. CloudHSM operates on a patented proprietary hardware and software architecture, meticulously crafted and sustained in-house, ensuring end-to-end control without any intermediaries.

CloudHSM is available with dedicated HSMs, or as a shared service on multi-tenancy HSMs, either as a Global cluster or as a Regional Swiss, Europe, North America, or Asia-Pacific cluster. For redundancy and availability, these HSMs are deployed in a cluster that keeps all data synchronized across multiple HSMs. With this setup, CloudHSM can offer any organization local, regional, and global HSM clusters, providing access points in different locations, reducing latency and offering the service within the subscriber's jurisdiction.

CloudHSM can be used for various purposes, such as Public Key Infrastructures, Key Management, Identity and Access Management, Data Encryption, TLS termination, Document Signing, Code Signing, or Crypto Custody applications. The HSM cluster is accessible over the internet to authenticated subscribers. As a subscriber, you create, manage, and use the cryptographic keys within your partition yourself and retain full control over your key material. The CloudHSM service and the underlying HSM cluster are operated and maintained by Securosys.

By using the Decanus Terminal’s Partition Administration functionality, you don’t need to trust anyone else: you fully control access to your own partition, make configuration changes, download backups, and can even disable HSM administrator access to your partition. This way you get all the security advantages of your own HSM without the overhead and costs.

CloudHSM comprises the following services:

  • HSM as a Service (HSMaaS), including:
    • a multi-tenancy HSM; or
    • a dedicated HSM owned and operated by Securosys; or
    • a customer owned HSM operated by Securosys; or
    • a multi-tenancy HSM for Bring Your Own Key purpose (BYOKaaS)
  • Transaction Security Broker as a Service (TSBaaS)
  • REST API as a Service (RESTaaS)
  • Double Key Encryption as a Service (DKEaaS)

Cryptographic Features

CloudHSM offers a range of cryptographic features:

  • Generate cryptographically secure random data.
  • Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs.
  • Use symmetric and asymmetric algorithms to encrypt and decrypt data.
  • Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs).
  • Cryptographically sign data (including code signing) and verify signatures.
  • Generate certificates with HSM-backed keys for enhanced security.
  • Implement file encryption based on ECIES for secure data handling.
  • Key Attestation to provide proof of a key's origin and attributes.
  • Leverage Smart Key Attributes for multi-signature and multi-authorization functionality.
  • Cryptocurrency algorithms, such as those used by Bitcoin, Ethereum, Cardano, Ripple, or IOTA.
  • Post-Quantum Cryptography algorithms designed to resist future quantum computing threats, for long-term data protection.

The functionalities listed above are not exhaustive and depend on the subscribed service package and options, as well as the selected partition security policy settings.

API Integration of your Choice

CloudHSM offers a REST API and a wide range of Primus API Providers (client API software and libraries) that are installed on the application server, secure the communication with the HSM, and provide automatic failover and load balancing.

Subscribers are free to choose the API that best suits their requirements from:

Service Packages

CloudHSM is a very flexible HSM as a Service offering. You can choose between Economic Services, where HSMs are shared by multiple tenants, each isolated in its own securely separated partition. Even if you operate HSMs yourself, our Sandbox Service can be a hassle-free alternative for a test and pre-production environment.

If you don't want your partitions to reside in a multi-tenant environment, the Platinum Service is the right choice for you. With Platinum, dedicated HSMs carry only your keys and data. Some of our subscribers even buy HSMs to attain full custody and then have them run and operated within our CloudHSM service, managed by Securosys.

The Securosys CloudHSM service can be further tailored to your needs. Mixed-mode operation with on-premise HSMs combined with CloudHSM is possible. You may also upgrade from a multi-tenant service to dedicated HSMs.