FAQ

CloudHSM

What is Securosys CloudHSM?

Securosys CloudHSM is a managed Hardware Security Module (HSM) service. It provides secure, cloud-based HSMs for generating and managing encryption and signing keys used by your applications.

CloudHSM allows you to leverage the security and performance of Securosys Primus HSMs, without having to worry about the day-to-day maintenance activities: from hosting hardware in multiple data centers, taking regular backups, managing Security Officer (SO) credentials, to deploying firmware updates.

How does CloudHSM work?

CloudHSM consists of a cluster of multiple geo-redundant Primus HSMs. Your business applications connect to CloudHSM over the network, same as they would connect to an on-premise Primus HSM cluster.

To learn more, see the Architecture section.

How can my application access and use CloudHSM?

Your applications can use CloudHSM to create, store, and use cryptographic keys (signing, decrypting, wrapping, ...).

Applications can connect to CloudHSM using one of the available APIs, such as REST, PKCS#11, or JCE.

How do I get started with Securosys CloudHSM?

1. Subscribe to a CloudHSM service.
2. Download the HSM credentials.
3. Install the API Provider alongside your application.
4. Configure your application with the HSM credentials.
5. Your application should now be able to access CloudHSM.

How do I terminate a Securosys CloudHSM service?

You can terminate a CloudHSM Service through the Cloud Console or by contacting Securosys Support.

Cloud Console

What is Cloud Console?

Cloud Console is a web application that provides access to a wide collection of services around Securosys CloudHSM in one single place. Using Cloud Console you can explore and subscribe to various CloudHSM solutions online with a few clicks. You can also manage your existing subscriptions.

Why do I need an account to access Cloud Console?

You need an account to:

• Receive HSM credentials
• Have a pricing offer tailored to your country/VAT

If you simply want to browse information, most of it is available:

• On our Company website
• In the CloudHSM Documentation

Billing

How will I be charged and billed?

When you subscribe online, you will be automatically charged on a monthly basis to the credit card selected during the subscription process.

If you subscribe via a Sales representative, you will be billed using your selected payment method.

You can cancel anytime.

Is there a Free Tier?

No, there is no free tier available. But there is a 90-day free trial for the CloudHSM Sandbox (SBX) service.

Do charges vary depending on how many keys I create or use?

No, the monthly fee does not depend on how much you use your HSM.

However, the number of keys you can create is limited by your partition size.

Provisioning and operations

Do I need to manage the firmware on my HSM?

No, the firmware is regularly updated by Securosys as part of normal maintenance.

Note that during firmware updates, an HSM will be temporarily unavailable. Therefore, it is important that you configure your application with a list of all HSMs in the cluster, so that it can automatically fail over to another HSM. CloudHSM devices are updated sequentially, therefore at least one device will always be available to service requests.

Do I need to create backups?

Securosys takes daily backups of the HSM, including all customer partitions.

If desired, you can also create Partition Backups yourself. This requires that you have onboarded to Partition Administration for your CloudHSM partition. This is subject to a cost.

For details, please see the Terms & Conditions.

Is there an SLA for Securosys CloudHSM?

Yes. Please see the Terms & Conditions for details.

Security and Compliance

Do I share my Securosys CloudHSM resources with other customers?

For most CloudHSM services, you receive access to a single HSM Partition. This Partition is unique to you. It has a separate keystore, separate security configuration settings, and separate logs. Multiple customers share the same underlying HSM hardware, but the Partitions are independent and cannot interact with each other.

If you require an HSM that is dedicated to you only, please consider the Platinum or HOS service packages.

Can I monitor my HSM?

You can retrieve the partition logs of your CloudHSM partition via the normal APIs (PKCS#11, JCE, etc.).

What happens if someone tampers with the HSM hardware?

HSMs are designed to detect tampering. They will rather destroy all data that they store, than let an unauthorized person access the keystore. Therefore, if someone were to gain access to a CloudHSM data center and would try to tamper with the HSM, the Primus HSM will wipe itself.

For business continuity, every CloudHSM service is operated in a cluster of at least three (3) devices. This ensures that even if one HSM goes down, the others are still available and hold a copy of the keystore.

Do I lose my keys if a single HSM fails?

No. The CloudHSM services are operated in a cluster of at least three (3) devices. Keys created on one HSM are automatically synchronized to the other HSMs. Additionally, Securosys takes daily backups.

Does Securosys CloudHSM services support FIPS 140-2 Level 3?

Yes, Securosys CloudHSM is powered by physical Primus HSMs, which are FIPS 140-2 Level 3 Certified.

View all certifications.

Why is FIPS 140-2 Level 3 important?

FIPS 140-2 Level 3 indicates that the HSMs have strong physical security, controlled access, and robust key management practices, making it suitable for protecting sensitive information.

Performance and capacity

How many cryptographic operations per second can CloudHSM perform?

The performance varies by service package and type of operation. For example, signing with RSA is much faster than generating an RSA key. Similarly, elliptic curve signing is faster than RSA signing.

How many keys can be stored in a CloudHSM Cluster?

This varies on your partition size and the type of keys. For example, an AES-256 key is much smaller than an RSA-4096 key or an ML-DSA-65 key.

Migrating to CloudHSM

Can I migrate from another HSM vendor to CloudHSM?

It is possible to import keys into Primus HSM (and thus into CloudHSM). The recommended way is to:

1. Generate a new wrapping key on Securosys CloudHSM.
2. Transfer the wrapping key to your old HSM.
3. Export your keys, securely wrapping them using the wrapping key.
4. Import the wrapped keys into Securosys CloudHSM, which will unwrap them.

Wrapping ensures that your keys are never exposed as they travel between HSMs.

However, this requires that your keys have been marked as extractable when you generated them on your original HSM.

Please contact us and we will be happy to advise you on your use case.

Can I migrate from an on-premise Primus HSM to CloudHSM (or back)?

Generally yes, with some exceptions. Please see the migration guide for details.

Support and maintenance

Does Securosys CloudHSM have scheduled maintenance windows?

Maintenance windows are announced on the CloudHSM status page.

I am having a problem with Securosys CloudHSM. What do I do?

• Use the Search feature of this documentation to find the answer.
• Ask the chatbot on this documentation site.
• Open a ticket on the Support Portal.