

This document describes how to easily integrate Securosys CloudHSM (HSM as a service) or an on-premises Primus HSM cluster with CyberArk Privileged Access Manager (CyberArk Digital Vault). The integration brings the advantages of secure key generation and storage on the HSM and helps you comply with regulatory requirements.

CyberArk's Privileged Access Manager - Self-Hosted is a full life-cycle solution for managing the most privileged accounts and SSH keys in the enterprise. It enables organizations to secure, provision, manage, control and monitor all activities associated with all types of privileged identities, such as:

  • Administrator on a Windows server,
  • Root on a UNIX server,
  • Embedded passwords found in applications and scripts.

Integrating Securosys CloudHSM or Primus HSM with the CyberArk PAM solution provides an array of benefits, including:

  • Highest-grade secure hardware storage, protection and True-RNG key generation,
  • Full life cycle management of all keys stored on your HSM or HSM partition.

The CyberArk PAM integration with Securosys CloudHSM or Primus HSM requires the installation of the Primus PKCS#11 Provider on the CyberArk server.

Securosys CloudHSM is a Hardware Security Module (HSM) available as a cloud service. You do not have to worry about time-consuming tasks such as evaluation, setup, operation, redundancy, and maintenance of the HSM infrastructure, and the service scales according to your needs. The redundant cluster architecture, which ranges from different redundant regions up to a redundant worldwide cluster, fits perfectly in CyberArk’s Vaulting Technology®.

Target Audience

This document is intended for Securosys Primus HSM or CloudHSM administrators and IT professionals in charge of the CyberArk PAM administration. Installation of the Securosys Primus PKCS#11 Provider requires that you are already familiar with Microsoft Windows Server administration.

For on-premises operation, administrative skills for Securosys Primus HSMs are required.

Support Contact

If you encounter a problem while installing/configuring the provider or integrating the HSM with the plugins, make sure that you have read the referenced documentation. If you cannot resolve the issue, please contact Securosys Customer Support. For specific requests regarding Securosys Docker Image Signing and Encryption plugins, the Securosys Support Portal is reachable under

What's Next

For a smooth start integrating your CyberArk PAM Vault using the Primus PKCS#11 Provider:

  • Consult the Quick Start Guide for a comprehensive task listing.
  • For detailed instructions, read and follow the Installation guide.
  • Secure CyberArk Vault Server Keys using CloudHSM or Primus HSM following the Tutorial section.