eIDAS and SAM
This section explains how Securosys Primus HSM and CloudHSM can help you build secure and compliant solutions for eIDAS.
The European Union's eIDAS regulation (Electronic Identification, Authentication, and Trust Services) establishes a common legal framework for electronic identification (eIDs) and trust services (electronic signatures, seals, timestamps, and website certificates) in the European single market.
Among other things, the eIDAS regulation aims to achieve:
- Interoperability of eID and trust service schemes across borders.
- Legal equivalence of electronic signatures to hand-written signatures on paper.
To reach these goals and maintain trust, high security standards are required to protect the secret signing keys. Notably, these security requirements cannot be achieved with software alone. They require tamper-protected hardware, strict access control, and secure operating procedures.
eIDAS-compliant solutions fall into two deployment categories:
- Local: Secret key material is kept locally on small devices such as USB security tokens or smart cards. However, this decentralized approach places the burden on users to manage these devices, install companion software to use them, and, most of all, not lose them.
- Remote: Secret key material is kept centrally on a Hardware Security Module (HSM). This is more convenient for users, since they don't need additional hardware and can log in via a simple mobile app or web interface. It also increases reliability and availability, since HSMs can be set up in a geo-redundant high-availability cluster and are professionally managed by a Qualified Trust Service Provider (QTSP). Usually, the HSM is a network appliance with a lot of storage and high performance, capable of serving hundreds of thousands of users.
HSMs for QTSPs
This is where Securosys comes in. On-premises Primus HSMs or Securosys CloudHSM enable QTSPs to build high-performance trust services compliant with eIDAS. Notably, Securosys HSMs provide both the Cryptographic Module (CM) and the Signature Activation Module (SAM) in a single box. The CM and the SAM are the core building blocks of any remote signing architecture for Qualified Electronic Signatures.

For more details on the deployment architecture, see the How It Works guide.
Benefits of Using a Primus HSM for eIDAS
- Supports personal Qualified Electronic Signatures and Qualified Electronic Seals for organizations.
- Qualified Electronic Seals: Define m-of-n policies to require multiple people to come together to sign on behalf of a company or institution.
- Comply with the eIDAS technical standards: Primus HSM is tamper-protected and Common Criteria certified.
- No need for an external SAM solution: The built-in Smart Key Attributes (SKA) feature can be used to control access to the signing keys.
- High performance and high availability: Up to 30 GB of storage space, scaling to millions of transactions per second in a clustered setup.
- Future-proof: Includes support for Post Quantum Cryptography (PQC).
Getting Started
- Read the white paper for a high-level background on eIDAS.
- Read the How It Works guide for a technical explanation of building eIDAS solutions with Primus HSMs.
- Follow the installation guide for setting up a Primus HSM for your eIDAS application.
- Look up the abbreviations in the glossary.