
Primus HSM - Key Encryption Key

As the name suggests, the Key Encryption Key (KEK) is used to encrypt all encryption keys, as well as all data files and certificates. The KEK is stored in a special, highly protected, non-traceable memory vault. The KEK is erased in the following cases:

  • A factory reset is performed
  • A tamper event occurs
  • Zeroization occurs
  • The Primus HSM is without power for an extended period of time (approximately five years)

Once the KEK is erased, all data files, encryption keys, and certificates are lost, because they can no longer be decrypted. The Primus HSM then has to be set up anew.

Because events that erase the KEK can occur, it is essential, at minimum for encryption/decryption applications, to set up at least two devices: one Master and one Clone device. See High Availability for more information about clustering the Primus HSMs.
