
Primus HSM - Features & Customization Options

Primus HSMs support a multitude of features. The most common features are supported without any additional licensing. Additional options are available for more specific use cases.

Features

Various Models

Primus HSMs combine scalable performance with enterprise-grade flexibility in a compact network appliance, making them suitable for organizations of all sizes. They offer a strong performance-to-price ratio, from entry-level to high-performance models. With local key storage up to 30 GB (plus optional external storage), they support millions of keys. For multi-tenant deployments, the Primus CyberVault supports up to 1,000 isolated partitions, each with dedicated keys, users, policies, and remote access via Decanus Terminal — ensuring secure, scalable, and cost-efficient operation.

Explore the Primus HSM models

Secure HSM Access

Ensure strong protection for your cryptographic operations with a secure, AES-256-GCM encrypted connection between the Primus API Provider and the Securosys Primus HSM. This client-side integration guarantees high-assurance, end-to-end security for all communications.

Secure Storage and Control of Key Usage

Securosys Primus HSM provides features to protect keys from export, import, or deletion at the level required by your use case. Keys are typically generated within the HSM, but they can also be imported if your security policy requires it. In either case, they are controlled by the security policy settings of the HSM Partition.

Depending on the requirements, deletion of keys can be prevented by setting the Partition security policy to read-only or by using Key Invalidation, a unique feature of Primus HSMs. When using Key Invalidation, a key deleted via the API is only marked as invalidated but remains stored in the HSM until deleted by the Security Officers. Key Invalidation is a very effective measure to protect against accidental key deletion and to enforce the principle of multistage control.

Cryptographic Agility and Set of Algorithms

Among many cryptographic schemes, Securosys Primus HSM supports symmetric (AES, 3DES, Camellia, ChaCha, Poly1305), asymmetric (RSA, ECC, Diffie-Hellman), hashing (SHA-2, SHA-3) and PQC algorithms.

View the list of algorithms and functions.

Primus HSM guarantees full crypto agility due to its dynamic architecture.

If any cryptographic algorithm becomes obsolete or a new standard emerges, the crypto-agile architecture allows the HSM to be upgraded through a firmware update, ensuring continued compliance and security.

Roles and Access Control

Primus HSMs provide different roles and access control to allow for planned and secure access management. Some of these roles allow for m-out-of-n authentication.

See the Roles and Access Control tutorial for more information.

The Decanus Terminal provides the option to manage multiple Primus HSMs or HSM partitions remotely.

VaultContainers

The Securosys VaultContainers platform is a secure runtime subsystem running inside the HSM. It enables Securosys-provided containers to be loaded into the HSM and enhance the security of your systems.

Running these containers inside the HSM allows the different containers to communicate directly with the Partitions and each other. The platform allows for multiple containers to run concurrently within the same HSM. Clients can decide on the number of containers they load and the composition - choose from VaultCode, TSB, KMS and more in the near future.

The VaultContainers platform is part of the CyberVault HSM base license.

CyberVault HSM with VaultContainers

VaultCode

One such container is VaultCode, allowing clients to execute custom code with HSM-backed security and attestation.

The custom code is uploaded to VaultCode as .jar executables.

VaultCode generates signed evidence (an attestation) of its environment, the time, the code being executed, and the output. This provides a verifiable statement about the code's integrity and behavior.

Learn more about VaultCode.

High Availability and Failover

High Availability (HA) ensures that multiple Primus HSMs work together to provide continuous cryptographic service without interruption. By clustering multiple HSMs, other HSMs can continue processing requests when an HSM fails or is taken offline. The HSMs in a cluster constantly synchronize their keystores and their settings. This setup enables load balancing and redundancy, minimizing the risk of downtime.

Additionally, the manual cloning feature enables the creation of offline clones that are created once and don't synchronize with the rest of a cluster.

See the High Availability tutorial for more information.

Backup

With Securosys Primus HSMs, the data is synchronized between all the HSMs within the HA cluster, thus offering a high degree of redundancy. Even so, backups are recommended for business continuity and the Securosys Primus HSMs allow for them.

Primus HSM backups can be restored on the same Primus HSM device fully or selectively when required. Backups can also be used to restore an obsolete device to a new one for cases where the obsolete device is no longer operational.

See the Backup and Restore tutorial for more information.

Application Integration

Securosys Primus HSMs provide a wide selection of Application Program Interfaces. They can be used with almost any business application, ranging from Identity Access Management, Public Key Infrastructure, strong authentication, database encryption, and electronic signature to raw data encryption and blockchain validation.

To see all available integrations, visit the solutions explorer.

Attestation and Audit Functionality (Key Attestation)

Key Attestation enables third parties to verify that a key is securely stored in a Primus HSM. This streamlines audits: historically, you needed a paper trail of the entire history of how your keys were created, stored, and managed. With key attestation, you can prove that a key was generated inside a Primus HSM and has never been extracted.

Key attestation works by signing a statement about the key, its metadata, and the HSM environment. The signature can be verified with a certificate chain that leads up to the Primus HSM Root Certificate. This root certificate links the chain of trust to the hardware and to Securosys as the manufacturer. For more details on the verification process, see the Audit and Attestation application notes.

See the Key Attestation tutorial for more information.

Key Invalidation

Key invalidation creates a shadow copy of the key in a "trash bin" when the key is deleted. This prevents accidental deletion of valuable keys via the API. The Security Officer role in charge of the Partition can then in a manual step delete the invalidated keys, or in case of an unintended deletion can reactivate individual key(s).

See the Key Invalidation tutorial for more information.

Options

In addition to the default features available out-of-the-box, Securosys Primus HSMs also offer a range of optional features which require additional licensing or products.

Please contact sales to provide you with a quote.

Smart Key Attributes (SKA)

Securosys Smart Key Attributes provide fine-grained authorization and usage rules for private keys. For example, applications can define an authorization policy for the private key by using quorums, timelocks, and timeouts. Additionally, the application can set traditional key attributes to limit key usage to certain operations (sign, decrypt, unwrap).

Consider a PKI where you want to enforce that the CA root key can only be used under certain conditions. With SKA, you can assign a policy to the CA root key that this key can only be used if 3 out of 5 supervisors (e.g. representatives of different departments identified by their public keys) approve the operation within a given time frame.

Learn more about Smart Key Attributes (SKA) or visit our Smart Key Attributes (SKA) product page.

Transaction Security Broker (TSB)

The integration of the Smart Key Attributes (SKA) requires creating approval workflows. The Transaction Security Broker (TSB) is designed to make it easier to build these workflows. When the TSB receives a key usage request from an application it notifies all supervisors (approval clients) of the pending task. Once enough approvals are given, the TSB forwards the key usage request to the Primus HSM. The HSM then verifies the approval signatures, and if the SKA policy is satisfied, the HSM executes the request.

Learn more about the Transaction Security Broker (TSB).
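
The check described in the SKA and TSB sections above (a 3-out-of-5 quorum of supervisors, identified by public keys, approving one specific request within a time frame) can be modelled as follows. This is an added example, not Securosys code and not the SKA or TSB API: the Ed25519 keys, the approval message layout, and the names Approval, msg, Satisfied and Demo are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"time"
)

// Approval is one supervisor's signature over (approval time || request bytes).
type Approval struct {
	Signer ed25519.PublicKey
	At     time.Time
	Sig    []byte
}

// msg binds an approval to the exact request bytes and to its timestamp.
func msg(req []byte, at time.Time) []byte {
	return append(binary.BigEndian.AppendUint64(nil, uint64(at.Unix())), req...)
}

// Satisfied: did quorum distinct enrolled keys validly approve req within window of created?
func Satisfied(enrolled map[string]bool, quorum int, window time.Duration, req []byte, created time.Time, aps []Approval) bool {
	seen := map[string]bool{}
	for _, a := range aps {
		late := a.At.Before(created) || a.At.After(created.Add(window))
		if enrolled[string(a.Signer)] && !late && ed25519.Verify(a.Signer, msg(req, a.At), a.Sig) {
			seen[string(a.Signer)] = true // a repeated signer counts once
		}
	}
	return len(seen) >= quorum
}

// Demo: constructed 3-of-5 policy, 1h window; signers are supervisor indexes signing "sign sub-CA CSR".
func Demo(signers []int, delayMin int, checked string) bool {
	enrolled, pubs, privs := map[string]bool{}, make([]ed25519.PublicKey, 5), make([]ed25519.PrivateKey, 5)
	for i := range privs {
		pubs[i], privs[i], _ = ed25519.GenerateKey(nil) // throwaway demo keys
		enrolled[string(pubs[i])] = true
	}
	created, aps := time.Unix(1700000000, 0), []Approval{}
	at := created.Add(time.Duration(delayMin) * time.Minute)
	for _, i := range signers {
		aps = append(aps, Approval{pubs[i], at, ed25519.Sign(privs[i], msg([]byte("sign sub-CA CSR"), at))})
	}
	return Satisfied(enrolled, 3, time.Hour, []byte(checked), created, aps)
}

func main() { fmt.Println(Demo([]int{0, 2, 4}, 10, "sign sub-CA CSR"), Demo([]int{0, 0, 1}, 10, "sign sub-CA CSR")) }
```

In this model the approval time is whatever the supervisor signed, so the verifier trusts the approver's clock. Three distinct approvals pass, while a duplicated signer, a late approval, or approvals replayed against a different request do not reach the quorum.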

Cryptocurrencies

Securosys Primus HSM supports several blockchain algorithms, with features tailored to meet the specific needs of various cryptocurrencies. It includes support for popular currencies such as Ethereum (ETH), Bitcoin (BTC), Cardano (ADA), Ripple, IOTA, and others. Additionally, the system supports key derivation on asymmetric keys through a built-in SLIP-0010 (BIP32) mechanism, promoting secure and efficient key management.

View the list of supported cryptocurrencies.

Additionally, Primus HSM supports returning only the address (usually the hash of the public key) when generating a key pair. This ensures that the public key only leaves the HSM when the first signing operation is done. When combined with single-use addresses, this provides protection against the risk of a quantum computer computing the private key from the public key.

Post-Quantum Cryptographic (PQC) Algorithms

Securosys Primus HSM offers robust support for cutting-edge Post-Quantum Cryptographic (PQC) algorithms, ensuring enhanced security in the face of evolving threats. Among the supported algorithms are ML-DSA (CRYSTALS-Dilithium), ML-KEM (CRYSTALS-Kyber), SLH-DSA (SPHINCS+), HSS-LMS, and XMSS, providing advanced cryptographic capabilities that align with the latest security standards and protocols.

View the list of PQC algorithms.

HSM Remote Administration (Decanus)

Remote management of secure devices such as HSMs has always been a challenge—balancing safety, reliability, and cost-effectiveness. The Decanus solves this problem.

This remote control terminal enables HSM administrators to remotely manage up to 64 Primus HSMs, eliminating the need for frequent and costly trips to data centers.

Each Decanus must be manually paired with the HSM by the Security Officer (SO), ensuring that only authorized Decanus terminals can connect to the HSM. Since the Decanus is tamper-proof, any attempt to tamper with it will erase the pairing secrets.

See the Primus HSM - Device Management for more information.

Partition Administration (Decanus)

Partitions provide separation between multiple applications using the HSM. Each Partition is a dedicated space with separate key storage and separate security settings. This enables multi-tenant operations.

Partition Administration allows operators to control only a single Partition (as opposed to the whole HSM). This allows tenants to fully control and own their Partition. This includes:

  • Resetting application credentials
  • Changing the Partition's security configuration
  • Restoring and deleting invalidated keys
  • Exporting Partition logs
  • Backup and restore the Partition

Partition Administration is done by Partition Security Officers (PSOs) using the Decanus Terminal.

Example HSM Partition Remote Administration with CloudHSM Cluster

Timestamp Service

The Timestamp Service enables the generation of timestamps in compliance with RFC 3161, as required by the ETSI EN 319 422 standard. It covers the necessary operations to support timestamping services, allowing users to create tamper-proof records of the time and date when a document or transaction was signed.
