Configuring HSM for Key Storage

Overview

Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never leave the device boundary, providing the highest level of key protection. This skill covers configuring HSMs using the PKCS#11 standard interface, including key generation, signing, encryption, and key management using both physical HSMs and SoftHSM2 for development.

Objectives

• Configure SoftHSM2 as a development PKCS#11 provider
• Generate and manage keys inside the HSM via PKCS#11
• Perform cryptographic operations (sign, verify, encrypt, decrypt) using HSM-resident keys
• Implement HSM-backed certificate authority operations
• Configure key access policies and user authentication
• Interface with cloud HSM services (AWS CloudHSM, Azure)

Key Concepts

HSM Compliance Levels

PKCS#11 Architecture

Application --> PKCS#11 API --> HSM Provider --> Hardware HSM
                                    |
                              (SoftHSM2 for dev)

Key Objects in PKCS#11

Security Considerations

• Never export private keys from HSM (use CKA_EXTRACTABLE=False)
• Use separate slots/partitions for different applications
• Implement multi-person key ceremony for CA root keys
• Enable audit logging for all HSM operations
• Implement HSM backup and disaster recovery
• Use strong PINs and enable SO (Security Officer) PIN

Validation Criteria

• SoftHSM2 initializes with token and user PIN
• AES key generates inside HSM
• RSA key pair generates inside HSM
• Encryption/decryption uses HSM-resident keys
• Signing/verification uses HSM-resident keys
• Keys cannot be exported (non-extractable)
• Key listing shows all HSM-stored objects