What is a Hardware Security Module (HSM)?
A tamper-resistant physical device that manages and protects cryptographic keys, performing encryption operations in a secure environment.
HSMs are dedicated hardware devices that safeguard the most sensitive cryptographic operations.
What They Do
- Generate, store, and manage cryptographic keys
- Perform encryption/decryption operations internally
- Keys never leave the HSM in plaintext
- Tamper-resistant: a detected physical attack zeroizes the keys rather than exposing them
Where They're Used
- Certificate Authorities (signing SSL certificates)
- Banks (processing financial transactions)
- Cloud providers (managing customer encryption keys)
- Government agencies (classified communications)
- Cryptocurrency exchanges (securing hot wallets)
Consumer Equivalents
- YubiKey: A miniature HSM for personal authentication
- Trezor/Ledger: Hardware wallets are essentially HSMs for cryptocurrency keys
- TPM (Trusted Platform Module): An HSM built into most modern computers
Why It Matters
Software-based key storage is vulnerable to malware, memory dumps, and side-channel attacks. HSMs provide a hardware root of trust that software alone cannot achieve.
Related Terms
Encryption
The process of converting information into a code to prevent unauthorized access. Encryption transforms readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and key. Only those with the correct key can decrypt and read the original data.
Hardware Security Key
A physical device used for authentication that provides the strongest form of two-factor authentication. Hardware keys resist phishing because each credential is bound to the origin of the site it was registered with, so a lookalike site cannot obtain a valid response.
Key Wrapping
A technique for encrypting cryptographic keys using another key, protecting keys at rest and during transport.