KMS and HSM – a Match Made in Heaven

Rob Stubbs
Aug 28, 2025

A Key Management System (KMS) is a critical part of any modern enterprise's security tool suite, while Hardware Security Modules (HSM) are increasingly used to improve the quality and protection of cryptographic keys. Combining an HSM with a KMS delivers the best in security and manageability, but only when done in the right way.

Why is Key Management Important?

Cryptography lies at the heart of enterprise security, where it is essential for protecting sensitive and private information from those with malicious intent.

Common cryptographic use cases include:

  • encrypting data at rest, in motion or in use
  • digitally signing and verifying code, documents, etc.
  • making electronic payments
  • buying and selling cryptocurrencies

There are many cryptographic algorithms available for such use cases, including modern, post-quantum algorithms; but what they all have in common is the need for a “key” or “key pair” that controls ownership over the encrypted or signed data. It is imperative that these keys are adequately protected and managed, as a compromised key results in compromised data.

“Key Management” is the practice of managing cryptographic keys throughout their life, from generation to destruction – who can use them, what they can be used for, when they expire, and so on. For enterprises, which typically have many thousands of keys, this requires a secure and scalable KMS.

This is so important that the US National Institute of Standards and Technology (NIST) has published a 3-part standard on key management comprising over 300 pages [source]!

Key management is not just a best practice – it is often a compliance requirement. Standards and regulations such as PCI DSS, HIPAA, GDPR and ISO 27001 mandate strict handling of cryptographic keys, with expectations for secure storage, usage, and auditability.

Why Use an HSM?

Generating, storing and using cryptographic keys on a standard computing platform is risky. Any unpatched or zero-day software vulnerability could lead to the key (and hence the data) being leaked.

To mitigate this risk, HSMs are purpose-built devices for generating keys and performing cryptography within a secure hardware boundary, typically certified to the FIPS 140 standard (another NIST publication).

Combining HSMs and Key Management

HSMs, however, are usually quite simple devices with very crude key management capabilities, so they are typically paired with an external KMS. This arrangement is sub-optimal for several reasons:

  • The overall security is reduced by having the KMS external to the HSM
  • If the HSM and KMS are from different vendors, compatibility issues may arise
  • It is more work to manage two systems instead of one
  • With two systems, access control and scaling are complicated and error prone
  • Each system needs its own High Availability (HA) / Disaster Recovery (DR) capabilities

Some vendors add an HSM on a PCI card into a server that is running a KMS solution, but this just combines the two components in a single box without solving many of the fundamental issues identified above, such as the KMS software running externally to the HSM.

Fortanix DSM – The Fully Integrated KMS + HSM Solution

The Fortanix DSM architecture solves these problems by combining both HSM and KMS into a single, fully integrated system with a unified management interface, audit log and set of APIs. Active-active clustering provides horizontal scalability and seamless HA/DR. It can even be provided as a SaaS solution for cloud-first organizations.

The whole system operates within the FIPS 140 security boundary, uniquely augmented by a Confidential Computing operating environment that protects data-in-use within a secure enclave or “Trusted Execution Environment” (TEE).

For enterprise key management, backed by an HSM, Fortanix DSM delivers the very best security, scalability, resilience, flexibility and usability – nothing else compares.

Ask for a demo or sign up for a free trial today!
