How We Build Applications Based on HSMs

We design and implement applications so that all critical cryptographic operations and key management are handled by Hardware Security Modules (HSMs), not by the application code or standard storage. This approach significantly reduces the risk of key theft, data breaches, and unauthorized use of cryptographic material.

1. HSM-Centric Architecture

Keys never leave the HSM
  • Cryptographic keys (signing, encryption, decryption, key wrapping) are generated directly inside the HSM.
  • Private keys are non-exportable: the application can only request operations (e.g., “sign this hash”), not read the keys.
Application as a client of the HSM
  • Our services interact with HSMs through secure APIs (PKCS#11, cloud Key Vault / HSM integrations, vendor SDKs).
  • Business logic remains in the application, while cryptographic logic and key protection are delegated to the HSM.
Separation of responsibilities
  • Application tiers focus on domain logic, user flows, and integrations.
  • The HSM/security layer is responsible for key generation, rotation, signing, decryption and enforcement of crypto policies.

2. Secure Key Management Lifecycle

Secure key generation
  • Keys are generated with high-quality hardware random number generators inside the HSM.
  • Key sizes and algorithms follow current best practices and compliance requirements (e.g., RSA, ECC, AES, compliant curves and lengths).
Key usage policies
  • Each key has strict usage permissions (sign only, decrypt only, wrap/unwrap, etc.).
  • Role-based access control governs which applications and services may use which keys.
Key rotation and expiry
  • We design applications to support automatic and regular key rotation without downtime.
  • Old keys are gracefully phased out while remaining available for decrypting historical data if required.
Key backup and recovery
  • Backups are performed using secure, vendor-approved procedures, with keys always remaining encrypted and protected by HSM security boundaries.
  • Processes for disaster recovery are defined and tested to ensure availability without compromising security.

3. Cryptographic Operations in the HSM

Digital signatures and certificates
  • Signing keys used for documents, transactions, tokens (e.g., JWTs) and certificates are stored in HSMs.
  • Signature operations are executed in the HSM, providing non-repudiation and high assurance that keys are not misused.
Data encryption & tokenization
  • Sensitive data (personal data, payment data, secrets) is encrypted with keys protected by the HSM.
  • We support envelope encryption and tokenization patterns: applications handle tokens, while the HSM protects the underlying keys.
Remote signing & authorization workflows
  • For remote signature solutions, HSM-held keys represent legal or organizational identities.
  • Our applications orchestrate user authentication and authorization, then delegate the actual signing operation to the HSM.

4. Integration with Cloud and On-Premise Environments

Cloud HSM and key vault integration
  • For cloud environments, we leverage native key management solutions backed by HSMs (e.g., cloud Key Vault + HSM tiers).
  • Applications use managed identities or other secure credentials to access keys; secrets are neither hardcoded nor stored in plain text.
On-premise HSM integration
  • In on-premise setups, we integrate with network-attached or PCIe HSMs, following vendor best practices for performance and security.
  • Communication with HSMs is encrypted and authenticated; only authorized services can send cryptographic requests.

5. Security Governance and Compliance

Role-based administration
  • Administrative access to HSMs is strictly controlled, separated from application and operational roles.
  • Dual-control and quorum policies can be adopted for highly sensitive key operations (e.g., key deletion, master key operations).
Auditability and logging
  • Security events (key usage, failed attempts, administrative changes) are logged and can be integrated into SIEM systems.
  • This supports compliance requirements and enables detailed forensic analysis if needed.
Standards and regulation alignment
  • Our HSM-based solutions can be aligned with industry standards and certifications (e.g., FIPS 140-2/3 HSMs, eIDAS-style qualified signatures, PCI DSS for payment data).

6. Application Design for HSM Usage

Abstraction layer for cryptography
  • We implement a dedicated cryptographic service or library inside the solution that abstracts HSM calls.
  • Business services call a stable interface (Sign, Encrypt, Decrypt, ValidateSignature), which internally routes the operation to the HSM.
Performance & scalability
  • For high-volume scenarios, we design efficient use of HSM resources (batching operations where possible, caching non-sensitive metadata, proper connection pooling).
  • The overall architecture can be scaled horizontally while relying on centralized key protection in the HSM.
Secure fallback and error handling
  • If HSM operations fail, the application fails securely (no downgrade to software keys, no bypass of cryptographic checks).
  • Alerting and monitoring are in place to quickly react to HSM or connectivity issues.
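As an added illustration of the envelope-encryption pattern (section 3), per-key usage policies (section 2) and the fail-closed abstraction layer (section 6), the following Python sketch is not the company's code: SimulatedHsm is a constructed in-memory stand-in for a real HSM reached via PKCS#11 or a cloud key vault, and the HMAC-based cipher replaces AES-GCM only because the standard library has no AES.

```python
import hmac
import secrets

class HsmUnavailable(Exception): """HSM unreachable: callers must fail closed, never fall back to software keys."""

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in PRF (stdlib has no AES); use an AEAD in production.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((length + 31) // 32))[:length]
def _seal(key, plaintext):
    # Encrypt-then-MAC with a fresh nonce: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class SimulatedHsm:
    # Constructed stand-in for a real HSM: keys are generated inside and never
    # exported; every request is checked against the key's usage policy first.
    def __init__(self):
        self._keys = {}      # label -> (key material, allowed usages)
        self.online = True
    def generate_key(self, label, usages):
        self._keys[label] = (secrets.token_bytes(32), frozenset(usages))
    def _key_for(self, label, usage):
        if not self.online:
            raise HsmUnavailable(label)
        key, allowed = self._keys[label]
        if usage not in allowed:
            raise PermissionError(f"key {label} is not permitted to {usage}")
        return key
    def wrap(self, label, dek):
        return _seal(self._key_for(label, "wrap"), dek)
    def unwrap(self, label, wrapped):
        return _open(self._key_for(label, "unwrap"), wrapped)

class CryptoService:
    # Application-side abstraction layer: envelope encryption, the KEK stays in the HSM.
    def __init__(self, hsm, kek_label):
        self._hsm, self._kek = hsm, kek_label
    def encrypt(self, plaintext):
        dek = secrets.token_bytes(32)                   # fresh per-record data key
        return self._hsm.wrap(self._kek, dek), _seal(dek, plaintext)
    def decrypt(self, wrapped_dek, ciphertext):
        # No except/fallback: if the HSM is down, HsmUnavailable propagates (fail closed).
        return _open(self._hsm.unwrap(self._kek, wrapped_dek), ciphertext)
```

The application only ever holds the wrapped DEK and the ciphertext; a wrap-only key label lets an ingestion service encrypt records it can never read back.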