Child pages
  • HSM Buyers' Guide

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0


Hardware Security Modules come in a variety of shapes, forms and sizes:

  • PCI cards
  • Separate units that communicate via various channels (networks, SCSI, ...)
  • Smart cards
  • USB tokens
  • Software tokens
  • etc.

The main purpose of a HSM is to safeguard cryptographic key material and/or to speed up cryptographic operations (a HSM can have either one or both of these purposes).

For the purpose of this document, HSMs are divided into four categories:

1. Software tokens

Characteristics of this category are:

  • Low price (probably free)
  • Almost unlimited storage capability
  • Speed for cryptographic operations is limited by the computer hardware
  • Lower security because the keys are not protected by hardware
  • Can be used if an HSM is not necessary, or to set up a testbed before purchasing a real HSM

SoftHSM is an example of a software token. It is provided by OpenDNSSEC.


Characteristics of this category are:

  • Low price (sub €100/unit)
  • Portable
  • Limited storage capability for key material (less than 20 RSA key-pairs)
  • Limited or no support for symmetric cryptographic algorithms
  • Limited speed for cryptographic operations

3. Medium- to high-cost cryptographic accelerators (PCI cards/separate units)

Characteristics of this category are:

  • Medium to high price (€2500 – €30000 per unit)
  • Fixed location
  • Emphasis is on acceleration of cryptographic operations not on key storage (typical product names: "SSL accelerator" or "Crypto accelerator"“SSL accelerator” or “Crypto accelerator”, etc.)
  • High speed cryptographic operations both symmetric as well as asymmetric

4. Medium- to high-cost traditional hardware security modules (PCI cards/separate units)

Characteristics of this category are:

  • Medium to high price (€2500 – €30000 per unit)
  • Fixed location
  • Large storage capability for key material (thousands of RSA keys or more)
  • Cryptographic acceleration

Of these four types of HSMs, three types are suitable for use with OpenDNSSEC (types 1, 2, and 4). Type 3 HSMs (cryptographic accelerators) are less suited for use with OpenDNSSEC because they do not always provide the means to securely and efficiently store cryptographic key material.


Most HSMs support both RSA as well as DSA key generation and signing. RSA is recommended for use with OpenDNSSEC. The RSA support should at least comply with the following guidelines:

  • On-board key generation and key storage must be supported
  • The minimum key size should be 1024 bits or less
  • The maximum key size should be at least 2048 bits or more

DSA is not recommended for use with DNSSEC in general for the following reasons:

  • The maximum key size is limited to 1024 bits
  • Validation of DSA signatures requires significantly more processing than validation of RSA signatures, thus imposing additional load on validating resolvers.

APIs for access

Most HSMs will support one or more of the following APIs for access to their cryptographic functionality:

  • PKCS #11
    This is an open standard from RSA laboratories. It is also known as "Cryptoki"“Cryptoki”.
  • OpenSSL engine
    This is not really a standard, but more of a plug-in for the OpenSSL library.
  • Microsoft CryptoAPI
    This is a closed standard that is only used on Windows systems.

To be interoperable with OpenDNSSEC a HSM must support the PKCS #11 API. The minimum supported version of the PKCS #11 API is version 2.11. A compliancy tool will be made available that tests whether the PKCS #11 module supplied with a HSM is compatible with OpenDNSSEC.


When comparing HSMs in order to decide which one to purchase it is useful to compare the speed of cryptographic operations. There are two important benchmarks to look for:

  • Signing speed for RSA
    This is usually measured in 1024-bit signing operations with public exponent 3 or 65537 per second.
  • Key generation speed for RSA
    This is usually the average key generation time for 1024-bit and 2048-bit keys measured in seconds.

In general, separate unit HSMs and PCI cards will outperform smart cards and USB tokens by a large factor.


This standard is maintained by the National Institute of Standards and Technology (NIST) which is a United States governmental body. The FIPS 140-2 standard recognises four levels to which a module can be evaluated (for a more detailed description see FIPS 140-2):

  • Level 1 – the lowest level; basic security requirements are specified
  • Level 2 – includes requirements for tamper evidence, user authentication
  • Level 3 – includes requirements for tamper detection/resistance, data zeroisation, splitting user roles
  • Level 4 – the highest level; penetration of the module has a very high probability of being detected, has requirements on environmental protection

For use with OpenDNSSEC, a HSM that has at least a FIPS 140-2 level 2 certification is recommended. Note that operating a HSM in FIPS 140-2 level 3 or higher mode may impose restrictions on on-board key generation through the PKCS #11 API that may be incompatible with OpenDNSSEC.


The Common Criteria are an internationally recognised set of standards for evaluating security hardware and software. It is a highly regulated process with the following characteristics:

  • The product or system under evaluation is referred to as the "Target “Target of Evaluation" Evaluation” or TOE for short
  • The TOE is evaluated against a Protection Profile (PP); a profile defined by a user or user community, examples of which include the Secure Signature Creation Device (SSCD) which is one of the bases of the European Digital Signature Directive
  • The evaluation is performed on the basis of a so-called "Security Target" “Security Target” (ST) which is a detailed document describing the security functions of the TOE and refers to the PP

When a product has been evaluated the depth of and confidence in the evaluation is expressed as an Evaluation Assurance Level (EAL) ranging from 1 to 7 where 1 is the lowest and 7 the highest qualification.


The key material used by OpenDNSSEC and stored in a HSM is extremely valuable as it guarantees the continued signed presence of a domain in the Domain Name System. It is therefore important to check the backup mechanisms supported by your HSMs.unmigrated-wiki-markup

Unfortunately, there are no specific standards for backing up key material in HSMs at the moment. Most manufacturers, however, will provide a \ [vendor specific\] way for backing up key material. When evaluating a HSM product, attention should be paid to the security, ease of use and above all robustness of the backup method(s) provided by the HSM manufacturer.

Wiki MarkupA good example of a backup strategy is a HSM which maintains a key database (on disk) that is secured using (a) \ [set of\] master key(s). These can be stored on smart cards that can be distributed among multiple security officers. An N out of M model can then be used to restore the master key(s) in a new HSM if a backup needs to be restored where at least N out of M security officers need to present their card to restore the master key(s). The new HSM can then access the key database stored on disk which could have been backed up using readily available backup tools.

Matching HSM types to typical usage scenarios