Hardware Security Modules

Dedicated hardware that guards keys and performs crypto without exposing them.

Keys That Never Leave

A hardware security module is a tamper-resistant device that generates and stores cryptographic keys and performs operations with them, so the private key never leaves the boundary. Applications send data to be signed or decrypted and receive only the result.

Why Use One

  • Even a fully compromised host cannot extract the key material.
  • Tamper resistance and physical hardening protect against extraction attempts.
  • Built-in access control and logging govern who can use each key.
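
The boundary and per-key access control described above, as an added example that is not part of the original lesson: a standard-library Python model in which callers hold only a key handle, every request is checked and logged, and export is always refused. `ToyHSM`, the principal names and the messages are hypothetical, and HMAC-SHA256 stands in for the device's signing operation.

```python
import hashlib
import hmac
import secrets


class ToyHSM:
    """Model of the HSM interface only; a real device enforces this in hardware."""

    def __init__(self):
        self._keys = {}      # handle -> (key bytes, principals allowed to use it)
        self.audit_log = []  # (principal, handle, operation, outcome), in order

    def _record(self, principal, handle, op, outcome):
        self.audit_log.append((principal, handle, op, outcome))

    def generate_key(self, owner):
        """Create key material inside the boundary and return only a handle."""
        handle = "key-" + secrets.token_hex(4)
        self._keys[handle] = (secrets.token_bytes(32), {owner})
        self._record(owner, handle, "generate", "ok")
        return handle

    def sign(self, principal, handle, message):
        """Return a tag over message; the key itself is never returned."""
        key, allowed = self._keys[handle]
        if principal not in allowed:
            self._record(principal, handle, "sign", "denied")
            raise PermissionError(f"{principal} may not use {handle}")
        self._record(principal, handle, "sign", "ok")
        return hmac.new(key, message, hashlib.sha256).digest()

    def export_key(self, principal, handle):
        """Keys are non-extractable: every export attempt is refused and logged."""
        self._record(principal, handle, "export", "denied")
        raise PermissionError("key material is not extractable")


def demo():
    hsm = ToyHSM()
    handle = hsm.generate_key("payments-svc")              # constructed principal
    tag = hsm.sign("payments-svc", handle, b"invoice 42")  # constructed message
    outcomes = []
    for attempt in (lambda: hsm.export_key("payments-svc", handle),
                    lambda: hsm.sign("batch-job", handle, b"invoice 42")):
        try:
            attempt()
        except PermissionError:
            outcomes.append("denied")
    return hsm, handle, tag, outcomes
```

The authorized caller gets a result for every request but never the key, so the audit log is the record of how a key was used from a given host.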

Trade-Offs

  • Operations are bounded by the device's throughput, which can be a bottleneck.
  • They add cost and operational complexity, so reserve them for high-value keys.
  • Cloud key management services offer hosted equivalents for many use cases.

Key idea

A hardware security module performs crypto so private keys never leave a tamper-resistant boundary, protecting high-value keys even on a compromised host.

Check yourself

1. What is the defining property of an HSM?

2. What is a realistic trade-off of using an HSM?