Futurex General Purpose HSM
Establish a common hardware root of trust for PKI, signing, encryption, device identity, enterprise key management, and digital asset workloads.
At a Glance
The Excrypt HSM provides a single hardware root of trust for PKI, code signing, encryption, and device identity. Available as a 1U rack appliance, PCIe card, or cloud instance through VirtuCrypt, it supports administration through a web interface, APIs, and CLI tools, while CryptoHub delivers centralized orchestration and management across deployments.
Up to 40,000 RSA-2048 signatures per second on a single Excrypt HSM
Native support for ML-KEM (FIPS 203) and ML-DSA (FIPS 204) for Post-Quantum Cryptography (PQC)
Isolated virtual HSM instances for departments, applications, and tenants
24/7 support from globally distributed Technical Account Managers and Support Engineers
A hardware root of trust for enterprise cryptography
A general-purpose hardware security module (HSM) protects cryptographic keys and performs cryptographic operations for enterprise workloads outside payment processing. Futurex delivers this capability through the Excrypt HSM platform.
General-purpose HSM and payment HSM functionality run on the same converged Excrypt HSM platform. The difference lies in the workload configuration, command sets, and integrations exposed to applications using the HSM.
This gives enterprise cryptography and infrastructure teams a common hardware foundation for PKI, code signing, application encryption, database encryption, IoT identity, 5G authentication, blockchain wallets, and digital asset custody, without forcing every workload onto a separate appliance family.

Replace project-by-project cryptography with a platform strategy
Enterprise cryptography often grows one project at a time. PKI uses one platform. Code signing introduces another. Application encryption, database encryption, IoT identity, and digital asset custody each bring separate tooling, procedures, patching schedules, and audit evidence.
Excrypt allows these workloads to share a validated hardware root of trust while remaining isolated by department, application, tenant, or region. Teams gain a consistent management model, API surface, support relationship, and approach to key protection across the cryptographic services the business depends on.
Core Enterprise Workloads
| Workload | Protected operations and keys |
| PKI and certificate authority protection | Protect root and intermediate CA private keys and perform signing operations for certificate issuance. Key material remains inside the hardware boundary throughout the certificate lifecycle. |
| Code, firmware, container, document, and transaction signing | Isolate signing keys from build systems, developer workstations, and general-purpose application environments. Signing operations occur inside the HSM. |
| Application and database encryption | Generate, wrap, rotate, and use encryption keys for field-level, column-level, or database transparent data encryption (TDE). HSM-managed keys remain outside application code and software key stores. |
| Enterprise key management | Centralize key generation, storage, rotation, and lifecycle management across applications, databases, and infrastructure components. |
| IoT identity and 5G authentication | Provision, validate, and protect device identity credentials and 5G subscriber authentication keys at scale. |
| Digital asset custody | Generate and protect blockchain wallet and custody signing keys inside the HSM, so transaction authorization depends on a validated hardware boundary. |
Keep private keys out of general-purpose systems
Every general-purpose workload on the platform uses a hardware root of trust backed by FIPS 140-3 Level 3 validated HSMs.
Private keys are generated and protected inside tamper-resistant hardware
Key material is never exposed in plaintext outside the module
FIPS 140-3 Level 3 validation provides independently assessed assurance
Virtual HSMs and application partitions isolate departments, applications, and tenants
Privileged actions are policy-controlled and logged for audit
Operate shared HSM capacity without sharing trust boundaries
A single physical Excrypt HSM can support up to 75 isolated virtual HSMs, and each virtual HSM can support up to 250 application partitions. Workloads can be separated by department, application, tenant, or region while using a common hardware foundation.
Administrators can use a web-based management interface, API automation, and CLI workflows for provisioning, policy management, monitoring, and reporting. For larger estates, CryptoHub provides centralized orchestration, reporting, discovery, backup, and monitoring across physical, virtual, and cloud-hosted HSMs.
Build crypto-agility into long-lived trust services
PKI roots, code signing keys, encrypted archives, and regulated records can remain security-relevant for many years. Excrypt HSM supports ML-KEM and ML-DSA alongside classical algorithms such as RSA, ECC, and AES. Organizations can begin hybrid classical and post-quantum planning without waiting for a hardware refresh.
Connect the HSM to the broader cryptographic lifecycle
Futurex's Excrypt HSM integrates into the CryptoHub ecosystem for centralized key management, PKI and certificate authority services, data protection, reporting, discovery, remote key loading, and orchestration. The HSM protects the keys and performs the cryptographic operations. CryptoHub manages the surrounding lifecycle and operating workflows.
Deployment and architecture
- One or more Excrypt HSM appliances, PCIe cards, or VirtuCrypt cloud HSM instances
- Virtual HSMs or application partitions separating workloads by department, application, tenant, or region
- Integration with PKI and certificate authority software
- Integration with code signing, document signing, application encryption, and database encryption workflows
- API and CLI automation for provisioning, monitoring, and policy enforcement
- Centralized orchestration, monitoring, reporting, and discovery through CryptoHub and HubIQ
- CryptoHub services for key management, PKI and CA, and data protection
- VirtuCrypt hosting for cloud deployment, backup capacity, or disaster recovery
Compliance support
Futurex general purpose HSMs support enterprise assurance and compliance programs by strengthening hardware-backed key protection, access control, and auditability.
- FIPS 140-3 Level 3 compliant HSMs for hardware-backed key protection
- Hardware-backed root of trust for regulated enterprise workloads
- Centralized key management and audit reporting through the CryptoHub ecosystem
- Workload isolation through virtual HSMs and application partitions
Frequently Asked Questions
What is the difference between a general-purpose HSM and a payment HSM?latform.
A general-purpose HSM is configured for enterprise cryptography workloads such as PKI, code signing, application encryption, database encryption, and device identity. A payment HSM is configured for card and payment transaction workflows such as EMV, PIN, P2PE, card issuance, and tokenization. Both run on the Excrypt HSM platform.
Can one Excrypt HSM support multiple departments or applications?
Yes. A single physical Excrypt HSM can support up to 75 isolated virtual HSMs, and each virtual HSM can support up to 250 application partitions.
Does the platform support post-quantum cryptography today?
Yes. The Excrypt HSM platform supports ML-KEM (FIPS 203) and ML-DSA (FIPS 204) alongside classical algorithms.
What deployment models are available?
The Excrypt HSM supports general-purpose cryptographic workloads and is available as a 1U rack-mounted appliance, PCIe card, or cloud-hosted instance through VirtuCrypt.
How is the HSM managed day to day?
Administrators can use a web-based management interface, API and CLI automation for provisioning, policy management, monitoring, and reporting. CryptoHub adds centralized orchestration, reporting, discovery, and monitoring for larger estates.
How does the general-purpose HSM relate to CryptoHub?
The Excrypt HSM protects cryptographic keys and performs cryptographic operations. CryptoHub manages the surrounding lifecycle with orchestration, key management, PKI, certificate authority services, data protection, reporting, discovery, and remote key loading.
Featured Resources
"Our ability to provide best in class solutions supported by independent auditors’ statements of compliance are crucial for all stakeholders – we were pleased to be able to partner with Futurex to provide industry leading cryptography solutions."
- Jude Heejun Han, Deputy Senior Manager of Software Engineering
Nautilus Hyosung
Consolidate enterprise trust services
Talk to Futurex about protecting PKI, signing, encryption, device identity, key management, and digital asset workloads on the Excrypt HSM platform.