
What are the key management methods for cloud HSMs?

When VirtuCrypt cloud HSMs are provisioned, securely loading encryption keys is a critical step. There are several methods by which administrators can securely load major keys into VirtuCrypt cloud HSMs. These include Bring Your Own Key (BYOK), key agent services, and HSM-generated keys.

Bring Your Own Key (BYOK)

Organizations requiring self-management of encryption keys to protect their most sensitive data through the Bring Your Own Key (BYOK) method can confidently manage keys in VirtuCrypt cloud HSMs. The Excrypt Touch is Futurex’s FIPS 140-2 Level 3 and PCI HSM validated tablet that allows organizations to securely manage their own encryption keys from anywhere in the world. With the Excrypt Touch, administrators can securely establish a remote TLS connection with mutual authentication and load clear master keys to VirtuCrypt cloud HSMs.

Transferring keys to VirtuCrypt cloud HSMs with the Excrypt Touch uses double encipherment for key components. Double encipherment adds a further layer of protection by requiring each component to be encrypted under two separate keys. To recover the component in a usable, readable form, the double encipherment process must be reversed in the opposite order, again using the two entirely separate key pairs. The keys used for this purpose are protected further by being ephemeral: they are temporary, can be used only once, and never leave the devices in the clear. As soon as the ephemeral keys have been used to encrypt or decrypt the data, they are erased from temporary memory.
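The double-encipherment flow described above, written out as an added example. This is not Futurex's or VirtuCrypt's code and does not reproduce the Excrypt Touch protocol; it assumes AES-256-GCM as the cipher for each layer, 256-bit ephemeral keys drawn from the operating system's CSPRNG, and the hypothetical names DoubleEncipher, DoubleDecipher and SimulateTransfer. It shows a key component wrapped under an inner key and then an outer key, the layers removed in reverse order, and both ephemeral keys zeroised after the single transfer they were created for, so a reader can check that nothing reusable is left behind and that a tampered or wrongly ordered ciphertext is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ephemeralKey holds a one-time 256-bit AES key that is zeroised after use.
// Illustrative construction only (an assumption of this example).
type ephemeralKey struct {
	k []byte
}

// newEphemeralKey draws a fresh key from the OS CSPRNG. In a real HSM the
// key would come from the device's validated RNG and never leave the device.
func newEphemeralKey() (*ephemeralKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &ephemeralKey{k: k}, nil
}

// destroy overwrites the key material and drops the reference, so the key
// cannot be reused after the single transfer it was created for.
func (e *ephemeralKey) destroy() {
	for i := range e.k {
		e.k[i] = 0
	}
	e.k = nil
}

// newGCM builds an AES-256-GCM AEAD for one layer of encipherment.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, prepending the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; any change to the ciphertext fails authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// DoubleEncipher wraps a component as outer(inner(component)); holding only
// one of the two keys recovers nothing usable.
func DoubleEncipher(component, inner, outer []byte) ([]byte, error) {
	once, err := seal(inner, component)
	if err != nil {
		return nil, err
	}
	return seal(outer, once)
}

// DoubleDecipher removes the layers in the opposite order: outer, then inner.
func DoubleDecipher(sealed, inner, outer []byte) ([]byte, error) {
	once, err := unseal(outer, sealed)
	if err != nil {
		return nil, err
	}
	return unseal(inner, once)
}

// SimulateTransfer runs one transfer with two fresh ephemeral keys, then
// destroys them. It returns the recovered component and whether both keys
// were zeroised.
func SimulateTransfer(component []byte) ([]byte, bool, error) {
	inner, err := newEphemeralKey()
	if err != nil {
		return nil, false, err
	}
	outer, err := newEphemeralKey()
	if err != nil {
		return nil, false, err
	}
	sealed, err := DoubleEncipher(component, inner.k, outer.k)
	if err != nil {
		return nil, false, err
	}
	recovered, err := DoubleDecipher(sealed, inner.k, outer.k)
	if err != nil {
		return nil, false, err
	}
	inner.destroy()
	outer.destroy()
	return recovered, inner.k == nil && outer.k == nil, nil
}

func main() {
	// Constructed sample component, not a real key.
	got, wiped, err := SimulateTransfer([]byte("0123456789ABCDEF"))
	fmt.Printf("recovered=%q ephemeral keys wiped=%v err=%v\n", got, wiped, err)
}
```

The two layers are independent AEAD encryptions, so decrypting with the keys in the wrong order, or with a ciphertext that was altered in transit, fails authentication rather than producing a garbled component.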

Key Agent Services

For organizations that need key management assistance, Futurex’s key agent team can compliantly load keys into VirtuCrypt cloud HSMs. With this service, VirtuCrypt handles, loads, and stores key components, but the ownership of the keys remains with the customer throughout this process.

This method is the most common one used by organizations in need of key management assistance. When using these services, certain compliance requirements must be fulfilled that relate specifically to the secure shipment of components. As part of the onboarding and key loading process, customers are provided with detailed instructions.

HSM-Generated Keys

Administrators can randomly generate major keys using the random number generator (RNG) inherent to their cloud HSMs. This RNG is a FIPS 140-2 Level 3 validated entropy source.
