Hardware Security Module (HSM)

A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle.

Hardware security modules act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.


Enterprises buy hardware security modules to protect transactions, identities, and applications, as HSMs excel at securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services for a wide range of applications.

Thales Hardware Security Modules provide the highest level of security by always storing cryptographic keys in hardware. Thales HSMs provide a secure crypto foundation as the keys never leave the intrusion-resistant, tamper-evident, FIPS-validated appliance. Since all cryptographic operations occur within the HSM, strong access controls prevent unauthorized users from accessing sensitive cryptographic material. Thales also implements operations that make the deployment of secure HSMs as easy as possible, and our HSMs are integrated with Thales Crypto Command Center for quick and easy crypto resource partitioning, reporting, and monitoring.

Thales HSMs adhere to rigorous design requirements and must pass through stringent product verification testing, followed by real-world application testing to verify the security and integrity of every device.

Thales HSMs are cloud agnostic, and are the HSM of choice for Microsoft, AWS and IBM, providing a “rentable” hardware security module (HSM) service that dedicates a single-tenant appliance located in the cloud for customer cryptographic storage and processing needs.

A broad range of innovative technology partners utilize Thales Hardware Security Modules as roots of trust, relied upon to secure sensitive data, transactions, applications, and more around the world.


With Thales Hardware Security Modules, You Can:

  • Address compliance requirements with solutions for Blockchain, GDPR, IoT, paper-to-digital initiatives, PCI DSS, digital signatures, DNSSEC, hardware key storage, transactional acceleration, certificate signing, code or document signing, bulk key generation, data encryption, and more.
  • Generate keys in, and always store them in, the intrusion-resistant, tamper-evident, FIPS-validated appliance, providing the strongest levels of access controls.
  • Create partitions with a dedicated Security Officer per partition, and segment through admin key separation.


Thales Luna General Purpose HSMs:

Available in a wide range of form factors and performance options, Thales Luna General Purpose HSMs safeguard the cryptographic keys used to secure transactions, applications, and sensitive data. The Thales Luna HSM product family represents the highest-performing, most secure, and easiest-to-integrate HSM solution available on the market today. Luna HSMs are purposefully designed to provide a balance of security, high performance, and usability that makes them an ideal choice for enterprise, financial, and government organizations.

Luna HSM Features & Benefits:

  • Defense in Depth: Keys in Hardware
    • Cryptography is only as strong as the security afforded to your cryptographic keys. Luna HSMs are designed with the highest key security in mind.
    • With our unique keys-in-hardware approach, cryptographic keys are securely isolated inside the tamper-resistant hardware of the HSM. Applications communicate with the keys stored in the Luna HSM via a client – but keys never leave the HSM.
  • Flexibility for the Next Generation of PKI
    • With an unparalleled combination of features, including central key and policy management, robust encryption support, flexible integration, and more, Luna Hardware Security Modules enable organizations to guard against evolving threats and capitalize on the emerging opportunities presented by technological advances.
  • FIPS 140-2, Common Criteria and eIDAS Validation
    • Achieving FIPS and Common Criteria certification can be a lengthy process for each product certified. As Thales' sole focus is security, they make third-party certifications a priority.
    • Thales has years of experience in designing products that adhere to FIPS 140-2 and Common Criteria. Luna HSMs are certified to FIPS 140-2 (Level 2 and 3) and Common Criteria EAL 4+.
  • Secure Remote Management and Activation
    • Today, organizations depend on IT infrastructure that is spread across the globe. Activating, managing, and administering HSMs across many decentralized data centers could be a time-consuming and costly process.
    • With Thales’s two-factor authenticated Remote PIN Entry Device (PED), Luna HSMs can be securely managed and administered remotely. Luna HSMs also benefit from secure transport mode, a feature which allows HSMs to be placed in a locked state to ensure key material is secure and untampered as it travels to a data center or remote office.
  • HSM Provisioning and HSM-as-a-Service Capability
    • Crypto Command Center is an innovative provisioning tool that enables organizations to establish their own internal HSM-as-a-Service offering.
    • Crypto Command Center allows a centralized IT team to establish a pool of pre-configured HSM resources, and provide those resources to the teams that need them via an on-demand catalog of resources. Crypto Command Center represents a dramatic reduction in the time required to stand up and manage Luna Network HSM resources.