What is the HSM connection?

The HSM connection ensures that the certificates can be outsourced to the HSM. This ultimately leads to an increased protection because the certificates are not directly in the server’s access. The connection is effected via PKCS # 11.


In order to be able to connect an HSM, the following conditions have to be met:

  • An executable HSM has to be available.
  • The PKCS # 11 drivers have to be installed on the application server.
  • The Enterprise Plus Edition has to be licensed.
  • The device is set up via the Administrator database on the AdminClient.

Hardware compatibility

In principle, any HSM should work with the PKCS#11 interface. However, it is recommended to try this out in a test position or a PoC beforehand.


The installation is set up on the AdminClient via the database settings.

  • Library path: Here you can find the installed PKCS # 11 driver of the HSM.
  • Token-Serial: The serial number of the token is given here.
  • Token Label: The name of the token.
  • PIN: Finally, the PIN is specified for authentication at the token.

Use by Password Safe

As soon as the HSM is connected, all server keys are transferred to the HSM. This is the database certificate. If the AD has been connected in Masterkey mode, the masterkey will also be transferred to the HSM. Then the certificates are no longer stored in the certificate store of the application server, but centrally managed by the HSM. All other keys are not stored on the HSM, but derived from the masterkeys. Therefore, Password Safe rarely accesses the HSM, for example, at server startup or at the AD Sync. As a result, the load on the HSM can be kept low.

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.