What is the HSM connection?

The HSM connection ensures that the server keys can be outsourced to the HSM. This ultimately leads to an increased protection because the keys are not directly in the server’s access. The connection is effected via PKCS # 11.


In order to be able to connect an HSM, the following conditions have to be met:

  • An executable HSM has to be available.
  • The PKCS # 11 drivers have to be installed on the application server.
  • The Enterprise Plus Edition has to be licensed.
  • The device is set up via the Administrator database on the AdminClient

Hardware tested by MATESO GmbH

Basically every HSM should work with PKCS # 11 interface. However, if you use an HSM that does not belong to the following products that we have tested, it is recommended that you try it in advance in a test or POC.

  • SafeNet Luna SA – HSM with network connection
  • SafeNet Luna PCI-E – Embedded HSM


The installation is set up on the AdminClient via the database settings

  • Library path: Here you can find the installed PKCS # 11 driver of the HSM.
  • Token-Serial: The serial number of the token is given here.
  • Token Label: The name of the token.
  • PIN: Finally, the PIN is specified for authentication at the token.

Use by Password Safe

As soon as the HSM is connected, all server keys are transferred to the HSM. This is definitely the database certificate. If the AD has been connected in Masterkey mode, the masterkey will also be transferred to the HSM. Then the certificates are no longer stored in the certificate store of the application server, but centrally managed by the HSM. All other keys are not stored on the HSM, but derived from the masterkeys. Therefore, Password Safe rarely accesses the HSM, for example, at server startup or at the AD Sync. As a result, the load on the HSM can be kept low.

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.