Skip to main content
AI/MLplurigrid

configuring-hsm-for-key-storage

Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea

Stars
23
Source
plurigrid/asi
Updated
2026-04-26
Slug
plurigrid--asi--configuring-hsm-for-key-storage
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/plurigrid/asi/HEAD/plugins/asi/skills/configuring-hsm-for-key-storage/SKILL.md -o .claude/skills/configuring-hsm-for-key-storage.md

Drops the SKILL.md into .claude/skills/configuring-hsm-for-key-storage.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Configuring HSM for Key Storage

Overview

Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never leave the device boundary, providing the highest level of key protection. This skill covers configuring HSMs using the PKCS#11 standard interface, including key generation, signing, encryption, and key management using both physical HSMs and SoftHSM2 for development.

When to Use

  • When deploying or configuring configuring hsm for key storage capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with cryptography concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Configure SoftHSM2 as a development PKCS#11 provider
  • Generate and manage keys inside the HSM via PKCS#11
  • Perform cryptographic operations (sign, verify, encrypt, decrypt) using HSM-resident keys
  • Implement HSM-backed certificate authority operations
  • Configure key access policies and user authentication
  • Interface with cloud HSM services (AWS CloudHSM, Azure)

Key Concepts

HSM Compliance Levels

FIPS Level Protection Use Case
FIPS 140-2 Level 1 Software only Development
FIPS 140-2 Level 2 Tamper-evident, role-based auth General production
FIPS 140-2 Level 3 Tamper-resistant, identity-based auth Financial, government
FIPS 140-2 Level 4 Physical tamper response Military, classified

PKCS#11 Architecture

Application --> PKCS#11 API --> HSM Provider --> Hardware HSM
                                    |
                              (SoftHSM2 for dev)

Key Objects in PKCS#11

Object Type Description Operations
CKO_SECRET_KEY Symmetric keys (AES) Encrypt, Decrypt, Wrap
CKO_PUBLIC_KEY Public keys (RSA, EC) Verify, Encrypt, Wrap
CKO_PRIVATE_KEY Private keys (RSA, EC) Sign, Decrypt, Unwrap
CKO_CERTIFICATE X.509 certificates Storage, retrieval

Security Considerations

  • Never export private keys from HSM (use CKA_EXTRACTABLE=False)
  • Use separate slots/partitions for different applications
  • Implement multi-person key ceremony for CA root keys
  • Enable audit logging for all HSM operations
  • Implement HSM backup and disaster recovery
  • Use strong PINs and enable SO (Security Officer) PIN

Validation Criteria

  • SoftHSM2 initializes with token and user PIN
  • AES key generates inside HSM
  • RSA key pair generates inside HSM
  • Encryption/decryption uses HSM-resident keys
  • Signing/verification uses HSM-resident keys
  • Keys cannot be exported (non-extractable)
  • Key listing shows all HSM-stored objects