Skip to main content

HSM Integration Overview

Guide to integrating secure hardware modules with Virifi’s Solution Proposal.

Updated over 8 months ago

1. Introduction

This document provides an overview of how Virifi's Solution Proposal integrates with Hardware Security Modules (HSMs) for secure key management and digital signature operations. The integration ensures that all private keys are generated, stored, and used within tamper-resistant, certified cryptographic modules in line with CBJ regulatory expectations.

Virifi's Solution Proposal is designed to work with a variety of HSMs. The devices referenced herein were used during the Proof-of-Concept (POC) phase.

2. Supported HSM Devices

Virifi's Solution Proposal supports integration with the following certified devices:

  • iShield-HSM (PU-50n)

    • USB-based tamper-proof HSM

    • Supports PKCS#11 and PKCS#15 standards

    • Communicates using OpenSC middleware

  • YubiKey 5 FIPS Series

    • FIPS 140-2 validated hardware authenticator

    • Supports PIV, FIDO2/WebAuthn, OpenPGP protocols

  • SoftHSM (Development Only)

    • Software emulation of PKCS#11 interface

    • Suitable for non-production or CI/CD testing environments

  • Cloud HSMs (Optional)

    • For high-volume, centralized signing operations (e.g., Securosys CloudHSM)

3. Integration Steps

3.1 Device Initialization

  • Install necessary middleware:

    • OpenSC for Swissbit USB HSM (iShield-HSM communication).

    • YubiKey Manager for YubiKey device setup.

  • Configure PKCS#11 libraries on the target OS.

  • Set up PINs and administrative credentials.

3.2 Key Generation

  • Keys can be generated internally on the HSM.

  • Supported algorithms:

    • RSA 2048/3072/4096

    • ML-DSA (FIPS 204 post-quantum signing where supported)

3.3 Software Configuration

  • Integrate PKCS#11 libraries with SDKs and backend services.

  • Configure application-level policies to enforce HSM use for all cryptographic operations.

4. Key Management and Signing Operations

4.1 Key Storage

  • Private keys never leave the HSM.

  • All signing operations are executed internally within the device.

4.2 Signing Operations

  • Signatures can be generated for documents, payloads, or transaction hashes.

  • Operations supported across:

    • XAdES (XML)

    • PAdES (PDF)

    • CAdES (CMS)

    • JAdES (JSON)

4.3 Advanced Features

  • Biometric unlock (available with Android/iOS mobile SDKs).

  • Smartcard-based user authentication (YubiKey PIV applet).

  • Secure key wrapping and remote signing via PKCS#11 sessions.

5. Security Practices

  • Tamper-Resistant Storage: Hardware-backed protection against physical and logical attacks.

  • FIPS 140-2/3 Compliance: Devices used meet mandatory cryptographic certification levels.

  • Mutual TLS (mTLS) Authentication: Certificate-based client authentication during remote API access.

  • Audit Logging: All cryptographic operations involving HSMs are logged for regulatory compliance.

  • Role-Based Access Control: Administrative and user roles strictly separated.

6. Summary

Virifi's Solution Proposal ensures that all critical cryptographic material is securely generated, stored, and utilized via certified HSMs. It is designed to work flexibly with different hardware security modules while maintaining the highest levels of security, auditability, and compliance within CBJ’s digital signature and financial transaction ecosystems.

Related Articles
Compliance Standards Overview
Recommended Hardware & OS Specs
Performance and Scalability Benchmarks
CBJ PKI Trust Service and Certificate Policies
Product Fact Sheets & Getting Started Guides
Did this answer your question?