
Hardware Security Module Configuration

A hardware security module (HSM) is a security device that securely generates and stores encryption keys and performs cryptographic operations including encryption, decryption, hashing and random number generation. Using the HSM drastically increases the security of the IDMS because the encryption keys are stored separately and securely, and encryption and decryption transactions are performed on the HSM device.

Note: If the IDMS is not configured to use the HSM, it will use the software-based encryption keys for cryptographic functions.

Considerations when using the HSM

HSM Key Backup and Availability

It is important to realize that once the IDMS is configured to use the HSM, the HSM key that is used to secure the data (see section, Generating the IDMS secret key) must be managed and backed up in accordance with the HSM vendor’s guidance.

Warning: If the HSM key is lost or the HSM is not available, the IDMS data that was secured with this key can no longer be accessed.

IDMS is dependent on the HSM

Once the IDMS is configured to use the HSM, the HSM must be available for the IDMS to operate. If the HSM is not available or is slow to respond, the IDMS will not be able to perform its necessary security functions and will not operate properly.

Credentials and Data Migration

If the IDMS was operating previously without the HSM, the credentials and user data will need to be encrypted with the HSM keys. See the section, HSM Data Migration Steps.

Using IDMS without an HSM

The IDMS will only use the HSM once the HSM has been configured (see section, Configure the IDMS Application to connect to HSM). If the HSM is not configured, the IDMS will operate with the software-based encryption keys.
