Protect private keys with a Hardware Security Module

Integrate the CipherMail Email Encryption Gateway with a Hardware Security Module (HSM).

How it works

Hardware Security Module

As with any system that uses private keys, secure storage of sensitive key material is essential. The CipherMail Gateway stores all settings, including keys and certificates, in a database.

To prevent private keys from ever being copied, even with full physical access to the server, you can use a Hardware Security Module (HSM). An HSM is a tamper‑resistant device that generates private keys on the device and keeps them stored in protected hardware. It also provides additional security features such as a built‑in secure random number generator.

For environments requiring FIPS 140 Level 2 or higher, an HSM is necessary because these standards mandate physical security controls.

CipherMail Gateway with HSM
Features

HSM support

HSMs from the following vendors are supported:

  • nCipher
  • Thales (formerly Safenet)
  • Utimaco
  • Securosys

S/MIME and PGP support

S/MIME private keys and PGP secret keys can be protected by the HSM.

DKIM

The DKIM module can use the HSM for secure DKIM signing.

EDI@Energy support

The algorithms required by EDI@Energy are supported.