how it works
Hardware Security Module
Like any application which uses private keys, there is always the issue on how to securely store sensitive private key material. The CipherMail gateway stores all settings, including keys and certificates, in a database.
To make sure that private keys can never be copied, even with full physical access, a Hardware Security Module (HSM) can be used.
An HSM is basically a big smart card. It generates private keys directly on the device and stores the private keys on tamperproof hardware. An HSM also provides additional security functionality like for example a built-in secure random generator.
For FIPS 140 level 2 and up, an HSM is required because FIPS 140-2 requires physical security mechanisms.
HSMs from the following vendors are supported:
- Thales (formerly Safenet)
S/MIME and PGP support
S/MIME private keys and PGP secret keys can be HSM protected.
The DKIM module can use the HSM for secure DKIM signing.