
HSM & PQC Operations

Deep dive into Hardware Security Modules: PKCS#11 v3.2 PQC mechanisms, vendor comparison, firmware migration, and FIPS 140-3 validation.

A Hardware Security Module (HSM) is a tamper-resistant physical device that performs cryptographic operations and protects keys within a certified security boundary. The FIPS 140-3 standard defines four security levels:

Level 1

Basic security requirements. Software-only cryptographic module. No physical security mechanisms.

Level 2

Tamper-evidence (seals, coatings). Role-based authentication. Minimum OS requirements.

Level 3

Tamper-resistant. Identity-based authentication. Physical/logical separation of interfaces. Keys zeroed on tamper detection.

Level 4

Tamper-responsive envelope. Environmental failure protection (voltage, temperature). Complete physical penetration protection.

HSM Integration Architecture

Application (TLS Server, CA, Key Manager)
PKCS#11 API (v3.2 with PQC mechanisms)
Provider Library (vendor-specific)
HSM Firmware (PQC algorithm engine)
Hardware Crypto Accelerator + DRBG + Tamper Protection

On-Prem vs Cloud HSM

On-Prem HSMs
  • Thales Luna 7 (Network HSM, FIPS 140-3 L3)
  • Entrust nShield 5 (Network HSM, FIPS 140-3 L3)
  • Utimaco SecurityServer (PCIe, FIPS 140-3 L3)

Full PQC firmware support available today

Cloud HSMs
  • AWS CloudHSM (ML-DSA preview via SDK)
  • Azure Dedicated HSM (Thales backend, upgrade pending)
  • Google Cloud HSM (PQC on roadmap)

Cloud HSMs currently lack firmware-level PQC support


Products shown here are a representative selection, not an exhaustive list.


Learning module content can be inaccurate. Please double-check its information. Report inaccuracies in PQC Today GitHub Discussions.