The integration of Cosmian KMS and u.trust GP HSM is performed via a PKCS#11 interface. Multiple instances of KMS servers may be connected via this interface to the same CryptoServer.
The integration offers the possibility to:
-
Create operating keys in the KMS wrapped (encrypted) by master keys stored in the HSM. At rest, master keys in the HSM are protected by certified hardware, while the operating keys in the KMS in the KMS database are stored encrypted by the master keys. At runtime, when an encryption or decryption request is processed by the KMS, the KMS will first request the HSM to unwrap the operating key and then perform data operation using the operating key. The latter key is kept in the KMS memory for the subsequent requests.
-
Perform various KMIP operations (see chapter 4) on the HSM, directly via the KMS KMIP interface.