A Hardware Security Module (HSM) is a physical device that can be installed on a network to derive cryptographic keys used to protect sensitive data. You can configure the Utimaco Atalla HSM to store the master secrets used when deriving cryptographic keys requested from the Key Server of the OpenText™ Data Privacy and Protection (DPP) Appliance. These keys are used by, or on behalf of, DPP clients to protect and access sensitive data. Cryptographic keys derived from the master secrets are also used to protect sensitive data in the Management Console.
In addition to the Utimaco Atalla HSM, the Appliance also supports Entrust nShield HSMs, but not both at the same time.
Atalla HSMs use a system image and configuration files designed specifically to work with the Appliance. After installing and configuring the Atalla HSMs, you configure the Appliances in your system to communicate with the HSMs. When communication is established, use the Management Console to create an Atalla HSM district.
Creating an Atalla HSM district initiates requests to create master secrets for the supported cryptographic algorithms, including FPE, FFX, AES, IBE BF and IBE BB1. Each request to create a master secret is sent to the HSM via the Atalla HSM Connector. The Atalla Key Block (AKB) responses returned by the HSM contain the secrets encrypted under the Atalla HSM Master File Key (MFK). The Appliance stores these secrets only in this encrypted form; the MFK itself never leaves the HSM.
When requests for keys are sent to the Key Server, it retrieves the encrypted secrets and any required public parameters from the Appliance. The key requests are then sent to the Atalla HSM via the Atalla HSM Connector. The HSM responses are returned to the Atalla HSM Connector, which routes them back to the Key Server from which the request originated.
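The following is an added example, not code from OpenText or Utimaco, that simulates the trust boundary described above: master secrets are generated inside the HSM and leave it only wrapped under the MFK, the Appliance stores nothing but those wrapped blocks, and every key derivation is routed from the Key Server through the connector to the HSM, which unwraps and derives. The wrapping format (HMAC-SHA256 counter-mode keystream plus an HMAC tag) and the HKDF-SHA256 derivation are stand-ins chosen for this illustration, not the real Atalla Key Block format or the DPP derivation scheme; the class and function names are likewise assumptions.

```python
import hashlib
import hmac
import os
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher (assumption)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract, then expand)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]


class SimulatedAtallaHSM:
    """Holds the MFK. Master secrets are created here and only ever leave wrapped."""
    TAG_LEN = 32
    NONCE_LEN = 16

    def __init__(self, mfk: bytes):
        # Separate wrap/MAC keys derived from the MFK; the MFK is never exposed.
        self._enc_key = hashlib.sha256(b"wrap-enc" + mfk).digest()
        self._mac_key = hashlib.sha256(b"wrap-mac" + mfk).digest()

    def create_master_secret(self, algorithm: str) -> bytes:
        """District-creation request: returns a wrapped key block, never the secret."""
        return self._wrap(algorithm.encode(), os.urandom(32))

    def derive_key(self, block: bytes, identity: bytes, purpose: bytes) -> bytes:
        """Key request: verify and unwrap the block, then derive inside the HSM."""
        header, secret = self._unwrap(block)
        return _hkdf_sha256(secret, salt=header, info=identity + b"|" + purpose)

    def _wrap(self, header: bytes, secret: bytes) -> bytes:
        nonce = os.urandom(self.NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(secret, _keystream(self._enc_key, nonce, len(secret))))
        body = struct.pack(">H", len(header)) + header + nonce + ct
        return body + hmac.new(self._mac_key, body, hashlib.sha256).digest()

    def _unwrap(self, block: bytes):
        body, tag = block[:-self.TAG_LEN], block[-self.TAG_LEN:]
        expected = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("key block integrity check failed")
        hlen = struct.unpack(">H", body[:2])[0]
        header = body[2:2 + hlen]
        nonce = body[2 + hlen:2 + hlen + self.NONCE_LEN]
        ct = body[2 + hlen + self.NONCE_LEN:]
        secret = bytes(a ^ b for a, b in zip(ct, _keystream(self._enc_key, nonce, len(ct))))
        return header, secret


class Appliance:
    """Stores only MFK-wrapped secrets, keyed by algorithm (a simulated district)."""
    def __init__(self):
        self.wrapped_secrets = {}


class AtallaHSMConnector:
    """Routes requests to the HSM and responses back to the caller."""
    def __init__(self, hsm: SimulatedAtallaHSM):
        self._hsm = hsm

    def send_create(self, algorithm: str) -> bytes:
        return self._hsm.create_master_secret(algorithm)

    def send_derive(self, block: bytes, identity: bytes, purpose: bytes) -> bytes:
        return self._hsm.derive_key(block, identity, purpose)


class KeyServer:
    """Fetches the wrapped secret from the Appliance and asks the HSM to derive."""
    def __init__(self, appliance: Appliance, connector: AtallaHSMConnector):
        self._appliance, self._connector = appliance, connector

    def request_key(self, algorithm: str, identity: str, purpose: str) -> bytes:
        block = self._appliance.wrapped_secrets[algorithm]
        return self._connector.send_derive(block, identity.encode(), purpose.encode())


def create_district(appliance, connector, algorithms=("FPE", "FFX", "AES", "IBE BF", "IBE BB1")):
    for alg in algorithms:
        appliance.wrapped_secrets[alg] = connector.send_create(alg)


def build_demo(mfk: bytes):
    hsm = SimulatedAtallaHSM(mfk)
    connector = AtallaHSMConnector(hsm)
    appliance = Appliance()
    create_district(appliance, connector)
    return appliance, KeyServer(appliance, connector)


def tamper_is_rejected(appliance, key_server, algorithm="AES") -> bool:
    """Flip one bit of the stored block; the HSM must refuse to derive from it."""
    block = appliance.wrapped_secrets[algorithm]
    appliance.wrapped_secrets[algorithm] = block[:-1] + bytes([block[-1] ^ 1])
    try:
        key_server.request_key(algorithm, "user@example.com", "protect")
        return False
    except ValueError:
        return True
    finally:
        appliance.wrapped_secrets[algorithm] = block


if __name__ == "__main__":
    appliance, ks = build_demo(os.urandom(32))          # constructed MFK for the demo
    k = ks.request_key("AES", "alice@example.com", "protect")
    print("derived key:", k.hex())
    print("tampered block rejected:", tamper_is_rejected(appliance, ks))
```

Two points the simulation makes visible: the Appliance's store never contains a plaintext master secret, so compromising the Appliance alone yields only MFK-wrapped blocks, and the integrity tag on each block means a modified block is rejected rather than silently producing a different key.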