HSM
Overview
The Hardware Security Module (HSM) offers an additional layer of security for encrypting data. While AES is preferred for its balance of security and performance, HSM encryption is available in the Vortex Crypto API for scenarios that require hardware-based security features. The API supports direct encryption with the HSM using either a specific version (hsmv1) or an alias (hsm) for the latest implementation.
Using HSM for Encryption
Encrypting with hsmv1
For users who require specific control over the encryption method, hsmv1 allows for encryption directly against a dedicated Hardware Security Module. This method ensures that data encryption processes are executed within a physically secure environment.
Using the hsm Alias
The hsm alias points to the most current version of the HSM encryption algorithm implemented by the API. This ensures that your encryption is always up to date with the latest hardware security standards.
Encrypting Encoded Data with HSM
Similar to AES, when working with non-UTF8 text, specifying the encoding ensures the data is correctly encrypted by the HSM.
Using Your Own Key
For specific encryption needs, the API allows for the use of a custom HSM key. This key must be pre-configured and recognized by the system.
POST /dispatch HTTP/1.1
Host: localhost:9200
Request-ID: MY REQUEST ID
Authorization: Bearer TOKEN
Content-Type: application/json

{
  "dispatch": {
    "operation": "encrypt",
    "method": "hsmv1"
  },
  "payload": "my test data"
}
POST /dispatch HTTP/1.1
Host: localhost:9200
Request-ID: MY REQUEST ID
Authorization: Bearer TOKEN
Content-Type: application/json

{
  "dispatch": {
    "operation": "encrypt",
    "method": "hsm"
  },
  "payload": "my test data"
}
This alias is provided to point to the latest HSM algorithm implemented.
POST /dispatch HTTP/1.1
Host: localhost:9200
Request-ID: MY REQUEST ID
Authorization: Bearer TOKEN
Content-Type: application/json

{
  "dispatch": {
    "operation": "encrypt",
    "method": "hsm",
    "encoding": "base64"
  },
  "payload": "bXkgdGVzdCBkYXRh"
}
When encrypting non-UTF8 text, you can specify the encoding that you have used.
POST /dispatch HTTP/1.1
Host: localhost:9200
Request-ID: MY REQUEST ID
Authorization: Bearer TOKEN
Content-Type: application/json

{
  "dispatch": {
    "operation": "encrypt",
    "method": "hsm",
    "keyAlias": "MY KEY HERE"
  },
  "payload": "my test data"
}
In some instances, you may have a specific HSM key that you wish to be used for your data. You can specify it using the keyAlias parameter. This key must be pre-configured in the CRYPTO_CONFIG table.
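The four requests above can be produced by one client-side builder. The following is an added example, not code from the Vortex Crypto API or its documentation; the function names, the http scheme, and the use of a UUID for Request-ID are assumptions, and the request is built but not sent.

```python
import base64
import json
import urllib.request
import uuid

# Host, path and field names are taken from the requests on this page.
DISPATCH_URL = "http://localhost:9200/dispatch"  # http scheme is an assumption
HSM_METHODS = {"hsm", "hsmv1"}  # moving alias and pinned version


def build_encrypt_body(data, method="hsm", key_alias=None):
    """Return the JSON body (as a dict) for an HSM encrypt dispatch."""
    if method not in HSM_METHODS:
        raise ValueError(f"unsupported HSM method: {method!r}")
    dispatch = {"operation": "encrypt", "method": method}
    try:
        # Valid UTF-8 is sent unchanged, as in the plain-text requests.
        payload = data.decode("utf-8")
    except UnicodeDecodeError:
        # Non-UTF8 bytes are base64-encoded and declared in "encoding".
        payload = base64.b64encode(data).decode("ascii")
        dispatch["encoding"] = "base64"
    if key_alias is not None:
        # The alias must already exist in CRYPTO_CONFIG; not checked here.
        dispatch["keyAlias"] = key_alias
    return {"dispatch": dispatch, "payload": payload}


def build_request(token, data, method="hsm", key_alias=None, request_id=None):
    """Build (but do not send) the POST /dispatch request."""
    body = build_encrypt_body(data, method, key_alias)
    headers = {
        "Request-ID": request_id or str(uuid.uuid4()),  # UUID is an assumption
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(
        DISPATCH_URL, data=json.dumps(body).encode("utf-8"),
        headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed sample inputs: one UTF-8 string, one binary blob.
    for sample in (b"my test data", b"\xff\xfe"):
        req = build_request("TOKEN", sample, method="hsmv1")
        print(req.get_method(), req.full_url, req.data.decode())
```

Passing method="hsmv1" keeps the request on a fixed version, while the default "hsm" follows whatever version the alias currently points to.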
