[dns-operations] OpenHardware FPGA-based HSM SCA6000 with OpenSSL?

Phil Regnauld regnauld at nsrc.org
Mon Oct 15 14:55:18 UTC 2012

Alexander Gall (gall) writes:
> > But why would a hardware implementation be better than, for instance, SoftHSM?
> A hardware HSM allows you to detect when your keys get stolen
> (provided the hardware does not implement extraction of the keys, of
> course).  In our case, this is the *only* reason we use a HSM at all.

	Does HSM imply tamper-proof ? If so, then yes, otherwise, you could very
	well embed a small Atom device running SoftHSM with a smart card reader
	for key import/export, drown the entire thing in epoxy, package the thing
	in a tamper proof cabinet, and you've got an HSM.

	I think the main idea with doing it with an FPGA is: speed, power
	consumption, reduced size. That makes it easier to audit, easier to
	protect. But arguably this could all be done with a Raspberry Pi as
	well, if you're not in a hurry.


More information about the dns-operations mailing list