HSM Hardening
Secubit’s Hardware Security Modules (HSMs) serve as the root of trust for all custody operations, which makes their protection and integrity paramount. Beyond relying on the built-in tamper-resistant design of modern HSMs, Secubit applies a series of hardening techniques to ensure that no critical operation can be bypassed, misused, or subverted.
Hardening begins with customization: Secubit develops its own firmware extension, called Vault, in Rust. By moving key derivation, signing, policy enforcement, PassKey authentication, and Merkle tree management directly inside the HSM, Secubit ensures that no critical logic ever runs in vulnerable external environments.
This is reinforced by strict PKCS#11 key attributes. All external cryptographic permissions are disabled, and every key object is marked as private, preventing enumeration or misuse by compromised servers. The only entity allowed to operate keys is the Vault itself, running inside the secure boundary.
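An added example (not Secubit's code) of checking a dump of key attributes against this lockdown. It assumes that "external cryptographic permissions" corresponds to the standard PKCS#11 usage attributes; the inventory format, labels, and function names are constructed for illustration.

```python
# Added example: audit key objects against the attribute lockdown described above.
# Attribute and class names are standard PKCS#11; the inventory is constructed.

# Usage attributes PKCS#11 defines for each key class.
APPLICABLE = {
    "CKO_SECRET_KEY": ("CKA_ENCRYPT", "CKA_DECRYPT", "CKA_SIGN", "CKA_VERIFY",
                       "CKA_WRAP", "CKA_UNWRAP", "CKA_DERIVE"),
    "CKO_PRIVATE_KEY": ("CKA_DECRYPT", "CKA_SIGN", "CKA_SIGN_RECOVER",
                        "CKA_UNWRAP", "CKA_DERIVE"),
    "CKO_PUBLIC_KEY": ("CKA_ENCRYPT", "CKA_VERIFY", "CKA_VERIFY_RECOVER",
                       "CKA_WRAP", "CKA_DERIVE"),
}


def audit_key(obj):
    """Return findings for one key object; an empty list means compliant."""
    applicable = APPLICABLE.get(obj["class"])
    if applicable is None:
        return [f"unexpected object class {obj['class']}"]
    attrs = obj["attrs"]
    findings = []
    if attrs.get("CKA_PRIVATE") is not True:
        findings.append("CKA_PRIVATE is not TRUE")
    for name in applicable:
        value = attrs.get(name)
        if value is None:
            # Usage-flag defaults are token-specific, so fail closed.
            findings.append(f"{name} not reported")
        elif value:
            findings.append(f"{name} is TRUE")
    return findings


def audit_inventory(inventory):
    """Map label -> findings for every non-compliant object."""
    return {o["label"]: f for o in inventory if (f := audit_key(o))}


def _locked(cls, **overrides):
    """Fully locked-down attribute set for a class, with optional overrides."""
    return {"CKA_PRIVATE": True, **{a: False for a in APPLICABLE[cls]}, **overrides}


# Constructed sample inventory (labels are hypothetical).
_kek = _locked("CKO_SECRET_KEY", CKA_PRIVATE=False)
del _kek["CKA_WRAP"]  # simulate a dump that omits one attribute
SAMPLE = [
    {"label": "wallet-root", "class": "CKO_PRIVATE_KEY", "attrs": _locked("CKO_PRIVATE_KEY")},
    {"label": "legacy-signer", "class": "CKO_PRIVATE_KEY", "attrs": _locked("CKO_PRIVATE_KEY", CKA_SIGN=True)},
    {"label": "wrap-kek", "class": "CKO_SECRET_KEY", "attrs": _kek},
]
```

Calling `audit_inventory(SAMPLE)` reports `legacy-signer` and `wrap-kek` and omits the compliant `wallet-root`.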
Secubit further applies the principle of least privilege by restricting external access to the Crypto User role. Servers can interact with Vault through this constrained account, but cannot generate, delete, or alter keys directly. Administrative operations remain confined to formal ceremonies requiring officer approval.
Finally, code signing controls protect the integrity of the Vault itself. Firmware extensions must be signed by a trusted key inside the HSM, with the Crypto Officer approving the signing ceremony and the Security Officer authorizing the load process. This dual-control model ensures that only verified and audited code is ever deployed.
Together, these measures — secure customization, locked-down key attributes, least-privilege external access, and hardware-enforced code signing — form Secubit’s HSM Hardening strategy. They ensure that the HSM not only protects keys, but also enforces policies and executes all sensitive workflows with maximum assurance, auditability, and resilience against attack.