Restrict External Access to Crypto User
As explained in HSM Roles, the HSM enforces role segregation, where each role has different privileges aligned with its responsibilities. By default, the ability to call the cryptographic API in a PKCS#11-compliant HSM is tied to the Crypto Officer role (sometimes called Normal User). However, Crypto Officers have broader capabilities, such as generating new keys, creating objects, or removing existing ones, in addition to performing cryptographic operations.
In Secubit’s architecture, the principle of least privilege is strictly applied. The Secubit server never needs to generate or destroy raw cryptographic objects; it only needs to interact with the Vault API to manage wallets, enforce policies, and sign transactions. For this reason, Secubit restricts external access to the Crypto User role instead of the higher-privilege Crypto Officer.
This means that the Secubit server can establish a session and request operations through the Vault, but it cannot create, delete, or alter cryptographic keys at the PKCS#11 layer. The only entity with the authority to use keys is the Vault code running inside the HSM, which enforces policies and validates approvals. Even if the server is compromised, the attacker would not gain the ability to manipulate keys or bypass Vault rules, since Crypto User access does not provide such privileges.
By limiting external access to the Crypto User role, Secubit ensures that administrative and destructive operations remain strictly under the control of HSM officers during formal ceremonies, while day-to-day server interactions are constrained to the minimal rights required. This design significantly reduces the attack surface while preserving operational functionality.