Amazon announced their new CloudHSM service yesterday. This reminded me that I’ve been meaning to write something up about what an HSM is and what’s required for certification.

First off, HSM stands for Hardware Security Module. It’s just a separate device that stores keys and performs cryptographic functions outside of the system(s) it’s connected to. This separation is done in the belief that it’s harder to steal the private keys from the HSM than the general purpose computer(s) it is servicing. The required features are spelled out by FIPS publication 140-2 (FIPS 140-2 PDF specification).

The gist of it is that there are 4 levels of certification, 1 being the lowest (requiring just that an approved cryptographic algorithm or other security function be supported and be built with ‘production grade’ components.) and 4 highest (tamper evident, physical security mechanisms and/or countermeasures like wiping of secrets if the physical enviromnent is out of normal operating ranges).

Well, that doesn’t sound so hard, does it? Let’s take:

• 1 Raspberry pi
• 1 Thermally Conductive Epoxy Potting Compound
• Optoisolators perhaps something like this
• using the SPI on on the pi’s GPIO
• and a DS1820 thermometer on the 1wire.

The software is minimal, sample software is all over the place. (SoftHSM perhaps?)

DIY HSM for ~$60. Instead of the $5000 upfront + $1373/month the CloudHSM runs. It won’t have the lab validation, but may give you some peace of mind if you’re a paranoid on a budget…