Hardware Security Modules with Cryptographic Security Platform Vault for Secrets

HSMs can be enabled or disabled for each Cryptographic Security Platform Vault for Secrets.

Important: HSMs must be enabled in the Cryptographic Security Platform Vault Management webGUI before they can be used in the Cryptographic Security Platform Vault for Secrets.

When enabled: 

  • A KEK (key encryption key) is created on the HSM for each box. KEKs are non-exportable and never leave the HSM.

  • A corresponding DEK (data encryption key) is created by the HSM and wrapped by the KEK.

  • Secret values are encrypted and decrypted with this DEK.

  • A DEK cache timeout can be specified. While it has not expired, the unwrapped DEK is held in memory and reused for secret operations instead of being unwrapped by the HSM on every request; once it expires, the next operation has the HSM unwrap the DEK again. A longer timeout saves HSM round trips at the cost of keeping the plaintext DEK in the Vault's memory for longer.
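The four steps above (KEK per box inside the HSM, DEK generated and wrapped by that KEK, secrets encrypted with the DEK, unwrapped DEK cached for a timeout), as an added Go example. It is not the product's code or API: the HSM is a constructed in-process stand-in (a real module performs wrap and unwrap behind its own interface and the KEK bytes are never visible to the caller), AES-256-GCM is used both to wrap the DEK under the KEK and to encrypt secret values, and the names HSM, Vault, Provision, EnableHSM, EncryptSecret, DecryptSecret and the box identifiers are assumptions made for illustration. The Unwraps counter makes the DEK cache observable: a second operation inside the timeout does not go back to the HSM, one after it does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: nothing sensible to do but abort
	}
	return b
}

// gcm builds AES-256-GCM; every key here is a fresh 32-byte randomBytes key, so the
// constructor errors are unreachable and not checked.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal/open prefix the nonce to the ciphertext; aad binds a blob to its context
// (the box name for wrapped DEKs, nil for secret values).
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short (%d bytes)", len(blob))
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// HSM is a constructed in-process stand-in for the hardware module: KEKs are
// created inside it and only wrap/unwrap is exposed, so KEK bytes never leave it.
type HSM struct {
	keks    map[string][]byte
	Unwraps int // unwrap requests served; shows when the DEK cache saved a round trip
}

// Provision creates the box's non-exportable KEK, generates a DEK inside the
// HSM and returns that DEK only in wrapped form.
func (h *HSM) Provision(box string) (wrappedDEK []byte) {
	h.keks[box] = randomBytes(32)
	return seal(h.keks[box], randomBytes(32), []byte(box))
}

// UnwrapDEK recovers a DEK; it fails for a tampered blob or one wrapped for another box.
func (h *HSM) UnwrapDEK(box string, wrapped []byte) ([]byte, error) {
	kek, ok := h.keks[box]
	if !ok {
		return nil, fmt.Errorf("no KEK for box %q", box)
	}
	h.Unwraps++
	return open(kek, wrapped, []byte(box))
}

// Vault persists only wrapped DEKs; an unwrapped DEK is cached until cacheTTL elapses.
type Vault struct {
	hsm            *HSM
	cacheTTL       time.Duration
	now            func() time.Time // injectable clock so expiry can be exercised in tests
	wrapped, cache map[string][]byte
	expires        map[string]time.Time
}

func NewVault(cacheTTL time.Duration) *Vault {
	return &Vault{hsm: &HSM{keks: map[string][]byte{}}, cacheTTL: cacheTTL, now: time.Now,
		wrapped: map[string][]byte{}, cache: map[string][]byte{}, expires: map[string]time.Time{}}
}

// EnableHSM runs the "when enabled" steps for one box.
func (v *Vault) EnableHSM(box string) { v.wrapped[box] = v.hsm.Provision(box) }

// dek serves the DEK from cache while it is fresh, otherwise has the HSM unwrap it again.
func (v *Vault) dek(box string) ([]byte, error) {
	if d, ok := v.cache[box]; ok && v.now().Before(v.expires[box]) {
		return d, nil
	}
	d, err := v.hsm.UnwrapDEK(box, v.wrapped[box])
	if err != nil {
		return nil, err
	}
	v.cache[box], v.expires[box] = d, v.now().Add(v.cacheTTL)
	return d, nil
}

// Secret values are encrypted and decrypted with the box's DEK, never with the KEK.
func (v *Vault) EncryptSecret(box string, value []byte) ([]byte, error) {
	d, err := v.dek(box)
	if err != nil {
		return nil, err
	}
	return seal(d, value, nil), nil
}
func (v *Vault) DecryptSecret(box string, ct []byte) ([]byte, error) {
	d, err := v.dek(box)
	if err != nil {
		return nil, err
	}
	return open(d, ct, nil)
}

func main() {
	v := NewVault(5 * time.Minute)
	v.EnableHSM("box-a")
	ct, _ := v.EncryptSecret("box-a", []byte("db-password")) // constructed sample secret
	pt, _ := v.DecryptSecret("box-a", ct)
	fmt.Printf("%q recovered; HSM unwraps: %d (decrypt used the cached DEK)\n", pt, v.hsm.Unwraps)
}
```

Three things the example makes concrete: the Vault never holds a KEK, only the wrapped DEK blob it persists and the plaintext DEK it caches; binding the box name as GCM additional data means a wrapped DEK copied from one box cannot be unwrapped under another box's KEK, and any tampering with the blob is rejected; and the cache timeout is the trade-off between HSM round trips and how long the plaintext DEK sits in process memory.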