Hardware Security Modules with KeyControl PASM Vault
HSMs can be enabled or disabled for each KeyControl PASM Vault.
Important: HSMs must be enabled in the KeyControl Vault Appliance Management webGUI before they can be used in the KeyControl PASM Vault.
When enabled:
- A KEK (key encryption key) is created on the HSM for each box. KEKs are non-exportable and never leave the HSM.
- A corresponding DEK (data encryption key) is created by the HSM and wrapped (encrypted) by that box's KEK, so the DEK can only be recovered by asking the HSM to unwrap it.
- Secret values are encrypted and decrypted with this DEK, not directly with the HSM-resident KEK.
- A DEK cache timeout can be specified so that the unwrapped DEK is held in memory for that period instead of being unwrapped by the HSM on every secret operation. A longer timeout means fewer HSM round trips but a longer window during which the plaintext DEK is resident in the vault.
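The key hierarchy described above, modelled as an added Python example. This is not KeyControl's code: the `seal`/`unseal` routines are an HMAC-SHA256 stand-in for whatever wrapping algorithm the real HSM uses, and the class names, box names (`prod-db`, `ci`), the 300-second timeout and the fake clock are assumptions made here so the example runs offline and deterministically.

```python
import hashlib, hmac, os, time
from typing import Callable, Dict, Tuple

# Authenticated-encryption stand-in, constructed for this example: HMAC-SHA256
# keystream plus encrypt-then-MAC tag, so the model runs on the standard library.
# A real HSM would use AES key wrap or AES-GCM; the KEK -> DEK -> secret
# hierarchy and the DEK cache are the point here, not the cipher.
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag"""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class ModelHsm:
    """HSM side: one KEK per box, held here and never returned; only wrap/unwrap results leave."""
    def __init__(self) -> None:
        self._keks: Dict[str, bytes] = {}
        self.unwrap_calls = 0  # HSM round trips, for the cache demonstration

    def create_kek(self, box_id: str) -> None:
        self._keks[box_id] = os.urandom(32)

    def generate_wrapped_dek(self, box_id: str) -> Tuple[bytes, bytes]:
        dek = os.urandom(32)  # created inside the HSM, returned with its KEK-wrapped form
        return dek, seal(self._keks[box_id], dek)

    def unwrap_dek(self, box_id: str, wrapped: bytes) -> bytes:
        self.unwrap_calls += 1
        return unseal(self._keks[box_id], wrapped)

class ModelVault:
    """Vault side: persists wrapped DEKs and sealed secrets, caches unwrapped DEKs for a timeout."""
    def __init__(self, hsm: ModelHsm, dek_cache_timeout: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.hsm, self.timeout, self.clock = hsm, dek_cache_timeout, clock
        self.wrapped_deks: Dict[str, bytes] = {}
        self.secrets: Dict[Tuple[str, str], bytes] = {}
        self._dek_cache: Dict[str, Tuple[bytes, float]] = {}  # box -> (dek, expiry)

    def create_box(self, box_id: str) -> None:
        self.hsm.create_kek(box_id)
        _dek, wrapped = self.hsm.generate_wrapped_dek(box_id)
        self.wrapped_deks[box_id] = wrapped  # only the wrapped DEK is persisted

    def _dek(self, box_id: str) -> bytes:
        cached = self._dek_cache.get(box_id)
        if cached and self.clock() < cached[1]:
            return cached[0]  # cache hit: no HSM round trip
        dek = self.hsm.unwrap_dek(box_id, self.wrapped_deks[box_id])
        self._dek_cache[box_id] = (dek, self.clock() + self.timeout)
        return dek

    def put_secret(self, box_id: str, name: str, value: bytes) -> None:
        self.secrets[(box_id, name)] = seal(self._dek(box_id), value)

    def get_secret(self, box_id: str, name: str) -> bytes:
        return unseal(self._dek(box_id), self.secrets[(box_id, name)])

def demo() -> dict:
    """Exercise the hierarchy with a fake clock so the timeout behaviour is deterministic."""
    now = [0.0]
    hsm = ModelHsm()
    vault = ModelVault(hsm, dek_cache_timeout=300, clock=lambda: now[0])
    vault.create_box("prod-db")
    vault.create_box("ci")
    vault.put_secret("prod-db", "password", b"correct horse battery staple")  # unwrap 1
    now[0] += 60
    vault.get_secret("prod-db", "password")  # inside the 300 s window: served from cache
    unwraps_within = hsm.unwrap_calls
    now[0] += 300
    value = vault.get_secret("prod-db", "password")  # cache expired: unwrap 2
    unwraps_after = hsm.unwrap_calls
    try:  # per-box keys: the "ci" DEK cannot open a "prod-db" secret
        unseal(hsm.unwrap_dek("ci", vault.wrapped_deks["ci"]), vault.secrets[("prod-db", "password")])
        isolated = False
    except ValueError:
        isolated = True
    return {"value": value, "unwraps_within_timeout": unwraps_within,
            "unwraps_after_timeout": unwraps_after, "boxes_isolated": isolated}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two effects the bullets describe: reads inside the cache window cost no HSM call, the first read after expiry forces a fresh unwrap, and a DEK belonging to one box fails authentication against another box's secret because every box has its own KEK and DEK. The plaintext DEK exists only in `ModelVault._dek_cache`, which is exactly the memory the cache timeout bounds.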