Hardware Security Modules with KeyControl Vault for Secrets

HSMs can be enabled or disabled for each KeyControl Vault for Secrets.

Important: HSMs must be enabled in the KeyControl Vault Management webGUI before they can be used in the KeyControl Vault for Secrets.

When enabled: 

• A KEK (key encryption key) is created on the HSM for each box. KEKs are non-exportable and never leave the HSM.

• A corresponding DEK (data encryption key) is created by the HSM and wrapped by the KEK.

• Secret values are encrypted and decrypted with this DEK.

• A DEK cache timeout can be specified to cache it for a specific period of time.