OpenSkillIndex← back to search
claude-code

Asi configuring-hsm-for-key-storage

Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea

install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/configuring-hsm-for-key-storage" ~/.claude/skills/plurigrid-asi-configuring-hsm-for-key-storage && rm -rf "$T"
manifest: plugins/asi/skills/configuring-hsm-for-key-storage/SKILL.md
tags
#cryptography#hsm#key-management#pkcs11#hardware-security
source content

Configuring HSM for Key Storage

Overview

Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never leave the device boundary, providing the highest level of key protection. This skill covers configuring HSMs using the PKCS#11 standard interface, including key generation, signing, encryption, and key management using both physical HSMs and SoftHSM2 for development.

When to Use

  • When deploying or configuring configuring hsm for key storage capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with cryptography concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Configure SoftHSM2 as a development PKCS#11 provider
  • Generate and manage keys inside the HSM via PKCS#11
  • Perform cryptographic operations (sign, verify, encrypt, decrypt) using HSM-resident keys
  • Implement HSM-backed certificate authority operations
  • Configure key access policies and user authentication
  • Interface with cloud HSM services (AWS CloudHSM, Azure)

Key Concepts

HSM Compliance Levels

FIPS LevelProtectionUse Case
FIPS 140-2 Level 1Software onlyDevelopment
FIPS 140-2 Level 2Tamper-evident, role-based authGeneral production
FIPS 140-2 Level 3Tamper-resistant, identity-based authFinancial, government
FIPS 140-2 Level 4Physical tamper responseMilitary, classified

PKCS#11 Architecture

Application --> PKCS#11 API --> HSM Provider --> Hardware HSM
                                    |
                              (SoftHSM2 for dev)

Key Objects in PKCS#11

Object TypeDescriptionOperations
CKO_SECRET_KEYSymmetric keys (AES)Encrypt, Decrypt, Wrap
CKO_PUBLIC_KEYPublic keys (RSA, EC)Verify, Encrypt, Wrap
CKO_PRIVATE_KEYPrivate keys (RSA, EC)Sign, Decrypt, Unwrap
CKO_CERTIFICATEX.509 certificatesStorage, retrieval

Security Considerations

  • Never export private keys from HSM (use CKA_EXTRACTABLE=False)
  • Use separate slots/partitions for different applications
  • Implement multi-person key ceremony for CA root keys
  • Enable audit logging for all HSM operations
  • Implement HSM backup and disaster recovery
  • Use strong PINs and enable SO (Security Officer) PIN

Validation Criteria

  • SoftHSM2 initializes with token and user PIN
  • AES key generates inside HSM
  • RSA key pair generates inside HSM
  • Encryption/decryption uses HSM-resident keys
  • Signing/verification uses HSM-resident keys
  • Keys cannot be exported (non-extractable)
  • Key listing shows all HSM-stored objects