# Virtual HSM

{% hint style="info" %}
This documentation is a work in progress and subject to updates and revisions. Keep an eye out for version changes and new additions to ensure you have the latest information.
{% endhint %}

## Introduction

Hardware Security Modules (HSMs) have emerged as indispensable components in safeguarding sensitive data and cryptographic operations. These dedicated hardware devices provide a highly secure environment for generating, storing, and managing cryptographic keys. As the digital landscape becomes increasingly complex and exposed to cyber threats, the need for robust HSM solutions has grown sharply.

While HSMs offer numerous advantages, including physical security, access controls, and performance enhancements, they also present unique challenges, particularly in the context of cloud computing. One of the primary limitations of HSMs is their reliance on physical hardware, which can make it difficult to migrate them to cloud environments.

Unlike software-based security solutions that can be easily moved to the cloud, HSMs require specialized hardware that is typically deployed on-premises. This makes it challenging to achieve the same level of flexibility, scalability, and cost-effectiveness that cloud-based solutions often offer.

Moreover, migrating HSMs to the cloud can involve significant technical and logistical challenges. Organizations may need to establish secure connections between their on-premises HSMs and cloud-based systems, ensuring that sensitive data is protected during transit. Additionally, there may be regulatory and compliance considerations to address, as well as potential security risks associated with cloud-based HSM deployments.

## enclaive Virtual HSM

A virtual HSM (vHSM) combines the robust security of hardware-based solutions with the flexibility of confidential virtualization. Virtualization enables seamless integration and migration within complex cloud environments, ensuring scalability, elasticity, high performance, and availability. At the same time, the vHSM employs advanced encryption mechanisms, including 3D encryption (data encrypted in use, at rest, and in transit), to enhance security, ensuring that neither the cloud provider nor any unauthorized entity can access sensitive keys. Essentially, the security architecture of a vHSM mirrors that of a traditional HSM, with the key distinction being that physical hardware security is replaced by encryption and confidential virtualization technologies.

Technically, the vHSM runs enclaive [Vault](https://app.gitbook.com/o/u3yTMU8vRj5QnT6MPkEF/s/ZAOyClhisJhRvjIxLjXP/) and [Nitride](https://app.gitbook.com/o/u3yTMU8vRj5QnT6MPkEF/s/B6wCdvkxdUdtHHcfqQVl/) in [Buckypaper](https://app.gitbook.com/o/u3yTMU8vRj5QnT6MPkEF/s/JCiJp92CK5rDzO9DECIa/) Virtual Machines.

<figure><img src="https://1567785389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGWxadkt9sLLUyKVhuNB7%2Fuploads%2FuRx1Tht2thwDtwvo8XXd%2F1.3.%20%20%20vHSM.png?alt=media&#x26;token=ab1c9e64-5818-422f-b380-8106f879bc6f" alt=""><figcaption></figcaption></figure>

### Features

<table data-view="cards"><thead><tr><th></th></tr></thead><tbody><tr><td>Elastic Secret Provisioning</td></tr><tr><td>Identity Management</td></tr><tr><td>Credential-based Access Control</td></tr><tr><td>Multi-cloud support, incl. AWS, Azure and GCP</td></tr><tr><td>3D encrypted: in use, at rest, in transit</td></tr><tr><td>Highly available Raft cluster</td></tr><tr><td>NIST FIPS 203, FIPS 204 and FIPS 205 Post-Quantum Cryptography support</td></tr><tr><td>PKCS#11 HSM integration for secret unsealing and randomness provisioning</td></tr><tr><td>Supports compliance with standards like GDPR, C5, ISO 27001, and NIST 800-53</td></tr></tbody></table>

## Getting started

{% content-ref url="documentation" %}
[documentation](https://docs.enclaive.cloud/virtual-hsm/documentation)
{% endcontent-ref %}

{% content-ref url="tutorials" %}
[tutorials](https://docs.enclaive.cloud/virtual-hsm/tutorials)
{% endcontent-ref %}

## Learn more

<table data-view="cards"><thead><tr><th data-type="content-ref"></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><a href="https://app.gitbook.com/o/u3yTMU8vRj5QnT6MPkEF/s/mzjpiPnGVwTaHdGYte2r/">Enclaive Multi Cloud Platform</a></td><td>Confidential Multi Cloud Platform</td><td></td></tr><tr><td><a href="https://app.gitbook.com/o/u3yTMU8vRj5QnT6MPkEF/s/GWxadkt9sLLUyKVhuNB7/">Virtual HSM</a></td><td>Hardware graded key, identity and workload management</td><td></td></tr><tr><td><a href="https://app.gitbook.com/o/u3yTMU8vRj5QnT6MPkEF/s/ZAOyClhisJhRvjIxLjXP/">Vault</a></td><td>Key, identity and access management</td><td></td></tr><tr><td><a href="https://app.gitbook.com/o/u3yTMU8vRj5QnT6MPkEF/s/B6wCdvkxdUdtHHcfqQVl/">Nitride</a></td><td>Workload identity and access management</td><td></td></tr><tr><td><a href="https://app.gitbook.com/o/u3yTMU8vRj5QnT6MPkEF/s/JCiJp92CK5rDzO9DECIa/">Buckypaper</a></td><td>Confidential Virtualization</td><td></td></tr><tr><td><a href="https://app.gitbook.com/o/u3yTMU8vRj5QnT6MPkEF/s/2TGGyMVhS5NRcNQJhHpN/">Dyneemes</a></td><td>Confidential Kubernetes</td><td></td></tr></tbody></table>
