Secure Keys with a Hardware Security Module
You can use hardware security modules to store and generate digital keys and encrypt
master keys.
A hardware security module (HSM) is a physical device that manages digital keys. An HSM
provides secure storage and generation of digital keys. They provide both logical and
physical protection of these materials from unauthorized use and potential adversaries.
This protection is why HSMs are used by organizations that need to meet Payment Card
Industry Data Security Standard (PCI DSS) requirements or other compliance
requirements.
HSM clients integrated with Palo Alto Networks firewalls and Panorama provide enhanced
security for the private keys used in SSL/TLS decryption (both SSL Forward Proxy and SSL
Inbound Inspection). HSMs also support
encrypting master keys stored on an
HSM. This provides additional protection.Using an HSM to encrypt master keys ensures that all keys that
depend on the master key are protected
The following HSM vendors integrate with Palo Alto Networks firewalls:
To secure keys with an HSM, you need to
set up connectivity between your NGFW
and the HSM server, register the NGFW as an HSM client with the HSM server, configure
the NGFW to use the HSM to encrypt master keys and store private keys, and any
additional steps specific to the HSM product.