Secure Keys with a Hardware Security Module
You can use hardware security modules to store and generate digital keys and encrypt master keys.
A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys, and it protects that key material both logically and physically from unauthorized use and from adversaries. This protection is why HSMs are used by organizations that need to meet Payment Card Industry Data Security Standard (PCI DSS) requirements or other compliance requirements.
HSM clients integrated with Palo Alto Networks firewalls and Panorama provide enhanced security for the private keys used in SSL/TLS decryption (both SSL Forward Proxy and SSL Inbound Inspection). HSMs also support encrypting master keys, which provides additional protection: using an HSM to encrypt the master key ensures that every key that depends on the master key is protected as well.
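The paragraph above describes a key hierarchy: the master key lives inside the HSM, and the keys that depend on it (for example the private keys used for decryption) exist outside the HSM only in wrapped form. The following added example is not Palo Alto Networks code and does not model PAN-OS or any vendor's HSM API; it is a stand-alone illustration with a simulated HSM boundary and a constructed, stdlib-only wrap format (HMAC-SHA256 as a PRF, encrypt-then-MAC) in place of the AES key wrap and PKCS#11 interface a real device would use. What it shows is the architectural point: the master key never crosses the boundary, the appliance stores only wrapped blobs, a different HSM cannot unwrap them, and tampering is rejected.

```python
"""Simulated HSM key hierarchy (added illustration, not vendor code).

Assumptions, all constructed for this example: SimulatedHSM stands in for a
PKCS#11 device, Appliance stands in for the firewall, and the wrap format
(nonce || ciphertext || HMAC tag) stands in for AES key wrap.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode: a toy cipher so the example
    # runs with the standard library only. Real HSMs use AES key wrap.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SimulatedHSM:
    """Holds the master key; exposes only wrap/unwrap, never the key bytes."""

    def __init__(self) -> None:
        self.__master_key = secrets.token_bytes(32)  # never leaves this object
        self.audit_log: list[str] = []

    def _subkeys(self) -> tuple[bytes, bytes]:
        # Separate encryption and MAC keys derived from the master key.
        enc = hmac.new(self.__master_key, b"enc", hashlib.sha256).digest()
        mac = hmac.new(self.__master_key, b"mac", hashlib.sha256).digest()
        return enc, mac

    def wrap(self, label: str, key_material: bytes) -> bytes:
        enc_key, mac_key = self._subkeys()
        nonce = secrets.token_bytes(16)
        stream = _keystream(enc_key, nonce, len(key_material))
        ct = bytes(a ^ b for a, b in zip(key_material, stream))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        self.audit_log.append(f"wrap {label}")
        return nonce + ct + tag

    def unwrap(self, label: str, blob: bytes) -> bytes:
        enc_key, mac_key = self._subkeys()
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.audit_log.append(f"unwrap {label}: REJECTED")
            raise ValueError("wrapped key failed integrity check")
        self.audit_log.append(f"unwrap {label}")
        stream = _keystream(enc_key, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, stream))


class Appliance:
    """Firewall side: persists only wrapped keys and needs the HSM to use them."""

    def __init__(self, hsm: SimulatedHSM) -> None:
        self.hsm = hsm
        self.wrapped: dict[str, bytes] = {}  # what a disk image or backup holds

    def generate_key(self, label: str) -> None:
        plaintext = secrets.token_bytes(32)  # e.g. a decryption cert's private key
        self.wrapped[label] = self.hsm.wrap(label, plaintext)

    def use_key(self, label: str) -> bytes:
        return self.hsm.unwrap(label, self.wrapped[label])


def demo() -> dict:
    """Exercise the hierarchy and report the properties a defender cares about."""
    hsm = SimulatedHSM()
    fw = Appliance(hsm)
    fw.generate_key("ssl-inbound-inspection")
    k1 = fw.use_key("ssl-inbound-inspection")
    k2 = fw.use_key("ssl-inbound-inspection")

    # A stolen disk image yields only the wrapped blob, not the key itself.
    stolen = fw.wrapped["ssl-inbound-inspection"]

    # A different HSM (different master key) cannot unwrap the blob.
    try:
        SimulatedHSM().unwrap("ssl-inbound-inspection", stolen)
        foreign_unwrap = True
    except ValueError:
        foreign_unwrap = False

    # A modified blob is rejected by the legitimate HSM and shows up in its log.
    tampered = bytearray(stolen)
    tampered[20] ^= 1  # flip a bit inside the ciphertext region
    try:
        hsm.unwrap("ssl-inbound-inspection", bytes(tampered))
        tamper_accepted = True
    except ValueError:
        tamper_accepted = False

    return {
        "stable": k1 == k2,
        "plaintext_on_disk": k1 in stolen,
        "foreign_unwrap": foreign_unwrap,
        "tamper_accepted": tamper_accepted,
        "audit": hsm.audit_log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `audit_log` is there deliberately: a real HSM records every wrap/unwrap request, and unexpected or rejected unwraps are the signal that a wrapped-key blob has been copied or modified, which is something to forward to the SIEM alongside the firewall's own logs.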
The following HSM vendors integrate with Palo Alto Networks firewalls:
  • SafeNet Network
  • Thales CipherTrust Manager
  • Entrust nShield
To secure keys with an HSM, you set up connectivity between your NGFW and the HSM server, register the NGFW as an HSM client with the HSM server, configure the NGFW to use the HSM to encrypt master keys and store private keys, and complete any additional steps specific to the HSM product.