Secure Keys with a Hardware Security Module
You can use hardware security modules to store and generate digital keys and encrypt
master keys.
| Where Can I Use This? | What Do I Need? |
|---|---|
| NGFW (Managed by PAN-OS or Panorama) | |
A hardware security module (HSM) is a physical device that securely generates, stores,
and manages cryptographic keys. HSMs provide both logical and physical protection of
cryptographic materials against unauthorized use and tampering. Cryptographic operations
(for example, certificate signing) occur exclusively inside the device, at the request
of a trusted application or entity. This protection helps organizations comply with
strict industry and security requirements, such as the Payment Card Industry Data
Security Standard (PCI DSS) or Federal Information Processing Standards (FIPS).
You can store and generate private keys for TLS decryption on an HSM integrated with a
Next-Generation Firewall (NGFW) or Panorama. The NGFW or Panorama acts as an HSM client and
establishes a TLS-protected connection to the external HSM server. The client requests a
cryptographic operation, the HSM server performs the operation internally, and only the
result is returned to the client, so the private key never leaves the HSM. The NGFW's
master key, which protects private keys and other secrets kept on the NGFW itself, can in
turn be secured by the HSM (see below).
Palo Alto Networks NGFWs integrate with the following vendors:
- SafeNet Network
- Thales CipherTrust Manager
- nCipher nShield
For enhanced security, you can also store a master key on an HSM instead
of the NGFW.
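The client/HSM split described above, as an added example that is not PAN-OS, Panorama or HSM vendor code. The `Hsm` and `HsmClient` classes are hypothetical stand-ins: `Hsm` plays the network HSM (key generation, signing and master-key wrapping happen only there), `HsmClient` plays the firewall (it holds public keys and the HSM-wrapped master key, nothing else). Both run in one process so the example works offline; the network transport and the vendor client library are out of scope.

```python
"""Model of the client/HSM trust boundary: which side holds which material.

Added example, not PAN-OS or HSM vendor code. Hsm and HsmClient are
hypothetical stand-ins for the HSM server and the firewall.
"""
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap


class Hsm:
    """Stand-in for the HSM server: keys are generated and used here only."""

    def __init__(self) -> None:
        self._private_keys = {}       # label -> private key, never returned to a caller
        self._kek = os.urandom(32)    # key-encryption key that protects client master keys

    def generate_key_pair(self, label: str) -> bytes:
        """Generate a P-256 key under `label`; hand back only the public half (PEM)."""
        self._private_keys[label] = ec.generate_private_key(ec.SECP256R1())
        return self._private_keys[label].public_key().public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )

    def sign(self, label: str, data: bytes) -> bytes:
        """Run the signing operation inside the HSM; only the signature leaves."""
        return self._private_keys[label].sign(data, ec.ECDSA(hashes.SHA256()))

    def wrap_master_key(self, master_key: bytes) -> bytes:
        """Encrypt a client's master key under the HSM KEK (AES key wrap, RFC 3394)."""
        return aes_key_wrap(self._kek, master_key)

    def unwrap_master_key(self, wrapped: bytes) -> bytes:
        return aes_key_unwrap(self._kek, wrapped)


class HsmClient:
    """Stand-in for the firewall: holds public keys and a wrapped master key only."""

    def __init__(self, hsm: Hsm) -> None:
        self._hsm = hsm
        self.public_keys = {}
        self.wrapped_master_key = None

    def provision_key(self, label: str) -> None:
        self.public_keys[label] = self._hsm.generate_key_pair(label)

    def sign(self, label: str, data: bytes) -> bytes:
        return self._hsm.sign(label, data)

    def verify(self, label: str, data: bytes, signature: bytes) -> bool:
        """Verification needs only the public key, so it can run on the client."""
        public_key = serialization.load_pem_public_key(self.public_keys[label])
        try:
            public_key.verify(signature, data, ec.ECDSA(hashes.SHA256()))
            return True
        except InvalidSignature:
            return False

    def secure_master_key(self, master_key: bytes) -> None:
        """Keep only the HSM-wrapped form locally ("Master Key Secured by HSM")."""
        self.wrapped_master_key = self._hsm.wrap_master_key(master_key)

    def master_key(self) -> bytes:
        """Recover the plaintext master key; this needs the HSM to be reachable."""
        return self._hsm.unwrap_master_key(self.wrapped_master_key)


def demo() -> dict:
    """Exercise the boundary and report what each side can and cannot do."""
    hsm = Hsm()
    client = HsmClient(hsm)
    client.provision_key("tls-decrypt")
    tbs = b"certificate to be signed"      # constructed input
    signature = client.sign("tls-decrypt", tbs)
    master_key = bytes(range(32))          # constructed master key; a real one is random
    client.secure_master_key(master_key)
    return {
        "signature_valid": client.verify("tls-decrypt", tbs, signature),
        "tampered_rejected": not client.verify("tls-decrypt", tbs + b"x", signature),
        "client_holds_plaintext_master_key": client.wrapped_master_key == master_key,
        "master_key_recovered": client.master_key() == master_key,
        "private_key_exportable": hasattr(hsm, "export_private_key"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `master_key()` call is the operational consequence worth noticing: once the master key is HSM-secured, the firewall cannot decrypt its own stored secrets while the HSM is unreachable, which is why the client-version procedures below insist on making the master key local before changing the HSM client.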
To secure keys with an HSM, set up connectivity between your NGFW or Strata Cloud Manager (SCM) and the HSM server,
register the NGFW (or SCM) as an HSM client with the HSM server, configure the HSM
settings to encrypt the master key and store private keys, and complete any additional
steps specific to the HSM product.
Set Up Connectivity with an HSM (PAN-OS)
Learn how to set up a secure connection between your NGFW and a hardware security
module supported by Palo Alto Networks.
HSM clients are integrated with PA-3200 Series, PA-3400 Series, PA-5200 Series,
PA-5400 Series, PA-7000 Series, PA-7500 Series, and
VM-Series firewalls and with the Panorama management server (both virtual and
M-Series appliances) for use with the following HSM vendors:
- nCipher nShield Connect—The supported client versions depend on the PAN-OS release:
  - PAN-OS 11.0 and 11.1 support client version 12.40.2 (backward compatible up to client version 11.50 for older appliances).
  - PAN-OS 9.1, 9.0, and 8.1 support client version 12.30.
  - PAN-OS 8.0 and earlier releases support client version 11.62.
- SafeNet Network—The supported client versions depend on the PAN-OS release:
  - PAN-OS 11.0 and 11.1 support client versions 5.4.2 and 7.2.
  - PAN-OS 9.1 and 9.0 support client versions 5.4.2 and 6.3.
  - PAN-OS 8.1 supports client versions 5.4.2 and 6.2.2.
  - PAN-OS 8.0.2 and later PAN-OS 8.0 releases (also PAN-OS 7.1.10 and later PAN-OS 7.1 releases) support client versions 5.2.1, 5.4.2, and 6.2.2.
- Thales CipherTrust Manager—The supported client versions depend on the PAN-OS release:
  - PAN-OS 11.1 supports client version 8.14.1.
The HSM server version must be compatible with these client versions. Refer to
the HSM vendor documentation for the client-server version compatibility
matrix.
Downgrading HSM servers might not be an option after you
upgrade them.
- Set Up Connectivity with a SafeNet Network HSM
- Set Up Connectivity with an nCipher nShield Connect HSM
- Set Up Connectivity with a Thales CipherTrust Manager HSM
(SafeNet Network prerequisite) On the firewall or Panorama, use the
following procedure to select the SafeNet Network client version that is compatible
with your SafeNet HSM server.
- Install the SafeNet client RPM package.
- Select Device > Setup > HSM and Select HSM Client Version (Hardware Security Operations settings).
- Select Version 5.4.2 (default) or 7.2, as appropriate for your HSM server version.
- Click OK.
- (Required only if you change the HSM version on the firewall) If the version change succeeds, the firewall prompts you to reboot to change to the new HSM version. If prompted, click Yes.
  If the master key isn't on the firewall, the client version upgrade fails. Close the message and make the master key local to the firewall:
  - Edit the Hardware Security Module Provider and disable (clear) the Master Key Secured by HSM option.
  - Click OK.
  - Select Device > Master Key and Diagnostics to edit the Master Key.
  - Enter the Current Master Key; you can then enter that same key as the New Master Key and Confirm New Master Key.
  - Click OK.
  - Repeat the first four steps to Select HSM Client Version and reboot again.
  While Master Key Secured by HSM is cleared, the master key is protected only by the firewall itself; re-enable the option once the client version change is complete.
Set Up Connectivity with an HSM (SCM)
Learn how to set up a secure connection between your Strata Cloud Manager service and a hardware security module supported by Palo Alto Networks.
HSM clients are integrated with Strata Cloud Manager (SCM) for use with the following HSM vendors:
- nCipher nShield Connect—The supported client version is 13.6.3.
- SafeNet Luna—The supported client versions are 5.4.2 and 7.2.0.
- Thales CipherTrust Manager—The supported client version is 8.14.1.
The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.
Downgrading HSM servers might not be an option after you upgrade them.
- Select Configuration > NGFW and Prisma Access > Device > Device Setup > Management.
- In the Hardware Security Module box, select Customize.
- Under Provider Configured, select one of the three HSM vendors.
- Enter the HSM server information.
SafeNet Luna HSM
- Select + and enter the Module Name followed by an IPv4 address for the Server Address.
- (HA only) Select High Availability,
specify the Auto Recovery Retry value (maximum
number of times the HSM client tries to recover its connection to an HSM
server before failing over to an HSM HA peer server; range is 0 to 500;
default is 0), and enter a High Availability Group
Name. If you configure two or more HSM servers, the best practice is to enable High Availability; otherwise, SCM does not use the additional HSM servers.
- Once you have entered all the HSM servers, select Save.
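The Auto Recovery Retry and High Availability settings above decide the order in which the client tries its configured servers. The following is an added model of that behaviour, not SCM or PAN-OS code: `connect_with_failover`, `HsmServer`, `make_flaky_connector` and the server records are hypothetical, and the addresses are constructed. It shows that each server gets one initial attempt plus the configured number of recovery attempts before the client moves to the next HA peer, and that with High Availability disabled the extra servers are never tried.

```python
"""Model of Auto Recovery Retry and HSM HA failover order.

Added example, not SCM or PAN-OS code. All names and addresses are
hypothetical; the connector stands in for the network.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

AUTO_RECOVERY_RETRY_MAX = 500   # documented range is 0 to 500, default 0


@dataclass(frozen=True)
class HsmServer:
    module_name: str
    server_address: str


def connect_with_failover(
    servers: List[HsmServer],
    auto_recovery_retry: int,
    high_availability: bool,
    try_connect: Callable[[HsmServer], bool],
) -> Tuple[HsmServer, List[str]]:
    """Return the server that accepted the connection and the attempt log.

    A server gets one initial attempt plus auto_recovery_retry recovery
    attempts before the client fails over to the next HA peer. With HA
    disabled only the first configured server is used, which is why
    additional servers are wasted unless High Availability is enabled.
    """
    if not 0 <= auto_recovery_retry <= AUTO_RECOVERY_RETRY_MAX:
        raise ValueError(f"Auto Recovery Retry must be 0..{AUTO_RECOVERY_RETRY_MAX}")
    if not servers:
        raise ValueError("no HSM server configured")
    candidates = servers if high_availability else servers[:1]
    attempts: List[str] = []
    for server in candidates:
        for attempt in range(auto_recovery_retry + 1):
            attempts.append(f"{server.module_name}#{attempt}")
            if try_connect(server):
                return server, attempts
    raise ConnectionError("no HSM server reachable after: " + ", ".join(attempts))


def make_flaky_connector(reachable: Dict[str, bool], fail_first: int):
    """Constructed network stand-in: a reachable server answers only after
    fail_first failed attempts; an unreachable one never answers."""
    counts: Dict[str, int] = {}

    def try_connect(server: HsmServer) -> bool:
        counts[server.module_name] = counts.get(server.module_name, 0) + 1
        return reachable.get(server.module_name, False) and counts[server.module_name] > fail_first

    return try_connect


def demo() -> dict:
    """Three scenarios for a two-member HA group (constructed addresses)."""
    luna1 = HsmServer("luna-1", "10.0.0.11")
    luna2 = HsmServer("luna-2", "10.0.0.12")
    group = [luna1, luna2]
    results = {}

    # Default retry of 0 with luna-1 down: immediate failover to the peer.
    chosen, log = connect_with_failover(
        group, 0, True, make_flaky_connector({"luna-2": True}, 0))
    results["immediate_failover"] = (chosen.module_name, log)

    # Retry of 2 with luna-1 recovering after two failures: no failover needed.
    chosen, log = connect_with_failover(
        group, 2, True, make_flaky_connector({"luna-1": True, "luna-2": True}, 2))
    results["recovered_on_retry"] = (chosen.module_name, log)

    # HA disabled: luna-2 is configured but never tried.
    try:
        connect_with_failover(group, 1, False, make_flaky_connector({"luna-2": True}, 0))
        results["ha_disabled_error"] = None
    except ConnectionError as exc:
        results["ha_disabled_error"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```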
nCipher nShield Connect
- Select + and enter the Module Name followed by an IPv4 address for the Server Address.
- Enter an IPv4 address for the Remote Filesystem Address.
- Once you have entered all the HSM servers, select Save.
Thales CipherTrust Manager HSM
- Enter the Module Name followed by an IPv4 address for the Server Address.
- Select Save.
Once the HSM settings are saved, the Hardware Security Module box displays the provider and server of your HSM.