>
    Strata Copilot
    Secure Keys with a Hardware Security Module
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Certificate Management
    4. Secure Keys with a Hardware Security Module
    Download PDF
    Next-Generation Firewall

    Secure Keys with a Hardware Security Module

    Table of Contents

    Secure Keys with a Hardware Security Module

    You can use hardware security modules to store and generate digital keys and encrypt master keys.
    Where Can I Use This?What Do I Need?
    NGFW (Managed by PAN-OS or Panorama)
    • No prerequisites needed
    A hardware security module (HSM) is a physical device that securely generates, stores, and manages cryptographic keys. HSMs provide both logical and physical protection of cryptographic materials against unauthorized use and tampering. Cryptographic operations (for example, certificate signing) occur exclusively inside the device, at the request of a trusted application or entity. This protection helps organizations comply with strict industry and security requirements, such as the Payment Card Industry Data Security Standard (PCI DSS) or Federal Information Processing Standards (FIPS).
    You can store and generate private keys for TLS decryption on an HSM integrated with a Next-Generation Firewall (NGFW) or Panorama. Private keys stored on these HSMs are encrypted using a master key. The NGFW or Panorama acts as a client, establishing a secure TLS connection with an external HSM server. The HSM client requests a cryptographic operation, and the HSM server performs the operation internally. The result is then sent to the HSM client. This process ensures private keys are never exposed.
    Palo Alto Networks NGFWs integrate with the following vendors:
    • SafeNet Network
    • Thales CipherTrust Manager
    • Entrust nShield
    For enhanced security, you can also store a master key on an HSM instead of the NGFW.
    To secure keys with an HSM, you need to set up connectivity between your NGFW and the HSM server, register the NGFW as an HSM client with the HSM server, then configure the HSM settings to encrypt master keys and store private keys, and any additional steps specific to the HSM product.

    Set Up Connectivity with an HSM (PAN-OS)

    Learn how to set up a secure connection between your NGFW and a hardware security module supported by Palo Alto Networks.
    HSM clients are integrated with PA-3200 Series, PA-3400 Series, PA-5200 Series, PA-5400 Series, PA-7000 Series, PA-7500 Series, and VM-Series firewalls and with the Panorama management server (both virtual and M-Series appliances) for use with the following HSM vendors:
    • Entrust nShield—The supported client versions depend on the PAN-OS release:
      • PAN-OS 11.0 and 11.1 support client version 12.40.2 (backward compatible up to client version 11.50 for older appliances).
      • PAN-OS 9.1, 9.0, and 8.1 support client version 12.30.
      • PAN-OS 8.0 and earlier releases support client version 11.62.
    • SafeNet Network—The supported client versions depend on the PAN-OS release:
      • PAN-OS 11.0 and 11.1 support client versions 5.4.2 and 7.2.
      • PAN-OS 9.1 and 9.0 support client versions 5.4.2 and 6.3.
      • PAN-OS 8.1 supports client versions 5.4.2 and 6.2.2.
      • PAN-OS 8.0.2 and later PAN-OS 8.0 releases (also PAN-OS 7.1.10 and later PAN-OS 7.1 releases) support client versions 5.2.1, 5.4.2, and 6.2.2.
    • Thales CipherTrust Manager—The supported client versions depend on the PAN-OS release:
      • PAN-OS 11.1 supports client version 8.14.1.
    The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.
    Downgrading HSM servers might not be an option after you upgrade them.
    (SafeNet Network prerequisite) On the firewall or Panorama, use the following procedure to select the SafeNet Network client version that is compatible with your SafeNet HSM server.
    • Install the SafeNet Client RPM Packet Manager.
      1. Select DeviceSetupHSM and Select HSM Client Version (Hardware Security Operations settings).
      2. Select Version 5.4.2 (default) or 7.2 as appropriate for your HSM server version.
      3. Click OK.
      4. (Required only if you change the HSM version on the firewall) If the version change succeeds, the firewall prompts you to reboot to change to the new HSM version. If prompted, click Yes.
      5. If the master key isn’t on the firewall, the client version upgrade will fail. Close the message and make the master key local to the firewall:
        • Edit the Hardware Security Module Provider and disable (clear) the Master Key Secured by HSM option.
        • Click OK.
        • Select DeviceMaster Key and Diagnostics to edit the Master Key.
        • Enter the Current Master Key; you can then enter that same key to be the New Master Key and then Confirm New Master Key.
        • Click OK.
        • Repeat the first four steps to Select HSM Client Version and reboot again.

    © 2026 Palo Alto Networks, Inc. All rights reserved.