Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Hardware security modules

In addition to private keys stored on disk, Keyless SSL supports keys stored in a Hardware Security Module (HSM) via the PKCS#11 standard. Keyless uses PKCS#11 for signing and decrypting payloads without having direct access to the private keys.

​​ Why use Keyless SSL with an HSM?

Hardware Security Modules (HSMs) facilitate a higher level of protection for your private keys over storing them directly on your key server. The primary responsibility of an HSM is safeguarding private keys and performing operations such as signing or encryption internally. In addition to access control, that means the physical device must offer some degree of tamper-resistance in order to be compliant with government or industry regulations such as FIPS 140.

Moreover, many HSMs are also capable of generating keys and producing cryptographically secure randomness. Some are purpose-built to perform cryptographic computations more efficiently.

​​ Communicating using PKCS#11

The key server communicates with HSMs via PKCS#11, so any HSM supporting the standard can be used with Keyless SSL.

​​ Initial configuration

For more details on initializing your PKCS#11 token, refer to Configuration.

​​ Compatibility

We have verified interoperability with the following modules:

We’ve also tested with the following Cloud HSM offerings:

If you have deployed Keyless SSL with an HSM model not listed above, please email with details.