Protect private keys with a Hardware Security Module

Integrate the CipherMail Email Encryption Gateway with a Hardware Security Module (HSM).

how it works

Hardware Security Module

Like any application which uses private keys, there is always the issue on how to securely store sensitive private key material. The CipherMail gateway stores all settings, including keys and certificates, in a database.

To make sure that private keys can never be copied, even with full physical access, a Hardware Security Module (HSM) can be used.

An HSM is basically a big smart card. It generates private keys directly on the device and stores the private keys on tamperproof hardware. An HSM also provides additional security functionality like for example a built-in secure random generator.

For FIPS 140 level 2 and up, an HSM is required because FIPS 140-2 requires physical security mechanisms.

CipherMail Gateway with HSM

HSM support

HSMs from the following vendors are supported:

  • nCipher
  • Thales (formerly Safenet)
  • Utimaco
  • Securosys

S/MIME and PGP support

S/MIME private keys and PGP secret keys can be HSM protected.


The DKIM module can use the HSM for secure DKIM signing.

EDI@Energy support

EDI@Energy required algorithms are supported