[{"data":1,"prerenderedAt":79},["ShallowReactive",2],{"$kqlJS1itLxekl":3},{"code":4,"status":5,"result":6},200,"OK",{"blocks":7,"objectives":66,"title":73,"subheading":74,"intro":75,"related":76,"browser":77,"description":78},[8,14,20,24,29,33,37,41,46,50,54,58,62],{"content":9,"id":11,"isHidden":12,"type":13},{"text":10},"\u003Cp>Hardware security tokens specifically address the possibility that a malicious actor could obtain a copy of a legitimate owner’s private key and use it to sign \u003Ca href=\"/learning/malware/what-is-malware\">malware\u003C/a>. As the private key had been issued by a trusted\u003Ca href=\"/learning/ssl/what-is-a-certificate-authority\"> Certificate Authority\u003C/a>, this would allow malware to easily go undetected for a potentially long stretch of time and cause a huge amount of damage. Hardware security tokens generate an internal private key that is stored on a secure onboard chip, making it non-exportable. The token performs signing operations internally, which means there’s no file to steal, copy, or leak.\u003C/p>\u003Cp>Hardware tokens are the current signature delivery mechanism of choice for Certificate Authorities \u003Ca href=\"/ssl-certificates/code-signing\">issuing code-signing certificates\u003C/a>. CAs ship pre-configured tokens with private keys on board, making the process of signing easy and foolproof.\u003C/p>","01886138-933a-4f53-b1d1-0177d684c3d6",false,"text",{"content":15,"id":18,"isHidden":12,"type":19},{"level":16,"text":17},"h2","Hardware Security Token vs. HSM","269a685a-d7a6-46d9-b5b1-efe7f5e830a7","heading",{"content":21,"id":23,"isHidden":12,"type":13},{"text":22},"\u003Cp>HSM stands for Hardware Security Module, which is a related but distinct form factor:\u003C/p>","640b41ea-9d74-46ce-a558-14de792bccd3",{"content":25,"id":27,"isHidden":12,"type":28},{"text":26},"\u003Ctable width=\"100%\" border=\"0\" cellspacing=\"2\" cellpadding=\"5\">\n  \u003Ctbody>\n    \u003Ctr>\n      \u003Cth bgcolor=\"#EBEBEB\" scope=\"col\">&nbsp;\u003C/th>\n      \u003Cth bgcolor=\"#EBEBEB\" scope=\"col\">Hardware Security Token\u003C/th>\n      \u003Cth bgcolor=\"#EBEBEB\" scope=\"col\">Hardware Security Module (HSM)\u003C/th>\n    \u003C/tr>\n    \u003Ctr>\n      \u003Cth bgcolor=\"#EBEBEB\" scope=\"row\">Form Factor\u003C/th>\n      \u003Ctd>Smart card or USB dongle\u003C/td>\n      \u003Ctd>Rack-mounted appliance or cloud service\u003C/td>\n    \u003C/tr>\n    \u003Ctr>\n      \u003Cth bgcolor=\"#EBEBEB\" scope=\"row\">Use Case\u003C/th>\n      \u003Ctd>Small developers\u003C/td>\n      \u003Ctd>Enterprises, CAs, institutions\u003C/td>\n    \u003C/tr>\n    \u003Ctr>\n      \u003Cth bgcolor=\"#EBEBEB\" scope=\"row\">Price\u003C/th>\n      \u003Ctd>Low\u003C/td>\n      \u003Ctd>Organisation name\u003C/td>\n    \u003C/tr>\n    \u003Ctr>\n      \u003Cth bgcolor=\"#EBEBEB\" scope=\"row\">Example\u003C/th>\n      \u003Ctd>SafeNet, Gemalto 5100/5110\u003C/td>\n      \u003Ctd>Azure Key Vault\u003C/td>\n    \u003C/tr>\n  \u003C/tbody>\n\u003C/table>","a63754ca-8af6-47a7-8e77-c8d7cc1dc4dc","html",{"content":30,"id":32,"isHidden":12,"type":13},{"text":31},"\u003Cp>The key difference between a Hardware Security Module and a Hardware Security Token is in scale: both otherwise serve the same purpose and satisfy the same compliance standards.\u003C/p>","45c73f32-0cf5-47ef-9fd6-4396117a2c6b",{"content":34,"id":36,"isHidden":12,"type":19},{"level":16,"text":35},"Why is Hardware Storage Necessary?","2aea28a6-d17f-4875-aed1-f77cbee8271c",{"content":38,"id":40,"isHidden":12,"type":13},{"text":39},"\u003Cp>Hardware key storage became a hard requirement as of June 2023, when the CA/Browser Forum enacted a new code-signing standardisation. While \u003Ca href=\"/verokey/ev-code-signing-certificate\">EV code signing certificates\u003C/a> did have this requirement in place before, \u003Ca href=\"/verokey/secure-code-signing-certificate\">OV code signing certificates\u003C/a> could be issued as downloadable files, meaning the private key was stored as an executable on the developer’s machine.\u003C/p>\u003Cp>Now, all code signing certificates must have their private keys stored on hardware certified to one of the following standards:\u003C/p>","c8609ed5-a20a-454a-b590-71848f35345f",{"content":42,"id":44,"isHidden":12,"type":45},{"text":43},"\u003Cul>\u003Cli>\u003Cp>FIPS 140-2 Level 2 by NIST\u003C/p>\u003C/li>\u003Cli>\u003Cp>Common Criteria EAL 4+, which is an international security evaluation framework\u003C/p>\u003C/li>\u003C/ul>","8a06aa4b-bba8-4832-8ac6-2a921fd4f083","list",{"content":47,"id":49,"isHidden":12,"type":13},{"text":48},"\u003Cp>These standards outline the minimum requirements for randomness generation, key storage, and resistance to physical tampering.\u003C/p>","e38bffd6-e6fb-45a1-9b7e-ed347a4f3d9c",{"content":51,"id":53,"isHidden":12,"type":19},{"level":16,"text":52},"Azure Key Vault as an Alternative to HSMs","f5958249-bb8d-4834-bfdc-f70e6f2ae0c5",{"content":55,"id":57,"isHidden":12,"type":13},{"text":56},"\u003Cp>Cloud services can serve the same function as dedicated rack-mounted HSMs do, with \u003Ca href=\"/help/setup-guides/code-signing-on-azure-key-vault-with-signtool\">Azure Key Vault\u003C/a> as an example. For companies operating within the Microsoft Azure ecosystem, this is a viable alternative to purchasing and maintaining a bespoke appliance.\u003Cbr>Azure Key Vault comes in Standard and Premium tiers, with the latter offering options to generate and store keys on dedicated HSM hardware. The signing workflow also integrates with Azure’s APIs, programmatically triggering signing operations without the key leaving Azure’s hardware context.\u003C/p>\u003Cp>The main downside to relying on Azure Key Vault is operational: developers are dependent on cloud connectivity and must operate within Microsoft’s platform, with ongoing subscription costs.\u003C/p>","b19c528b-517a-4ba1-a686-70e0b513cc2c",{"content":59,"id":61,"isHidden":12,"type":19},{"level":16,"text":60},"To Summarize","4128b5e9-377f-4eb4-881b-f8ef5849b912",{"content":63,"id":65,"isHidden":12,"type":13},{"text":64},"\u003Cp>A hardware security token is a tamper-resistant device that stores an issued cryptographic private key, making it easy to use and impossible to extract. All code signing certificates (both OV and EV) now necessitate dedicated FIPS 140-2 Level 2 or Common Criteria EAL 4+ compliant hardware, eliminating the risk of private key theft via file access. Physical USB tokens, rack-mounted HSMs, and cloud-based equivalents can be used to meet these requirements, depending on the user’s scale of operations and cost expectations.\u003C/p>","1c4df3ac-8563-47f2-8ba9-83f41886b719",[67,69,71],{"text":68},"Explain what a hardware security token is",{"text":70},"Distinguish between a hardware security token, and a Hardware Security Module",{"text":72},"Understand why hardware storage is a prerequisite","What are Hardware Security Tokens (HSM)","A Comprehensive Explanation","A hardware security token is a physical device that generates, stores, and leverages cryptographic keys in tamper-resistant hardware, ensuring that keys cannot be extracted from the device in a usable form.",[],"","Hardware Security Modules (HSMs) protect your private keys. Learn how FIPS-compliant physical and cloud HSMs secure your code signing process and why they are now required.",1776830403203]