Home Solutions Data Security and Security Operations Encryption & Key Management Thales HSM (Hardware Security Module)
Encryption & Key Management

Thales HSM (Hardware Security Module)

They are devices with high reliability developed to securely store cryptographic keys in a secure environment. They ensure the security of cryptographic keys to securely manage and process cryptographic operations within organizations. These d

Thales HSM (Hardware Security Module)
About Solution

Thales HSM (Hardware Security Module)

Thales HSM (Hardware Security Module) is a physical, high-security hardware appliance designed for enterprises, financial institutions, and governments to generate, store, and manage their most critical digital keys (encryption keys, digital signatures, certificates).

Keeping encryption keys on standard servers or in software environments poses a major risk against cyberattacks. Thales HSM protects these keys inside a fully isolated, tamper-proof physical vault (cryptographic vault) that can self-destruct if tampered with.

The Thales HSM family consists of three main product lines, each optimized for different use cases and technical needs. The use cases and distinctive features of the Luna, ProtectServer, and Payment (payShield) models are as follows:

Thales Luna HSM (General Purpose and Cloud-Compatible)

This is Thales’s flagship General Purpose HSM model. It is designed for standard enterprise security needs such as data encryption, digital signatures, PKI (Public Key Infrastructure), SSL/TLS offloading, and identity management.

  • Hardware Partitioning: A single device can be divided into more than 100 isolated cryptographic vaults, allowing it to be leased to different departments or customers (multi-tenancy).
  • High Speed: High-performance models are available that can perform tens of thousands of cryptographic operations per second.
  • Form Factors: Offers Luna Network HSM (network type) for data centers, Luna PCIe HSM that plugs directly into a server, and Luna Cloud HSM for cloud-based hybrid architectures.

Thales ProtectServer HSM (Custom Code Execution Capability)

Beyond being a general-purpose HSM, ProtectServer is a specialized model that allows organizations to run their own custom cryptographic algorithms or sensitive software code directly within the HSM’s secure hardware boundary.

  • FM (Functionality Modules) Support: Beyond standard encryption algorithms (AES, RSA, etc.), if your organization has a custom-developed encryption algorithm or business logic, that code is embedded inside the HSM. The code runs within FIPS 140-2 Level 3 protected hardware and cannot be extracted.
  • Flexible Software Development: Offers comprehensive SDKs for developers. Especially preferred in smart card projects, custom passport/ID production systems, and military/government projects requiring a high degree of customization.
  • Network and PCIe Options: Like Luna, ProtectServer can be deployed as a Network appliance or as an in-server PCIe card.

Thales Payment HSM / payShield (Payment Systems)

This is a Transaction/Payment HSM model built specifically for the finance and banking sector, securing a very large share of the world’s credit card and ATM transactions. In the industry it is known as Thales payShield (currently the payShield 10K series).

  • Financial Regulatory Compliance: In addition to general-purpose HSM certifications, it holds the PCI-HSM certification, the strict standard of the payment industry.
  • Payment-Focused Functions: Directly supports, in hardware, ATM PIN verification, credit card chip (EMV) generation and verification, mobile payment tokenization such as Apple Pay / Google Pay, and interbank clearing processes.
  • High-Volume Transaction Power: Fully optimized for financial messaging protocols so that it can process banks’ instantaneous, thousands-strong card payment requests with low latency.

Talk to us about this solution

Reach out for licensing, architecture and technical requirements.