© 2025 Direct Cursus Technology L.L.C.
Yandex Key Management Service


Hardware security module (HSM)

Written by
Yandex Cloud
Updated at March 31, 2025
  • HSM in Key Management Service
    • HSM operating procedure
    • Enabling the HSM for a key
  • Use cases

A hardware security module (HSM) is a specialized computing device that is designed to perform cryptographic operations with a high level of security.

Traditionally, HSMs are used where encryption must provide a level of protection at which the cost and complexity of a successful attack restrict the pool of realistic attackers to a small number of highly skilled, well-resourced individuals.

HSM in Key Management Service

The HSMs used in Yandex Cloud are special-purpose hardened physical servers supplied by CRYPTO-PRO LLC, a manufacturer of information encryption tools.

This hardware implements a set of measures that protect cryptographic material throughout its life cycle, including:

  • Trusted operating system.
  • Tamper-proof housing.
  • Protection from power supply voltage and ambient temperature fluctuations.
  • Robust random number generators.
  • Protection against human error (minimized chance of hardware misconfiguration).
  • Trusted operating system bootup.

HSM operating procedure

In Key Management Service, you can create a symmetric encryption key for which every cryptographic operation is performed only inside the HSM. The HSM also generates the key itself. The user's key is stored in the Key Management Service database only in encrypted form: the HSM encrypts it with its master key, and the master key never leaves the HSM.

For every cryptographic operation, the encrypted symmetric key is transmitted to the HSM. The HSM performs all operations with the user key strictly internally and returns only the result of the operation to Key Management Service; the decrypted user key is never returned.

A cryptographic operation using the HSM includes the following steps:

  1. Key Management Service reads the user key, in encrypted form, from its database.
  2. The encrypted key is forwarded to the HSM together with the user data.
  3. The HSM decrypts the user key using the HSM master key.
  4. The HSM performs the cryptographic operation on the user data using the decrypted key.
  5. The HSM destroys the decrypted user key.
  6. The result of the operation is returned to Key Management Service and then to the user.
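The six steps above, modelled as an added Go example. This is not Yandex Cloud's or CRYPTO-PRO's code (neither the HSM firmware nor the Key Management Service backend is published); it is a self-contained model of the key-wrapping flow the page describes. It assumes AES-256-GCM for both the master-key wrapping and the user-key operation and binds the key ID into the wrap as associated data; both are this example's own choices, since the page does not state which wrapping construction the HSM uses. The `HSM` type is the only holder of the master key, `KMS` stores nothing but wrapped blobs, and the plaintext user key is zeroed (via Go 1.21+ `clear`) before any result leaves the HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// mustRandom returns n random bytes; a failing CSPRNG is treated as fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a modified blob or a different aad is rejected.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// HSM models the module: its master key exists only inside this struct, and a
// user key leaves it only wrapped (encrypted) under that master key.
type HSM struct{ master []byte }

func NewHSM() *HSM { return &HSM{master: mustRandom(32)} } // AES-256 master key

// GenerateWrappedKey creates the user key inside the HSM and returns it only wrapped;
// the key ID is bound as AAD, so the blob is useless under another key's identity.
func (h *HSM) GenerateWrappedKey(keyID string) ([]byte, error) {
	userKey := mustRandom(32)
	defer clear(userKey) // step 5 for the freshly generated key (Go 1.21+ clear)
	return seal(h.master, userKey, []byte(keyID))
}

// Use unwraps the key (step 3), runs one operation on it (step 4) and destroys
// the plaintext key before the result leaves the HSM (step 5).
func (h *HSM) Use(keyID string, wrapped []byte, op func(userKey []byte) ([]byte, error)) ([]byte, error) {
	userKey, err := open(h.master, wrapped, []byte(keyID))
	if err != nil {
		return nil, fmt.Errorf("HSM refused wrapped key %q: %w", keyID, err)
	}
	defer clear(userKey)
	return op(userKey)
}

// KMS models the service database: it holds only wrapped keys (step 1) and
// forwards them with the user data to the HSM (step 2).
type KMS struct {
	hsm  *HSM
	keys map[string][]byte // key ID -> wrapped blob; never a plaintext key
}

func NewKMS() *KMS { return &KMS{hsm: NewHSM(), keys: map[string][]byte{}} }

func (k *KMS) CreateKey(id string) (err error) {
	k.keys[id], err = k.hsm.GenerateWrappedKey(id)
	return err
}

// Encrypt and Decrypt never see the user key; only the result returns (step 6).
// An unknown ID yields a nil blob, which the HSM rejects on unwrap.
func (k *KMS) Encrypt(id string, plaintext, aad []byte) ([]byte, error) {
	return k.hsm.Use(id, k.keys[id], func(uk []byte) ([]byte, error) { return seal(uk, plaintext, aad) })
}

func (k *KMS) Decrypt(id string, ciphertext, aad []byte) ([]byte, error) {
	return k.hsm.Use(id, k.keys[id], func(uk []byte) ([]byte, error) { return open(uk, ciphertext, aad) })
}
```

What the model makes checkable is the invariant the page states: the only thing `KMS` ever stores is 60 bytes of nonce, ciphertext and tag, which decrypts nothing without the master key that never leaves `HSM`, and a wrapped blob that has been altered, or moved under a different key ID, is refused at unwrap time rather than silently producing garbage.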

Enabling the HSM for a key

To use the HSM, select the AES-256 HSM algorithm when creating a symmetric key. All operations with that key are then performed inside the HSM, and no additional configuration is required.

Use cases

  • Managing KMS keys with Hashicorp Terraform
  • Auto Unseal in Hashicorp Vault
  • Secure password transmission to an initialization script
