Frequently Asked Questions (FAQ)

Q: Is NetHSM FIPS or Common Criteria certified?

Not yet but we are aiming for certifications in the future. Please contact us if you are interested in supporting these efforts.

Q: Which protections against physical tampering are in place?

NetHSM is sealed which allows to detect physical tampering. It contains a TPM which is protected against physical tampering. The TPM is the root of trust and securely stores cryptographic keys which are used to encrypt and decrypt further data and keys in the NetHSM. This protects against booting malicious firmware and software and decrypting data and keys being stored. The current NetHSM doesn’t contain additional sensors to detect tampering.

Q: Where can I learn more about NetHMS’s security architecture and implementation?

Start with the chapters Getting Started, Administration and Operations. Proceed with the following resources.

• Overall system design

• Security assessment report

• Full source code

• Physical random number generator (TRNG) of quality PTG.3 according to AIS-20: hardware, firmware

Q: Roadmap: Which features are planned?

Work in progress:

• Direct, dynamic cluster capability, possibly support for external database

• NetHSM as a service offering

We plan the following developments in the loose order. Changes to this prioritization based on customer requests are common.

• cryptographic enhancements: KDF, HMAC, AES GCM

• Quorum: m-of-n access scheme and security domain management

• Post-quantum cryptography (PQC) algorithms such as ML-DSA

• Windows Key Storage Provider (KSP)

• Productive usable software container

• BIP32 key derivation function

• User authentication via mTLS certificates or FIDO

• More user rights management (e.g. additional roles, groups)

• FIPS and/or Common Criteria certifications

• Further separations and hardenings

• Performance improvements

• Remote attestation