OVHcloud Shared HSM

What's an HSM?

A Hardware Security Module (HSM) is a dedicated, tamper-resistant hardware appliance designed to securely store, manage, and use sensitive cryptographic keys. They are commonly used in high-security or regulated environments, such as finance, government, and healthcare, where data protection is paramount. By providing a secure, certified and isolated environment for sensitive data, HSMs help prevent unauthorized access, tampering, and data breaches while allowing your infrastructure to be compliant with the highest compliance requirements.

OVHcloud HSM offers

OVHcloud is introducing a range of HSM offers to cater to different customer needs. Our HSM offerings include:

• Shared HSM: A mutualized, fully managed by OVHcloud HSM solution.
• Managed HSM: A dedicated HSM partition with high availability managed by OVHcloud
• Dedicated HSM: A dedicated HSM appliance for customers with the highest compliance requirement 

Discover OVHcloud Shared HSM

With OVHcloud Shared HSM, you can store cryptographic keys created on the OVHcloud Key Management System (KMS) on a mutualized HSM fully managed by OVHcloud. Keys stored on the HSM will have the same behavior as those stored on the Software Security Module (SSM), but with an additional layer of security.

Key Benefits:

• Chose the primary location of your cryptographic keys and benefits of integrated replication system of the OVHcloud KMS 
• Use your keys on compatible OVHcloud products or with your own data
• Define fine-grained control with the native IAM integration
• Have real-time and historical audit logs through OVHcloud Logs Data Platform.

Simplified Management:
Without the need to manage the HSM itself, you can ensure data replication and redundancy. Our pricing model is based on the number of keys stored on the Shared HSM per month, with no hidden costs or key request fees.

The roadmap for OVHcloud KMS is available on GitHub: https://github.com/orgs/ovh/projects/16/views/11

HSM Vendor Selection

At OVHcloud, we prioritize sovereignty by partnering exclusively with European vendors that meet the highest security standards, including EAL4+ and FIPS 140-2 level 3 certifications. To ensure maximum flexibility and control, we've designed our system and infrastructure to be vendor-agnostic.
For the initial deployment of our Shared HSM offer, we've selected Thales Luna HSM as our partner in the first regions to be rolled out. 

How does it work?

Seamless Integration with HSM-Stored Keys

To provide a consistent experience for both HSM-stored and SSM-stored cryptographic keys, the OVHcloud KMS automatically routes requests to the relevant backend. For HSM-stored keys, the OVHcloud KMS directs cryptographic operations to an HSM Gateway, a dedicated component that translates API requests into the HSM vendor-specific API.

Simplified HSM Management

The HSM Gateway enables us to abstract the complexity of managing the HSM, allowing us to remain completely vendor-agnostic. This means that you can use our standard REST API for HSM-stored keys, without worrying about the underlying HSM vendor or technology.
That's also the component that will assure the replication across all the HSM from the selected region, and generate backup.

What’s next on the roadmap?

Upcoming features:

• Managed HSM: Dedicated HSM partition, with the High Availability managed by OVHcloud
• Dedicated HSM: Dedicated appliance for highest compliance requirements

Subscribe now!

Stay informed about the next OVHcloud Shared HSM releases: