<img alt="" src="https://secure.weed6tape.com/193471.png" style="display:none;">
Try Securosys CloudHSM for free. Start your 90-days-trial now

Get started

About
About
Learn more about our mission, explore career opportunities, and access our resources. Discover how we’re shaping the future of cybersecurity and how you can be part of it.
Contact us
  • There are no suggestions because the search field is empty.

Challenge

Organizations increasingly rely on cloud services to store and process sensitive data, but many face strict regulatory, compliance, and sovereignty requirements that demand greater control over encryption keys. While cloud providers offer native key management services, some organizations require cryptographic keys to remain under their own governance and outside the cloud provider's direct control.

Solution

Securosys enables organizations to use AWS, Azure and Salesforce cloud services while keeping cryptographic keys securely stored in Securosys Primus HSM or CloudHSM.

At the core of this architecture is the Securosys Proxy, a secure bridge between the cloud provider's key management services and your dedicated HSM environment. The proxy allows AWS, Azure or Salesforce to request cryptographic operations without ever having access to the underlying key material.

Unlike Bring Your Own Key (BYOK), where keys are imported into a cloud-managed key service, external key management keeps key material under customer control at all times. Cryptographic objects are generated, stored, and governed within your Securosys HSM environment, while cloud services securely communicate with the HSM through the Securosys Proxy.

Organizations retain the ability to revoke the cloud provider's access to their encryption keys at any time by disconnecting the Securosys Proxy or the connection to the HSM environment, ensuring continued control over key access and governance.

This approach helps organizations meet regulatory, compliance, and data sovereignty requirements while continuing to benefit from cloud-native services. Whether deployed on-premises or in the cloud, Securosys HSMs remain the sole location where cryptographic keys are stored and used.

Supported Cloud Platforms

AWS External Key Store (XKS)

AWS External Key Store (XKS) enables AWS Key Management Service (KMS) to use cryptographic keys stored outside AWS. The Securosys XKS Proxy acts as the communication layer between AWS KMS and your Securosys Primus HSM or CloudHSM, enabling AWS services to perform cryptographic operations while key material remains under your control.

Organizations can revoke AWS's ability to perform new cryptographic operations at any time by disconnecting the Securosys XKS Proxy or the connection to the HSM, ensuring continued control over key access and governance.

Deployed as a Docker container within your AWS cloud or on-premises environment, the Securosys XKS Proxy securely forwards requests between AWS KMS and your HSM without accessing cryptographic data. This enables organizations to use AWS services while maintaining key sovereignty and supporting stringent compliance requirements.

Get Started

Azure external key management in Managed HSM

Azure external key management enables organizations to use customer-controlled cryptographic keys outside the Azure environment while integrating with Azure Key Vault Managed HSM.

When an external key operation is required, Azure Managed HSM communicates with the Securosys External Key Management (EKM) Proxy. The proxy securely forwards the request to a Securosys CloudHSM partition or an on-premises Securosys Primus HSM, where the cryptographic operation is performed. Azure workloads continue to use customer-managed keys through Azure Key Vault Managed HSM, while key material and governance remain under your control.

Delivered as an easy-to-deploy Docker container, the Securosys EKM Proxy can be deployed within Azure or in a customer-controlled environment, either on-premises or in the cloud. It securely connects Azure Managed HSM to your Securosys Primus HSM or CloudHSM using mutual TLS (mTLS), without exposing cryptographic key material.

This model strengthens data sovereignty by separating encrypted Azure workloads from the external cryptographic authority required to access them.

Organizations can also revoke Azure's ability to perform new cryptographic operations at any time by disconnecting the Securosys EKM Proxy or the connection to the HSM, ensuring continued control over key access and governance.

Salesforce Cache-Only Key Service

Salesforce Cache-Only Key Service extends Salesforce Shield Platform Encryption by allowing organizations to use encryption keys managed in Securosys Primus HSM or CloudHSM while benefiting from high performance and reliable cloud operations.

The Securosys Cache-Only Key Proxy securely connects Salesforce to your Securosys HSM environment, where Data Encryption Keys (DEKs) are generated and managed. Retrieved keys are temporarily cached within Salesforce, providing fast encryption and decryption operations while keeping control of the key lifecycle in your dedicated HSM environment.

Delivered as an easy-to-deploy Docker container, the Securosys Cache-Only Key Proxy communicates securely with both Salesforce and your Securosys Primus HSM or CloudHSM. Organizations can revoke Salesforce's ability to retrieve new encryption keys at any time by disconnecting the proxy or HSM connection, ensuring continued control over data access and key governance.

Key Benefits

key-hand-b&w
Full Data Sovereignty
Maintain complete control over your encryption keys outside the cloud provider's infrastructure. Key material remains under your own governance while cloud services continue to benefit from native encryption capabilities.
shield-b&w
Strong Security and Compliance
External key management supports demanding regulatory, audit, and sovereignty requirements. Securosys HSMs provide FIPS 140-3 Level 3 and Common Criteria EAL 4+ certified hardware security foundations.
cloud-lock-b&w
Cloud Flexibility Without Losing Control
Continue using AWS, Azure and Salesforce services while ensuring encryption keys remain in dedicated HSM environments, either on-premises or in Securosys CloudHSM deployments.
API-circle-b&w
Simple Deployment
The Securosys XKS Proxy, EKM Proxy and Salesforce Cache-Only Key Proxy are delivered as Docker containers and can be deployed quickly within existing infrastructures.
locket-circle-blocks-b&w
Scalable Architecture
Securosys Primus HSM technology supports a broad range of performance requirements, from smaller deployments to high-volume transaction environments.

FAQ

What is external key management?
External key management allows cloud services to use cryptographic keys that remain outside the cloud provider's infrastructure. Instead of storing keys within cloud-managed key services, organizations keep their keys in a dedicated Securosys HSM environment while cloud services request cryptographic operations through a secure proxy.
What is the difference between external key management and BYOK?
Bring Your Own Key (BYOK) allows organizations to generate keys outside the cloud and then import them into a cloud-managed key service. With external key management, the keys remain outside the cloud provider's environment at all times. Cryptographic operations are performed using keys stored in a dedicated HSM, giving organizations greater control over key governance and access.
Why use external key management?
Organizations use external key management to strengthen data sovereignty, maintain independent control over cryptographic keys, meet regulatory requirements, and reduce reliance on cloud-provider-controlled key infrastructure while continuing to benefit from cloud services.
How does the Securosys Proxy work?
The Securosys Proxy acts as a secure bridge between cloud provider key management services and Securosys HSMs. It receives cryptographic requests from AWS, Azure or Salesforce securely forwards them to Securosys Primus HSM or CloudHSM, and returns the result. The proxy never stores or accesses the underlying cryptographic key material.
Does the Securosys Proxy have access to my keys?
No. The Securosys Proxy forwards requests between the cloud platform and the HSM but does not store, manage, or access the cryptographic key material. Cryptographic operations are performed by the Securosys HSM.
Can I keep my encryption keys outside my cloud provider?

Yes. Securosys enables AWS, Azure, and Salesforce to use cryptographic keys managed in Securosys Primus HSM or CloudHSM while keeping key material under your control.

For AWS, the Securosys XKS Proxy enables AWS Key Management Service (KMS) to perform cryptographic operations using keys stored outside AWS.

For Azure, the Securosys External Key Management (EKM) Proxy enables Azure Key Vault Managed HSM to securely interact with externally managed keys stored in Securosys HSMs.

For Salesforce, the Securosys Cache-Only Key Proxy enables Salesforce Cache-Only Key Service to retrieve Data Encryption Keys (DEKs) from Securosys HSMs while maintaining customer control over the key lifecycle.

Which cloud platforms are supported?
Securosys provides dedicated proxy solutions for AWS External Key Store (XKS), Azure external key management with Azure Key Vault Managed HSM, and Salesforce Cache-Only Key Service enabling secure integration between cloud services and Securosys HSM environments.
Where can the Securosys Proxy be deployed?
The Securosys Proxy is delivered as a Docker container and can be deployed within customer-controlled environments, either on-premises or in the cloud, depending on the architecture and operational requirements.
Is there a free trial?
Yes, with CloudHSM free trial you can try out any Securosys External Key Management Proxy.
How much does it cost?
Securosys External Key Management Proxy can be obtained free of charge as an extension to an existing Primus HSM purchase or CloudHSM subscription. 
Is the Securosys Proxy available as a managed service?
All our Securosys Proxies are available as a managed service. If you are interested in a managed deployment, please contact us to discuss the available options.
Who is responsible for managing the Securosys Proxy?
When deployed in your environment, the Securosys Proxy is fully managed and controlled by your organization. For additional information, please refer to our End User License Agreement (EULA).