<img alt="" src="https://secure.weed6tape.com/193471.png" style="display:none;">
Download Supported Algorithms

Primus X-series

Primus X-Series Hardware Security Modules (HSMs) are available in different performance classes (X400/X1000). In its most powerful implementation, the Primus X1000 HSM is capable to perform 1200 RSA-4096 operations per second. The Primus X-Series HSM can be managed with our remote access device Decanus.

Primus x-Serie


Key Management and Encryption

The Primus X-Series HSM performs a wide range of operations. It generates encryption keys, stores these keys, and manages the distribution of these keys. Besides key management, it also performs authentication and encryption tasks. Multiple Primus HSMs can be grouped together in a self-synchronizing cluster to support geo-redundancy and load balancing. Each Primus can also be partitioned for multiple applications. Primus supports symmetric (AES, 3DES), asymmetric (RSA, ECC, Diffie-Hellman), cryptographic hash algorithms (SHA-2, SHA-3), as well as advanced encryption standard-cipher message authentication code (AES-CMAC) for symmetric key diversification.

True Random Numbers Generation (TRNG)

High-entropy encryption keys are paramount to provide the highest security. The Primus X-Series HSM has multiple true random number generation (TRNG) modules.  They are built up with separate hardware components and get their randomness from different physical noise mechanisms.

Crypto-Agile Architecture

Due to its dynamic architecture, the Primus HSM is quantum computer ready. Should quantum computers make any of the supported algorithms to become obsolete, then a quantum computer safe algorithm may be installed through a firmware/software upgrade.

Primus X-Series @Securosys

Primus X-Series Gallery

Business Advantage

Primus X-Series HSMs are secure and tamper-proof network security appliances. They are ideally suited to fulfill the highest requirements in high availability systems. Multiple HSMs can be grouped together as clusters across different datacenters, countries, or even continents to provide load balancing and fail-over. In addition, each unit is equipped with two redundant hot pluggable power supplies (AC or DC).

Unlimited Clients Connexion
There is no limit on the number of users and clients that can access the Primus X-Series HSM. Applications can connect either through Java (JCE/JCA), Windows (CNG, PKCS#11), or Linux (PKCS#11, openSSL) providers to the Primus X-Series.
Over 1 Million Keys
The Primus X-Series hardware security module can be configured with up to 120 partitions, each providing up to 240MB protected storage space. It can securely hold over one million keys or objects.
Prevent Tampering
Special care has been taken in the Primus X-Series HSM to detect and prevent tampering that go beyond FIPS and Common Criteria certification requirements. Multiple tamper sensors ensure proper operation and handling of the Primus X-Series HSM. If triggered, they will erase all key material.
Store Keys
The Primus X-Series HSM store cryptographic keys and provision encryption, decryption, authentication and digital signing services. They are essential to manage and provide protection for transactions, identities and applications.
Protect Sensitive Data
Protect your sensitive data and transactions with industry-leading security in the highest performance HSM. Integrate the Primus X-Series Hardware encryption devices directly into environments for on-site data security.
Transport Protection
The tamper sensors are also in operation when the HSM is unpowered. So, even when the HSM is in transit or held instorage, the HSM is protecting itself against any attempt to manipulate it and will notify its owner when powered up again.
Fully Shielded
To protect against side-channel attacks the Primus X-Series HSM is enclosed in a heavy aluminum casing. Moreover the critical cryptographic core is additionally shielded inside the box. This results in essentially no electro-magnetic (EM) radiation.

API Integration

Primus HSM offers a wide range of APIs for their integration. The APIs are either offered natively by the HSM or via a software layer. Securosys offers API providers (client API software / libraries) that are installed on the application server and ensure secure communication with the HSM and provide automatic failover and load balancing, optionally based on priority classes.

Clients are free to choose the API that best suits their requirements:

  • Best for complex architectures with different software stacks and languages 
  • Upgradable to Transaction Security Broker
  • External software module 
  • Best for Java integration 
  • Enhanced feature support: multi-authorization, cryptocurrency, key attestation, and other 

  • Best for applications using PKCS#11 standard interface, e.g. OpenSSL, Apache, NGINX, PKI, KMS and many programming language libraries. 
Microsoft CNG
  • Best for Microsoft Windows operating systems 
  • Native integration for many applications using Cryptography Next Generation interface (CNG) 


Security architecture

  • Multi-barrier software and hardware architecture with supervision mechanisms

Encryption/Authentication (extract)

  • 128/192/256-Bit AES with GCM-, CTR-, ECB-, CBC-, MAC Mode
  • Camellia, 3DES (legacy), ChaCha20-Poly1305, ECIES
  • RSA 1024-8192, DSA 1024-8192
  • ECDSA 224-521, GF(P) arbitrary curves (NIST, Brainpool,...)
  • ED25519, Curve25519
  • Diffie-Hellman 1024, 2048, 4096, ECDH
  • SHA-2/SHA-3 (224 - 512), SHA-1, RIPEMED-160, Keccak
  • HMAC, CMAC, GMAC, Poly 1305
  • Upgradeable to quantum computer-resistant algorithms

Key Generation

  • Two hardware true random number generators (TRNG)
  • NIST SP800-90 compatible random number generator

Key Management

  • Key capacity: up to 30 GB
  • Up to 120 partitions @ 240 MB secure storage


  • Number of client connections not restricted
  • Unlimited number of backups

Anti-Tamper Mechanisms

  • Several sensors to detect unauthorized access
  • Active destruction of key material and sensitive data on tamper
  • Transport and multi-year storage tamper protection by digital seal

Attestation and Audit Features

  • Cryptographic evidence of audit relevant parameters (keys, configuration, hardware, states, logs, time-stamping)

Identity-based Authentication

  • Multiple security officers (m out of n)
  • Identification based on smart card and PIN, using Decanus Terminal, or through virtual Smartcard,

Software integration

  • JCE/JCA Provider
  • PKCS#11 provider, OpenSSLv3, Apache, Nginx, P11-Kit
  • Microsoft CNG/ KSP
  • REST (TSB Module) 


  • IPv4/IPv6
  • Interface bonding (LACP or active/backup) 
  • Active clustering of multiple units for load-balancing and fail-over 
  • Monitoring and log streaming (SNMPv2, syslog/TLS)

Device Management

  • Local configuration (GUI, Console)
  • Remote administration (Decanus Terminal)
  • Local and remote firmware update
  • Secure log and audit
  • Enhanced diagnostic functions

Performance (transactions per second)

  RSA 4096 ECC 256 ECC 521 AES 256
X 1000 1000 3000 550 5000
X 400 400 3000 550 2000


  • Two redundant power supplies, hot pluggable, choice:
    • 100...240 V AC, 50...60 Hz
    • 36…75 V DC
  • Power dissipation: 60 W (typ.), 80 W (max.)
  • Ultra capacitors for data retention
  • Backup lithium battery: Lithium Thionyl Chloride 0.65g Li, IEC 60086-4, UL 1642, 3.6V


  • 4 Ethernet RJ-45 ports 1 Gbit/s (rear)
  • 1 RS-232 management port (front)
  • 1 USB management port (front)
  • 3 smart card 


  • 3 slots for Securosys security smart cards
  • 4 LEDs for system and interface status (multicolored)
  • 1 liquid crystal display for management information 
  • Console interface
  • Optional Decanus Remote Terminal

Environmental Test Specifications

  • EMV/EMC: EN 55022, EN 55024, FCC Part 15 Class B
  • Safety: IEC 62386-1


  • Temperature ranges (IEC 60068-2-1 Ad, IEC 60068-2-2 Bd): 
    storage -25...+70 °C; operation 0...+40 °C (recommended +1...+30°C) 
  • Humidity (IEC 60068-2-78 Cab): 
    40 °C, 93% RH, non-condensing
  • MTBF (RIAC-HDBU-217Plus) at tamb=25 °C: 100 000 h
  • Dimensions (w×h×d) 440 x 88 x 441 mm
    (2U 19" EIA standard rack)
  • Weight 13.5 kg


  • FIPS140-2 Level 3
  • CC EN 419221-5 eIDAS protection profile
  • CE, FCC, UL

Didn't find what you were looking for?

Please find here our products overview or solutions overview page.

Contact us

Contact us if you want to know more about our products and offering.

Hinterlassen Sie uns Ihre Nachricht hier