What Is a Hardware Security Module? Keys That Never Leave
A hardware security module (HSM) is dedicated, tamper-resistant hardware that stores cryptographic keys and performs operations so the keys never leave it in plaintext.
A hardware security module, or HSM, is the gold standard for protecting cryptographic keys. Rather than letting a signing or encryption key sit in software where it can be copied, an HSM keeps the key inside tamper-resistant hardware and performs the cryptographic operation internally. The key never appears in plaintext outside the device, which is why HSMs guard the most sensitive keys.
How an HSM protects keys
The private key is generated inside the HSM and never exported. To sign or decrypt, you send the data in; the HSM performs the operation and returns the result. Because the key never leaves the hardware, a compromised application cannot steal it.
What makes it trustworthy
- Tamper resistance: physical attacks trigger key destruction.
- Isolation: keys never exist in plaintext outside the device.
- Auditability and access control over who can invoke operations.
Where HSMs are used
HSMs protect the highest-value keys: certificate authority roots, code-signing keys, and master encryption keys. Cloud providers offer managed HSM services so teams get hardware-grade protection without operating the device themselves.
HSMs in CI/CD
When a pipeline signs releases or container images, keeping the signing key in an HSM (or HSM-backed managed service) means the pipeline can request signatures without ever holding the raw key. A compromised runner cannot exfiltrate a key it never possesses.
HSM versus software keys
A software key, however well encrypted at rest, is decrypted into memory to be used, where it can potentially be read. An HSM never exposes the key, raising the bar from "hard to steal" to "cannot be extracted," which matters most for keys that anchor trust.
HSM-backed signing and runners
With HSM-backed signing, the runner sends data to be signed and gets a signature back, never touching the key itself. Combined with isolated, ephemeral runners (such as Latchkey managed runners), the signing material stays entirely out of reach of the build environment.
Key takeaways
- An HSM stores keys in tamper-resistant hardware and performs crypto internally.
- The key never leaves the device in plaintext, so it cannot be exfiltrated.
- HSM-backed signing lets pipelines get signatures without ever holding the key.