Frequently Asked Questions (FAQ)

Q: Is NetHSM FIPS or Common Criteria certified?

Not yet but we are aiming for certifications in the future. Please contact us if you are interested in supporting these efforts.

Q: Which protections against physical tampering are in place?

NetHSM is sealed which allows to detect physical tampering. It contains a TPM which is protected against physical tampering. The TPM is the root of trust and securely stores cryptographic keys which are used to encrypt and decrypt further data and keys in the NetHSM. This protects against booting malicious firmware and software and decrypting data and keys being stored. The current NetHSM doesn’t contain additional sensors to detect tampering.

Q: Where can I learn more about NetHMS’s security architecture and implementation?

Start with the chapters Getting Started, Administration and Operations. Proceed with the following resources.

• Overall system design

• Security assessment report

• Full source code

• Physical random number generator (TRNG) of quality PTG.3 according to AIS-20: hardware, firmware

Q: Roadmap: Which features are planned?

We plan the following developments in the loose order. Changes to this prioritization based on customer requests are possible.

• Productive usable software container

• Additional ECC: ECDH (X25519, NIST), secpXk (Koblitz) , Brainpool

• Quorum: m-of-n access scheme and security domain management

• Performance improvements

• Direct, dynamic cluster capability, possibly support for external database

• Remote attestation and cloud service

• User authentication via mTLS certificates or FIDO

• More user rights management (e.g. additional roles, groups)

• Further separations and hardenings

• FIPS and/or Common Criteria certifications

• Redundant power supplies