Definition
In Salesforce Shield Platform Encryption, a dedicated tamper-resistant hardware device used to securely generate, store, and manage encryption keys, providing an additional layer of key security for sensitive data.
Real-World Example
When an admin at Redwood Financial needs to streamline operations, they turn to a Hardware Security Module (HSM) to ensure the Salesforce org runs smoothly and securely. They configure the Hardware Security Module (HSM) during a scheduled maintenance window, test it in a sandbox first, and then deploy it to production. The result is tighter security and a more streamlined experience for all 200 users in the org.
Why Hardware Security Module (HSM) Matters
In Salesforce Shield Platform Encryption, a Hardware Security Module (HSM) is a dedicated tamper-resistant hardware device used to securely generate, store, and manage encryption keys. HSMs provide an additional layer of key security beyond software-based approaches because the cryptographic operations happen inside the tamper-resistant hardware, and the keys never leave the device in unencrypted form. This makes HSMs the gold standard for high-security key management.
HSMs matter most in the most security-sensitive environments: financial services, government, healthcare, and any organization with strict compliance requirements around encryption key handling. For Salesforce Shield Platform Encryption, HSMs come into play with customer-managed keys (BYOK), where the customer's external key management system uses HSMs to generate and store the keys. The Salesforce platform itself uses HSMs internally for its key management infrastructure. For most organizations, the HSM details are abstracted away by the key management system; what matters is whether your compliance program requires HSM-backed key handling.
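The point above that key material never leaves the device in unencrypted form is easiest to see as a boundary. The following is an added illustration, not Salesforce code and not a real HSM vendor API: a simulated HSM that generates and stores keys internally, hands the application only an opaque handle, performs encrypt/decrypt on the application's behalf, and exports key material only wrapped under its own key-encryption key (KEK). It uses the standard library only, so AES is replaced by an HMAC-SHA256 keystream (a PRF in counter mode) with encrypt-then-MAC; the class, handle format and the "tenant-secret" label are all constructed for the example.

```python
# Added example: a simulated HSM boundary (not Salesforce's or any vendor's code).
# Standard library only: AES is replaced by an HMAC-SHA256 keystream so it runs offline.
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (HMAC-SHA256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from one root key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered blobs."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext was modified")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class SimulatedHsm:
    """Models the HSM boundary (constructed for this example).

    Keys are generated and stored inside the device, referenced from outside
    only by an opaque handle, and cross the boundary only wrapped under the KEK.
    """

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)   # key-encryption key; never exported
        self._keys = {}                       # handle -> raw key, internal only

    def generate_key(self, label: str) -> str:
        """Generate a key inside the device and return only a handle to it."""
        handle = f"{label}-{secrets.token_hex(4)}"
        self._keys[handle] = secrets.token_bytes(32)
        return handle

    def encrypt(self, handle: str, plaintext: bytes) -> bytes:
        """The application sends data in and gets ciphertext back; no key leaves."""
        return _seal(self._keys[handle], plaintext)

    def decrypt(self, handle: str, blob: bytes) -> bytes:
        return _open(self._keys[handle], blob)

    def export_wrapped(self, handle: str) -> bytes:
        """The only way key material leaves: wrapped (encrypted) under the KEK."""
        return _seal(self._kek, self._keys[handle])


def demo() -> bool:
    """Round-trip a constructed record through the simulated HSM."""
    hsm = SimulatedHsm()
    handle = hsm.generate_key("tenant-secret")
    record = b"constructed sample: account 12345 balance 987.65"
    blob = hsm.encrypt(handle, record)
    return hsm.decrypt(handle, blob) == record


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The security-relevant contrast is in what the application can see: it holds a handle and ciphertext, never the key bytes, and an exported key is itself ciphertext under the KEK. A software-only key store would keep the same 32 bytes in ordinary process memory, where anything that can read the process can read the key.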
How Organizations Use Hardware Security Module (HSM)
- Coastal Health — Uses BYOK with HSM-backed key generation in their external KMS to satisfy HIPAA's strict key handling requirements.
- Redwood Financial — Requires HSM-backed key management for all encryption used with customer financial data, following banking regulator guidance.
- ShieldGuard Security — Documents whether each part of their key management infrastructure uses HSM-backed keys as part of their compliance evidence.
