Nitrokey NetHSM cryptographic key store

NetHSM - Open Hardware Security Module

Secure cryptographic key store (e.g. TLS of web servers, DNSSEC, PKI, CA, blockchain)
Open source allows you to verify the absence of backdoors
Easy to use thanks to a modern REST interface and modern software tools

- Store cryptographic keys for TLS, DNSSEC, PKI and CA web servers on NetHSM hardware connected to the network.
- Private keys are safe against server hacks and physical breaches of data center security.
- Meets safety compliance requirements.
- High security thanks to Open Source that allows you to verify the absence of back doors.
- Enables independent security audits and easy customization.
- Avoids supplier dependence.
- Modern interface and easy-to-use REST tools.
- Can be easily managed via command line software.
- Client systems can easily integrate REST APIs using SDKs available in 35 programming languages ​​or using the PKCS#11 module.
- All NetHSM tools, drivers and documentation are publicly available without the need for an NDA.
- A single NetHSM module can handle thousands of key operations per second.
- NetHSM is stateless, several devices can be clustered to provide extremely high throughput and high availability.
- NetHSM can also be deployed as a cloud container (planned).

The main system is implemented from scratch in a memory- and type-safe functional programming language (OCaml).
This applies to all levels – even TCP/IP, HTTP, TLS and the application stack. This approach ensures the exclusion of an entire class of potential security vulnerabilities, namely buffer overflows and other memory access errors, which typically cause 70% of all security vulnerabilities.

The NetHSM operating system is based on the so-called "unikernel" (MirageOS). Unikernels combine the functionality of the operating system and applications in specially adapted software that does not contain unnecessary code. For example, NetHSM does not even include a terminal shell and cannot be displayed on the screen. In this way, we achieve a very small overall system size (~30 MB), which results in a minimal attack vector.

NetHSM includes a formally verified microkernel (Muen) ensuring the highest level of security. Its formal verification mathematically guarantees that the kernel does not contain any runtime errors. The microkernel architecture ensures that only the minimum set of required features are provided without additional and potentially harmful features.

To provide additional security, the formally verified microkernel separates functional blocks from each other. This includes platform device drivers, network interface, and actual application logic. For example, if attackers manage to compromise a network driver, they will be unable to access cryptographic keys. This is different from most regular operating systems where device drivers run with root privileges.

All cryptographic keys are stored in encrypted form. This approach ensures that all keys remain securely encrypted even if attackers steal the entire device. Makes brute-force attacks and hardware attacks using laboratory equipment ineffective.

Nitrokey, NetHSM, magazyn kluczy kryptograficznych, klucze kryptograficzne, sprzętowy moduł bezpieczeństwa, klucze kryptograficzne dla serwerów internetowych, TLS, DNSSEC, PKI, CA, OCaml, fizyczne naruszenie bepieczeństwa, niezależne audyty bezpieczeństwa, narzędzia REST, język programowania bezpieczny dla pamięci, klucze kryptograficzne są przechowywane w postaci zaszyfrowanej,
ataki brute-force, ataki sprzętowe, cryptographic keystore, cryptographic keys, hardware security module, cryptographic keys for web servers, physical security breach, independent security audits, REST tools, memory-safe programming language, cryptographic keys are stored in the form encrypted, brute-force attacks, hardware attacks,
klucz bezpieczeństwa, klucz sprzętowy, klucz zabezpieczający komputer, dwuetapowe uwierzytelnianie, zabezpieczenia kont w portalach internetowych, potwierdzenie tożsamości podczas logowania, klucz unikalny, security key, hardware key, computer security key, two-step authentication, security of accounts on Internet portals, identity confirmation when logging in, unique key, Sicherheitsschlüssel, Hardwareschlüssel, Computer-Sicherheitsschlüssel, Zwei-Faktor-Authentifizierung, Sicherheit von Konten auf Internetportalen, Identitätsbestätigung beim Anmelden, eindeutiger Schlüssel,