Primus X-Series Hardware Security Modules (HSMs) are available in different performance classes (X200/X400/X700/X1000). In its most powerful implementation, the Primus X1000 HSM can perform 1200 RSA-4096 operations (or about 4000 RSA-2048) per second. The Primus X-Series HSM can optionally be controlled with our remote access device Decanus.
The Primus X-Series HSM performs a wide range of operations. It generates encryption keys, stores these keys, and manages the distribution of these keys. Besides key management, it also performs authentication and encryption tasks. Multiple Primus HSMs can be grouped together to support redundancy and load balancing. Each Primus can also be partitioned for multiple users. Primus supports symmetric (AES, 3DES), asymmetric (RSA, ECC, Diffie-Hellman), and hashing (SHA-2, SHA-3) cryptographic algorithms.
High-entropy encryption keys are generated in separate hardware true random number generator (TRNG) modules based on different physical noise mechanisms. Primus also contains an ultra-secure vault implemented inside a dedicated security chip. The Securosys Primus X-Series HSM is available in several performance levels, up to 1200 RSA-4096 signatures per second (or 4000 RSA-2048 signatures per second).
Due to its dynamic architecture, the Primus HSM is quantum computer ready. Should quantum computers make any of the supported algorithms obsolete, a quantum-computer-safe algorithm may be installed through a firmware/software upgrade.
Primus X-Series HSMs are secure and tamper-proof network security appliances. They are ideally suited for high and highest availability systems. Multiple systems can be grouped together, even across different locations, to provide load balancing and fail-over. In addition, each unit is equipped with two redundant power supplies (AC or DC) that are hot-pluggable.
The Primus X-Series hardware security module can be configured with up to 120 partitions, each providing up to 240 MB of protected storage space. HSM operators have no limit on the number of users and clients, which can connect through Java (JCE/JCA), Windows (CNG, PKCS#11), and Linux (PKCS#11, OpenSSL).
Special care has been taken in the Primus X-Series HSM to detect and prevent tampering as well as to protect against side-channel attacks. The HSM is enclosed in a heavy aluminum casing, with the critical portion additionally shielded. This results in essentially no electromagnetic (EM) radiation. Multiple tamper sensors ensure proper operation and handling of the Primus X-Series HSM. If triggered, they will erase all key material. Moreover, these tamper sensors are also in operation when the HSM is unpowered. So, even during transport and storage, the HSM protects itself against any attempt to manipulate it and will notify its owner when powered up again.
The Primus X-Series HSMs store cryptographic keys and provide encryption, decryption, authentication and digital signing services. They are essential to manage and provide protection for transactions, identities and applications.
Protect your sensitive data and transactions with industry-leading security in the highest performance HSM. Integrate the Primus X-Series Hardware encryption devices directly into environments for on-site data security.
Military grade security architecture
- Multi-barrier software and hardware architecture with supervision mechanisms
- 128/192/256 bit AES (GCM, CTR, ECB, CBC, MAC modes)
- 128, 192 and 256 bit Camellia (GCM, CTR, ECB, CBC, MAC modes)
- RSA 2048 – 8192 with PKCS, PSS and OAEP modes
- ECDSA 256 (mod-p curves, etc.), DSA 2048 – 4096
- ECDH 256, DH 2048 – 4096
- SHA-2, SHA-3 (224 – 512)
- Upgradeable to quantum computer safe algorithms
- Two high entropy hardware true random number generators
- Key capacity: in excess of 1’000’000 2048-bit keys
- Ultra-secure vault for long term keys and certificates
Multi Client/User/Partition Capability
- In excess of 100 partitions
Anti Tampering Mechanisms
- Several sensors to detect unauthorized access
- Enabled to destroy all key material and sensitive data
- Transport & multi-year storage tamper protection
- Local firmware update
- Multiple security officers (2 out of m)
- Identification based on Smartcard and PIN
Internet Protocol (IPv4, IPv6)
- JCE/JCA Provider
- MS CSP
- Enhanced test functions
- Event agent Device Management
- Configuration, monitoring and logging
- Firmware updating
Load Balancing/Fail Over
- Multiple units may be connected to provide:
  - High availability redundancy
  - Load balancing by application software
|RSA 4096/s||ECC 521/s||AES (Mbit/s)|
*Performance limited by client connection
- 3 slots for Securosys Security Smartcards
- 4 LEDs for system and interface status (multicolored)
- Built-in liquid crystal display for management
- Panel for menu navigation and to trigger Built-in Test Equipment (BiTE) and emergency erasure
- 4 Ethernet RJ-45 ports 1 Gbit/s (rear)
- 1 RS-232 management port (front)
- 1 USB management port (front)
- Two redundant hot-pluggable power supplies, choice of:
  - 100…240 V AC, 50…60 Hz
  - 36…75 V DC
- Power consumption: 75 W
- Ultra capacitors for data retention
Safety Conformity (target)
- IEC 60950
- RoHS compliant
Electromagnetic Compatibility (EMC) (target)
- Radiation measured according to EN 55022
- Immunity: EN 55024
Environmental Test Specifications (target)
- Temperature ranges (IEC 60068-2-1 Ad, IEC 60068-2-2 Bd): storage -25…+70 °C; operation 0…+45 °C
- Humidity (IEC 60068-2-78 Cab): 40 °C, 93% RH, non-condensing, 10 days; 8 days in operation
- MTBF (RIAC-HDBU-217Plus) at tamb = 25 °C: 100 000 h
Dimensions (w × h × d)
- 400 x 88 x 367 mm (fits 2U 19” EIA standard rack)
Certification (under evaluation)
- FIPS 140-2 Level 3
- CC EAL 4+