NetBackup™ Security and Encryption Guide

Overview of Hardware Security Modules (HSM)

A Hardware Security Module (HSM) is a physical device designed to generate, store, and manage cryptographic keys securely. HSMs are tamper-resistant and provide a robust mechanism for safeguarding sensitive cryptographic data, including private keys, digital certificates, and authentication tokens.

Some of the key features of an HSM include:

  • Tamper resistance: HSMs are built to prevent unauthorized access and to wipe keys in case of physical tampering attempts.

  • Secure key generation and storage: Keys are generated within the HSM ensuring that they never leave the device in unencrypted form.

  • High-performance encryption: HSMs are optimized for performing cryptographic operations at high speed without compromising security.

As a starting point for HSM usage in NetBackup, the security artefacts of host ID credentials can be protected by an HSM.

NetBackup uses PKCS#11 version 2.40 to communicate with the HSM. This abstracts NetBackup from the type of HSM in use and its hardware binding (software-based HSM, USB, PCIe, or networked), as long as the module (HSM) supports PKCS#11 version 2.40 for communication. NetBackup expects the HSM vendor to provide a dynamic library that exposes the PKCS#11 interface for interacting with the HSM.
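A pre-flight check for the vendor library described above, added here as an example and not taken from the NetBackup documentation or tooling: it loads the PKCS#11 module through `C_GetFunctionList`, calls `C_GetInfo`, and reports the Cryptoki version the module advertises. Assumptions: Linux/Unix struct alignment, a module path supplied by the operator, and a strict comparison against 2.40 (names such as `probe` and `summarize` are illustrative).

```python
import ctypes

CK_RV = ctypes.c_ulong
REQUIRED = (2, 40)  # Cryptoki version named in the guide (strict match is this example's choice)

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_INFO(ctypes.Structure):  # field order per PKCS#11 v2.40, Unix alignment assumed
    _fields_ = [("cryptokiVersion", CK_VERSION),
                ("manufacturerID", ctypes.c_char * 32),
                ("flags", ctypes.c_ulong),
                ("libraryDescription", ctypes.c_char * 32),
                ("libraryVersion", CK_VERSION)]

class CK_FUNCTION_LIST(ctypes.Structure):  # only the leading entries are read here
    _fields_ = [("version", CK_VERSION),
                ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
                ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
                ("C_GetInfo", ctypes.CFUNCTYPE(CK_RV, ctypes.POINTER(CK_INFO)))]

def _text(raw):
    # CK_INFO strings are blank-padded, not NUL-terminated
    return raw.decode("utf-8", "replace").strip()

def summarize(info):
    """Turn a filled CK_INFO into a small report."""
    ver = (info.cryptokiVersion.major, info.cryptokiVersion.minor)
    return {"cryptoki": "%d.%02d" % ver,
            "manufacturer": _text(info.manufacturerID),
            "library": _text(info.libraryDescription),
            "is_2_40": ver == REQUIRED}

def probe(module_path):
    """Load the vendor PKCS#11 library and return summarize() of its CK_INFO."""
    lib = ctypes.CDLL(module_path)
    lib.C_GetFunctionList.restype = CK_RV
    lib.C_GetFunctionList.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST)()
    if lib.C_GetFunctionList(ctypes.byref(fl)) != 0:  # 0 is CKR_OK
        raise RuntimeError("C_GetFunctionList failed")
    funcs = fl.contents
    rv = funcs.C_Initialize(None)
    if rv != 0:
        raise RuntimeError("C_Initialize failed: 0x%x" % rv)
    try:
        info = CK_INFO()
        rv = funcs.C_GetInfo(ctypes.byref(info))
        if rv != 0:
            raise RuntimeError("C_GetInfo failed: 0x%x" % rv)
        return summarize(info)
    finally:
        funcs.C_Finalize(None)
```

Call `probe()` with the path to the vendor's PKCS#11 shared library; a result with `is_2_40` set to `False` is a prompt to confirm compatibility with the HSM vendor before configuring NetBackup.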

NetBackup uses a symmetric encryption algorithm that is exposed by the HSM. Provision the symmetric key in the HSM using the methods and tools recommended by the HSM vendor.
