What is an HSM?
A Hardware Security Module is a dedicated physical device that generates, stores, and manages cryptographic keys in a tamper-resistant environment. The private key used by a TSA to sign timestamps never leaves the HSM — all cryptographic operations happen inside the module. This makes key extraction virtually impossible, even with physical access to the device.
Certification requirements
Under eIDAS, qualified trust services must use HSMs that meet specific certification standards. The most common are Common Criteria EAL 4+ (European standard) and FIPS 140-2 Level 3 (US standard). These certifications verify that the HSM has been designed and tested to resist physical tampering, side-channel attacks, and software exploits.
HSM architecture for TSAs
A typical TSA deploys HSMs in redundant clusters for high availability. Each HSM contains the same signing key, loaded through a secure key ceremony. If one HSM fails, others continue signing timestamps without interruption. Load balancers distribute signing requests across the cluster. This architecture supports millions of timestamps per day.
Cloud HSM options
Major cloud providers now offer Cloud HSM services (AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM) that provide FIPS 140-2 Level 3 certified hardware in hosted data centres. Some QTSPs use these for geographic redundancy while maintaining qualification requirements. However, not all supervisory bodies accept cloud HSM deployments for qualified services.