Files
Anthropic-Cybersecurity-Skills/skills/configuring-hsm-for-key-storage/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

3.7 KiB

name, description, domain, subdomain, tags, version, author, license, nist_ai_rmf, atlas_techniques, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_ai_rmf atlas_techniques nist_csf mitre_attack
configuring-hsm-for-key-storage Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never lea cybersecurity cryptography
cryptography
hsm
key-management
pkcs11
hardware-security
1.0 mahipal Apache-2.0
MEASURE-2.7
MAP-5.1
MANAGE-2.4
AML.T0070
AML.T0066
AML.T0082
PR.DS-01
PR.DS-02
PR.DS-10
T1552.004
T1555
T1078

Configuring HSM for Key Storage

Overview

Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never leave the device boundary, providing the highest level of key protection. This skill covers configuring HSMs using the PKCS#11 standard interface, including key generation, signing, encryption, and key management using both physical HSMs and SoftHSM2 for development.

When to Use

  • When deploying or configuring configuring hsm for key storage capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with cryptography concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Configure SoftHSM2 as a development PKCS#11 provider
  • Generate and manage keys inside the HSM via PKCS#11
  • Perform cryptographic operations (sign, verify, encrypt, decrypt) using HSM-resident keys
  • Implement HSM-backed certificate authority operations
  • Configure key access policies and user authentication
  • Interface with cloud HSM services (AWS CloudHSM, Azure)

Key Concepts

HSM Compliance Levels

FIPS Level Protection Use Case
FIPS 140-2 Level 1 Software only Development
FIPS 140-2 Level 2 Tamper-evident, role-based auth General production
FIPS 140-2 Level 3 Tamper-resistant, identity-based auth Financial, government
FIPS 140-2 Level 4 Physical tamper response Military, classified

PKCS#11 Architecture

Application --> PKCS#11 API --> HSM Provider --> Hardware HSM
                                    |
                              (SoftHSM2 for dev)

Key Objects in PKCS#11

Object Type Description Operations
CKO_SECRET_KEY Symmetric keys (AES) Encrypt, Decrypt, Wrap
CKO_PUBLIC_KEY Public keys (RSA, EC) Verify, Encrypt, Wrap
CKO_PRIVATE_KEY Private keys (RSA, EC) Sign, Decrypt, Unwrap
CKO_CERTIFICATE X.509 certificates Storage, retrieval

Security Considerations

  • Never export private keys from HSM (use CKA_EXTRACTABLE=False)
  • Use separate slots/partitions for different applications
  • Implement multi-person key ceremony for CA root keys
  • Enable audit logging for all HSM operations
  • Implement HSM backup and disaster recovery
  • Use strong PINs and enable SO (Security Officer) PIN

Validation Criteria

  • SoftHSM2 initializes with token and user PIN
  • AES key generates inside HSM
  • RSA key pair generates inside HSM
  • Encryption/decryption uses HSM-resident keys
  • Signing/verification uses HSM-resident keys
  • Keys cannot be exported (non-extractable)
  • Key listing shows all HSM-stored objects