Patents by Inventor Frederick Bosco
Frederick Bosco has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20260142842
Abstract: A method may include receiving a request for a secure partition on an HSM from a client device and provisioning the secure partition on the HSM. The method may include generating a control server and a load balancer. The method may include generating, by a certificate service, a CSR signed by the certificate service. The method may include transmitting the CSR to the client device and receiving a first certificate including the public key of the first public private key pair and a private key of a second public private key pair. The method may include receiving a second certificate generated by an external certificate authority and signed with a public key of the second public private key pair. The method may include storing the first certificate and the second certificate on the secure partition in a location such that the second is accessible by the control server.
Type: Application
Filed: January 9, 2026
Publication date: May 21, 2026
Applicant: Oracle International Corporation
Inventors: Frederick Bosco, Pankaj Bhandula, Ankit Goyal, Nitin Handa
-
Patent number: 12526160
Abstract: A method may include receiving a request for a secure partition on an HSM from a client device and provisioning the secure partition on the HSM. The method may include generating a control server and a load balancer. The method may include generating, by a certificate service, a CSR signed by the certificate service. The method may include transmitting the CSR to the client device and receiving a first certificate including the public key of the first public private key pair and a private key of a second public private key pair. The method may include receiving a second certificate generated by an external certificate authority and signed with a public key of the second public private key pair. The method may include storing the first certificate and the second certificate on the secure partition in a location such that the second is accessible by the control server.
Type: Grant
Filed: May 13, 2024
Date of Patent: January 13, 2026
Assignee: Oracle International Corporation
Inventors: Frederick Bosco, Pankaj Bhandula, Ankit Goyal, Nitin Handa
-
Patent number: 12513005
Abstract: A method of providing access to a hardware security module (HSM) partition may include receiving a request for access to the HSM partition from a client device. The request may include a leaf certificate signed with a public key associated with a user and a secret key associated with the client device. The method may include verifying the request using the leaf certificate and a trust anchor certificate signed with a public key associated with the client device. The method may include a first connection between the HSM partition and the client device. The method may include verifying the request using the leaf certificate and an authentication certificate stored on the HSM partition. The method may include establishing a second connection between the client device and the HSM partition such that the computing system is isolated from the second connection.
Type: Grant
Filed: May 13, 2024
Date of Patent: December 30, 2025
Assignee: Oracle International Corporation
Inventors: Frederick Bosco, Pankaj Bhandula, Ankit Goyal, Nitin Handa
-
Publication number: 20250030542
Abstract: Techniques are described for replicating encryption keys using a write ahead log (WAL). An example method can include receiving a request from a user device to transmit encryption keys stored in a first virtual vault of a first hardware security module (HSM) of a first data center to a second virtual vault of a second HSM of a second data center, the request comprising an account identifier. The method can further include identifying a first account-specific WAL of a plurality of account-specific WALs based at least in part on the account identifier, each account-specific WAL corresponding to the first HSM, and configured to record changes to a respective virtual vault of the plurality of virtual vaults. The method can further include accessing the encryption keys from the first account-specific WAL of the first HSM. The method can further include transmitting the encryption keys to the second data center.
Type: Application
Filed: July 19, 2024
Publication date: January 23, 2025
Applicant: Oracle International Corporation
Inventors: Frederick Bosco, Hanyue Zhang, Rakesh Ganimini Baskar, Ankit Goyal, Danyu Yang
-
Publication number: 20240388448
Abstract: A method may include receiving a request for a secure partition on an HSM from a client device and provisioning the secure partition on the HSM. The method may include generating a control server and a load balancer. The method may include generating, by a certificate service, a CSR signed by the certificate service. The method may include transmitting the CSR to the client device and receiving a first certificate including the public key of the first public private key pair and a private key of a second public private key pair. The method may include receiving a second certificate generated by an external certificate authority and signed with a public key of the second public private key pair. The method may include storing the first certificate and the second certificate on the secure partition in a location such that the second is accessible by the control server.
Type: Application
Filed: May 13, 2024
Publication date: November 21, 2024
Applicant: Oracle International Corporation
Inventors: Frederick Bosco, Pankaj Bhandula, Ankit Goyal, Nitin Handa
-
Publication number: 20240388451
Abstract: A method of providing access to a hardware security module (HSM) partition may include receiving a request for access to the HSM partition from a client device. The request may include a leaf certificate signed with a public key associated with a user and a secret key associated with the client device. The method may include verifying the request using the leaf certificate and a trust anchor certificate signed with a public key associated with the client device. The method may include a first connection between the HSM partition and the client device. The method may include verifying the request using the leaf certificate and an authentication certificate stored on the HSM partition. The method may include establishing a second connection between the client device and the HSM partition such that the computing system is isolated from the second connection.
Type: Application
Filed: May 13, 2024
Publication date: November 21, 2024
Applicant: Oracle International Corporation
Inventors: Frederick Bosco, Pankaj Bhandula, Ankit Goyal, Nitin Handa