You're doing an amazing job of making difficult concepts easier to understand for those of us just starting off our cyber careers. Many thanks.

Again much appreciated your video! Just done my Security+ and I wish to learn so much more about HSM.

Great stuff explained very well!

Excellent video thanks!

It is what I'm looking for. Thank you

Very well presented, the perfect level of depth

This is phenomenal. I had the privilege of reading something similar, and it was absolutely phenomenal. "Mastering AWS: A Software Engineers Guide" by Nathan Vale

Thank you, great work!

Hi Adrian. Probably the best summary of how HSMs work from a high level. I currently perform staging/whitelisting of SQL Servers IP Addresses on nCipher RFS Servers. I understand the process pretty well, but, myself and other Engineers differ on how for instance, an nCipher HSM protects a SQL Server data encryption key (DEK). We are in meetings, and they all act like the SQL DEK is stored on the HSM. And my understanding in brief terms, goes like this: 1) SQL TDE DEK, is the key that encrypts the SQL Database file. 2) I stage the SQL Servers IP Addresses in both an HSM and RFS Config file (that the HSM will later call). 3) In order to integrate SQL Database Servers into nCipher HSM, they must first have the Entrust Security World software installed, and then the SQLEKM.dll I believe, via an Option Pack. 4) Once that's all setup, they will create some accounts, and an account that maps to the the SQLEKM.dll provider that's installed and setup on SQL Database. 5) ( THIS is where I need validation on how I think this truly works ): They will run some SQL queries to setup/create an Asymmetric Key, i.e. a call made to the SQLEKM Provider, which interfaces with the HSM. 6) The HSM Master key creates a KEK (Key Encryption Key) which is processed by the SQLEKM, and the KEK is used via the tdeLogin/tdeCredential while at the same time, being protected by the SQLEKM Provider in the Entrust (nShield or nCipher) HSM, to finally, encrypt the SQL TDE "DEK" or data encryption key, and hence, you have the HSM providing Key Management....Is my explanation somewhat close or am I off a bit? I really want to understand this process and be able to tell the guys at work, and per Entrusts documentation, that the TDEDEK Symmetric key is "created by the SQL Server and CANNOT be exported from the database, meaning it cannot be created or directly protected by the SQLEKM Provider (nShield or nCipher HSM). I'm hoping for a reply from you, and, am also hoping for more in-depth videos on Entrust (or other Vendor) HSMs and the in-depth ways the process truly works. Also interesting is it's use in PKI. That I would like to learn more as well. Thank you for your time!!

Such a great explanation 👏👏👏 . There is no such series for this. It would be great if you could make one Azure Managed HSM and how to implement it using terraform

thanks for the explanation!

This was exactly what I was looking for. Thanks.

Thanks for the easy explanation

This is great, thank you very much

Hey Adrian I just wanted to let you know that you have added HSM Pictures in tech fundamentals learning aid in associate solution architect cource GitHub repository . I was a bit confused when I found it while going through the learning aids and instantly came here to know what HSM means

Amazing explanation thanks a million! One thing here how we should integrate it with KMIP?

Great video! Which playlist should I watch to continue the HSM learning?

Lets say I want to store signing keys for the some tokens in HSM. Fist of all is this a good idea.? Second, if yes then does this not add latency to sign all tokens?

So what are some vulnerabilities to having a HSM?

Perfect 👍

how to make a data vault on top of HSM for storing credentials??

Does HSM store software keys?

HeyCeSem :)

Raspberi Pi's ??