Migration to a Hardware Security Module (HSM)

Encrypting data provides an additional layer of security to the user. Data is encoded in such a way that only authorized parties can read the content. When upgrading OneSpan Authentication Server (3.10 or later), it is possible to migrate encrypted data from a software security module (SSM) to an hardware security module (HSM) installation. The HSM stores the encryption key usually on an external device that attaches directly to a computer or network server. It is equipped with tamper detection mechanisms, thus making it more secure than SSM installations, where the encryption key is stored within the software.

You cannot migrate from a source system that is using hardware security module (HSM) infrastructure!

To install and migrate encryption keys

1. On the HSM Migration page of the Configuration Wizard, specify the HSM type.
2. Once the connection to the HSM library is established, configure the keys in OneSpan Authentication Server.
3. Start rotation from SSM to HSM keys in the OneSpan Authentication Server Administration Web Interface, to effectively migrate to HSM.

The migration from an SSM to an HSM deployment is not revertible; migrating back to an SSM deployment is not possible!

Only when the key rotation has finished, the migration from SSM to HSM will be completed.

For more information refer to the OneSpan Authentication Server Installation Guide for Linux or the OneSpan Authentication Server Installation Guide for Windows (as applicable), Section "Configuring OneSpan Authentication Server (Upgrade)".