IBM HSM Products

What is an HSM? An HSM is a Hardware Security Module, a general-purpose computing environment that withstands both physical and logical attacks and has special hardware to perform cryptographic operations and protect keys. The HSM is accessed from a host computer system using a carefully-designed set of API functions. The API functions may be generic, or they may be designed to meet the special requirements of particular industries such as banking and finance.

The device must run the programs that it is supposed to run, with confidence that those programs have not been modified. You must be able to (remotely) distinguish between the real device and application, and a clever impersonator.

The HSM must remain secure even if adversaries carry out destructive analysis of one or more devices. Many servers operate in distributed environments where it is difficult or impossible to provide complete physical security for sensitive processing. In some applications, the motivated adversary is the end user. You need a device that you can trust even though you cannot control its environment.

Diagram of computing environment utilizing a Hardware Security Module, showing flow through the Cryptographic engines.

Cryptography is an essential tool in secure processing. When your application must communicate with other distributed elements, or assert or ascertain the validity of data that it is processing, you will find cryptography an essential tool. IBM HSMs will fit your needs for secure cryptographic hardware.

IBM Systems currently offers three high-end, high-performance hardware security modules (HSMs) which provide a flexible solution suitable for high-security processing and cryptographic operations to address your cryptographic needs. The latest generation and fastest of the IBM cryptographic coprocessor family of PCIe cards with a multi-chip embedded module is the IBM 4769 (CryptoExpress7S, or CEX7S). Its predecessors are the IBM 4768 (CEX6S) and the IBM 4767 (CEX5S). Earlier predecessors include the IBM 4765, 4764, and 4758, which are no longer sold by IBM.

Interested in learning more about the IBM HSMs?

Cryptographic APIs for IBM HSMs

The IBM HSM can support one of two different cryptographic APIs, and you can reload your HSM firmware at any time to switch from one to the other.

The first is CCA, the IBM Common Cryptographic Architecture. IBM has offered CCA since the introduction of its first HSM products in 1989, and it is used by many systems. CCA provides a general-purpose set of cryptographic functions, but its main strength is in support of finance industry payments applications. The second is IBM Enterprise PKCS #11 (EP11). This is a newer addition to the IBM HSM, but it provides the de-facto industry standard PKCS #11 API which is used by a wide variety of software written by many companies. EP11 offers a wide variety of general-purpose, secure-key only cryptographic functions.

As implied above, your choice between CCA and EP11 may be dictated by the applications you plan to use with the HSM. Your choice may also be driven by preferences or experience in your organization. For example, if your programmers have used one of the two APIs before, they may prefer to go in that same direction for a new application.


If your application is for payment systems or other related banking operations, you should choose CCA.


If your application is written to use the industry-standard PKCS#11 API functions, you should choose EP11.

CCA / EP11 Comparison

If neither of the previous conditions apply to you, either CCA or EP11 may meet your requirements if the necessary cryptographic functions are supported. While both support most common cryptographic functions, there are differences.