SSLTrust

What are Hardware Security Tokens (HSM)? A Comprehensive Explanation

A hardware security token is a physical device that generates, stores, and leverages cryptographic keys in tamper-resistant hardware, ensuring that keys cannot be extracted from the device in a usable form.


Learning Objectives

After reading this article you will be able to:

  • Explain what a hardware security token is
  • Distinguish between a hardware security token and a Hardware Security Module
  • Understand why hardware storage is a prerequisite


Hardware security tokens specifically address the possibility that a malicious actor could obtain a copy of a legitimate owner’s private key and use it to sign malware. As the private key had been issued by a trusted Certificate Authority, this would allow malware to easily go undetected for a potentially long stretch of time and cause a huge amount of damage. Hardware security tokens generate an internal private key that is stored on a secure onboard chip, making it non-exportable. The token performs signing operations internally, which means there’s no file to steal, copy, or leak.

Hardware tokens are the current signature delivery mechanism of choice for Certificate Authorities issuing code-signing certificates. CAs ship pre-configured tokens with private keys on board, making the process of signing easy and foolproof.

Hardware Security Token vs. HSM

HSM stands for Hardware Security Module, which is a related but distinct form factor:

| | Hardware Security Token | Hardware Security Module (HSM) |
| --- | --- | --- |
| Form Factor | Smart card or USB dongle | Rack-mounted appliance or cloud service |
| Use Case | Small developers | Enterprises, CAs, institutions |
| Price | Low | Organisation name |
| Example | SafeNet, Gemalto 5100/5110 | Azure Key Vault |

The key difference between a Hardware Security Module and a Hardware Security Token is in scale: both otherwise serve the same purpose and satisfy the same compliance standards.

Why is Hardware Storage Necessary?

Hardware key storage became a hard requirement as of June 2023, when the CA/Browser Forum enacted a new code-signing standardisation. While EV code signing certificates did have this requirement in place before, OV code signing certificates could be issued as downloadable files, meaning the private key was stored as an executable on the developer’s machine.

Now, all code signing certificates must have their private keys stored on hardware certified to one of the following standards:

  • FIPS 140-2 Level 2 by NIST

  • Common Criteria EAL 4+, which is an international security evaluation framework

These standards outline the minimum requirements for randomness generation, key storage, and resistance to physical tampering.
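The requirement above exists because file-based keys can be copied. As an added example (not part of the original article), the following Python audit walks a directory and reports private keys still stored as PEM or PKCS#12 files. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# PEM labels that mark private key material (PKCS#8, legacy OpenSSL, OpenSSH).
PEM_PRIVATE = re.compile(rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY)-----")
PKCS12_EXT = {".pfx", ".p12"}

def classify(path):
    """Return a label if the file holds copyable key material, else None."""
    with open(path, "rb") as fh:
        head = fh.read(65536)  # armor lines and DER headers sit at the start
    match = PEM_PRIVATE.search(head)
    if match:
        return "pem:" + match.group(1).decode()
    # PKCS#12 is DER: outer SEQUENCE (0x30), then INTEGER version 3 (02 01 03).
    ext = os.path.splitext(path)[1].lower()
    is_pfx = ext in PKCS12_EXT and head[:1] == b"\x30" and b"\x02\x01\x03" in head[:8]
    return "pkcs12" if is_pfx else None

def scan(root):
    """Walk root and map relative path -> finding for every key file found."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                label = classify(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if label:
                findings[os.path.relpath(full, root)] = label
    return findings

def demo():
    """Scan a constructed sample tree; the contents are placeholders, not keys."""
    samples = {
        "signing.key": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n",
        "codesign.pfx": b"\x30\x82\x00\x10\x02\x01\x03" + b"\x00" * 13,
        "cert.pem": b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n",
        "notes.pfx": b"plain text with a misleading extension\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

A passphrase-protected key file is still reported, because it remains a copyable file that can be attacked offline. Certificates and files that merely carry a `.pfx` extension are not flagged.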

Azure Key Vault as an Alternative to HSMs

Cloud services can serve the same function as dedicated rack-mounted HSMs do, with Azure Key Vault as an example. For companies operating within the Microsoft Azure ecosystem, this is a viable alternative to purchasing and maintaining a bespoke appliance.

Azure Key Vault comes in Standard and Premium tiers, with the latter offering options to generate and store keys on dedicated HSM hardware. The signing workflow also integrates with Azure’s APIs, programmatically triggering signing operations without the key leaving Azure’s hardware context.

The main downside to relying on Azure Key Vault is operational: developers are dependent on cloud connectivity and must operate within Microsoft’s platform, with ongoing subscription costs.

To Summarize

A hardware security token is a tamper-resistant device that stores an issued cryptographic private key, making it easy to use and impossible to extract. All code signing certificates (both OV and EV) now necessitate dedicated FIPS 140-2 Level 2 or Common Criteria EAL 4+ compliant hardware, eliminating the risk of private key theft via file access. Physical USB tokens, rack-mounted HSMs, and cloud-based equivalents can be used to meet these requirements, depending on the user’s scale of operations and cost expectations.