Crypto4A QxHSM
Common Models / Form Factors
- QxHSM: next-gen, network-attached HSM in a modular blade form factor; designed for crypto-agility and quantum-safe operations. Unlimited client licenses, clustering, quorum authorization.
FIPS Status
- Current: QxHSM marketed as FIPS 140-2 Level 3+ capable (deployed in FIPS-approved configuration).
- 140-3 track: Crypto4A’s QASM (the cryptographic module underpinning QxHSM) has been submitted for FIPS 140-3 Level 3 with full NIST PQC algorithm coverage (FIPS 203/204/205 & LMS). We plan phased cutovers as validations publish.
PQC (Post-Quantum) Support
- Platform support: QxHSM platform software 4.4 adds official support for NIST PQC algorithms (ML-KEM/Kyber, ML-DSA/Dilithium; with crypto-agility for others like LMS). DigiCert documents PQC integrations using QxHSM in PKI/CLM stacks. We design dual-stack rollouts so classical (RSA/ECDSA) and PQC co-exist during migration.
Dual Private-Key Format Support (Seed vs Expanded)
- Context: PQC introduces two representations—compact seeds (~tens of bytes) and expanded private keys (~1.6–4 KB). Seed-centric custody impacts backup, portability, and PKCS#12 profiles now being refined by standards bodies.
- What we implement on QxHSM estates:
  - Seed custody inside the HSM: Store seeds as high-assurance objects; apply dual control/split knowledge and policy tags.
  - Deterministic re-derivation in hardware: Materialize expanded keys from seeds inside the QxHSM/QASM boundary for KEM/signing, avoiding persistent storage of large keys when policy forbids it.
  - Expanded-key import & lifecycle: Where apps require expanded keys, import/wrap under FIPS-approved configuration with labeling, rotation, and archival controls.
  - Backup & portability: HSM-wrapped seed objects (and, if necessary, expanded keys) with tamper-evident ceremonies; runbooks to shift from traditional PFX to seed-centric custody as seed-only PKCS#12 profiles finalize.
(Crypto4A collateral emphasizes quantum-safe design, sectorization/partitioning, and QASM module assurance.)
How SafeCipher Helps (Procure • Deploy • Support)
- Procurement & contracts: Sizing, pricing, spares/RMA logistics, co-termed renewals; roadmap planning for FIPS 140-3 transition of QxHSM/QASM.
- Deployment & integration: Cluster design, client stacks (PKCS#11/CNG/JCE), PKI/code-signing/data-protection onboarding, and performance tuning; we enforce FIPS-approved modes and crypto-agility settings.
- Operations: 24×7/BH support options, monitoring/telemetry, seed/expanded-key ceremonies, backup/escrow, and auditor-ready evidence packs; we also coordinate with ecosystem partners (e.g., DigiCert) for PQC-ready PKI.
Bottom line
Whichever HSM or crypto platform you choose, we can help you buy it right, deploy it right, and keep it right—without locking you to a single vendor.