Utimaco — SecurityServer Se Gen2
Common Models
- SecurityServer Se Gen2, available as a LAN appliance or a PCIe card (u.trust GP HSM Se-Series). Client interfaces: PKCS#11, CNG/CSP/SQLEKM, JCE.
FIPS Status
- Se Gen2 (CryptoServer Se-Series Gen2): FIPS 140-2 Level 3 validated (listed by the NIST Computer Security Resource Center).
- Path to FIPS 140-3: Utimaco states that FIPS 140-3 Level 3/4 validation is "in progress" for the Se-Series GP HSM line; we map workloads to the validated firmware and plan phased cutovers as certificates are published.
PQC (Post-Quantum) Support
- Mechanism: crypto-agile firmware extensions add PQC to the GP HSMs; Utimaco indicates support for the NIST-selected schemes (Kyber/ML-KEM, Dilithium/ML-DSA) and for hash-based signatures (HSS/XMSS). We design dual-stack rollouts so classical (RSA/ECDSA) and PQC keys live side by side during migration.
Dual Private-Key Format Support (Seed vs Expanded)
- Context: PQC introduces two private-key representations—compact seeds (tens of bytes) and expanded keys (roughly 1.6–4 KB). Industry work is moving toward seed-centric PKCS#12 profiles, which affects key storage, backup, and interchange.
- What we implement on Se Gen2:
  - Seed custody in the HSM: seeds are stored as high-assurance objects; export is controlled by dual control/split knowledge and partition policy.
  - Deterministic re-derivation in hardware: expanded keys are materialised from their seeds inside the module for KEM and signing operations, so large keys need not be persisted where policy forbids it.
  - Expanded-key import and lifecycle: where applications require expanded keys, they are imported or wrapped into the SecurityServer with labels, rotation, archival, and a FIPS-approved configuration.
  - Backup and portability: HSM-wrapped seed objects (and, if necessary, expanded keys) are backed up under tamper-evident ceremonies; runbooks cover the migration from traditional PFX files to seed-centric custody as the standards finalise.
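The seed-custody model above, as an added illustration that is not Utimaco or SafeCipher code: a constructed vault that keeps only 32-byte seeds at rest, re-derives the expanded key with a XOF each time it is used (ML-KEM and ML-DSA likewise derive all private material deterministically from a seed), and refuses seed export without two distinct approvers. The `SeedVault` class, the `expand_seed` helper and the SHA3-based stand-in for the real signing primitive are assumptions, since the standard library carries no PQC scheme.

```python
import hashlib
import secrets

SEED_LEN = 32
EXPANDED_LEN = 4032  # ML-DSA-65 private-key size, the upper end of the range cited above


def expand_seed(seed: bytes, alg: str, size: int = EXPANDED_LEN) -> bytes:
    """Deterministically materialise an expanded key from a seed.

    SHAKE256 over a domain tag and the seed, so the same seed yields
    a different expanded key per algorithm and the same key every time.
    """
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be 32 bytes")
    return hashlib.shake_256(alg.encode() + b"\x00" + seed).digest(size)


class SeedVault:
    """Constructed custody model: seeds at rest, expanded keys only in memory."""

    def __init__(self, approvers_required: int = 2):
        self._seeds = {}              # label -> (algorithm, seed)
        self.quorum = approvers_required

    def generate(self, label: str, alg: str) -> None:
        self._seeds[label] = (alg, secrets.token_bytes(SEED_LEN))

    def import_seed(self, label: str, alg: str, seed: bytes) -> None:
        if len(seed) != SEED_LEN:
            raise ValueError("seed must be 32 bytes")
        self._seeds[label] = (alg, seed)

    def sign(self, label: str, msg: bytes) -> bytes:
        alg, seed = self._seeds[label]
        expanded = expand_seed(seed, alg)  # re-derived per use, never persisted
        # Stand-in for the module's real signing operation (no PQC in stdlib).
        return hashlib.sha3_256(expanded + msg).digest()

    def expanded_size(self, label: str) -> int:
        alg, seed = self._seeds[label]
        return len(expand_seed(seed, alg))

    def export_seed(self, label: str, approvers: set) -> bytes:
        """Dual control: the seed leaves only with a quorum of distinct approvers."""
        if len(approvers) < self.quorum:
            raise PermissionError(f"need {self.quorum} distinct approvers")
        return self._seeds[label][1]
```

Two vaults that import the same seed produce identical signatures, which is the property that lets a seed-only backup restore a key without ever escrowing the expanded form.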
How SafeCipher Helps (Procure • Deploy • Support)
- Procurement and contracts: sizing, quotes, spares/RMA, co-termed renewals, and roadmap planning for the FIPS 140-3 transition.
- Deployment and integration: HA/cluster design, client toolchains (PKCS#11/CNG/JCE), KMIP/KMS patterns, firmware governance, and performance tuning for the LAN and PCIe form factors.
- Operations: 24×7 or business-hours support options, monitoring, seed and expanded-key ceremonies, backup/escrow, audit-ready evidence, and crypto-agility playbooks for PQC pilots.
Bottom line
Whichever HSM or crypto platform you choose, we can help you buy it right, deploy it right, and keep it right—without locking you to a single vendor.