QNSI

Build Pattern · CLI

Bring Your Own HSM Into QNSI

Plug a customer-controlled Thales / Entrust / Utimaco / AWS CloudHSM into QNSI KMS as the root of trust.

Use a customer-managed HSM (Thales Luna, Entrust nShield, Utimaco u.trust, AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM, IBM Cloud HSM, or Marvell LiquidSecurity) as the root of trust for QNSI KMS. Sign/wrap operations stay inside the customer HSM boundary; QNSI never holds the root.

Time to first PQC: 60 min
Primary SDK: CLI
Services used: 3

QNSI services used

Stack

Code

Real code, real SDK calls

Snippets reference the published @heossi/qnsi SDK surface (TypeScript, Python, Go, Rust, JVM/Android mirror byte-for-byte).

Register a Thales Luna PCIe HSM as the root of trust

```bash
# 1. Install the QNSI CLI
brew install heossi/tap/qnsp

# 2. Authenticate
qnsp auth login

# 3. Register the HSM (PKCS#11 module + slot)
qnsp hsm register \
  --vendor thales-luna \
  --pkcs11-module /usr/safenet/lunaclient/lib/libCryptoki2_64.so \
  --slot 0 \
  --label "prod-root-of-trust"

# 4. Generate an ML-DSA-87 root key inside the HSM (never exits)
qnsp hsm key-gen \
  --hsm prod-root-of-trust \
  --algorithm ml-dsa-87 \
  --label "qnsp-root-key-v1"

# 5. Tie the QNSI tenant root to that HSM key
qnsp tenant set-root-key --hsm-key qnsp-root-key-v1
```
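
Step 4 states that the root key never leaves the HSM; the check below is an added example, not part of the QNSI CLI or SDK, that confirms this from the PKCS#11 side by auditing the key's access flags in an OpenSC `pkcs11-tool` listing. It assumes `pkcs11-tool` is installed and can list the key, and that the `--label` given to `qnsp hsm key-gen` becomes the key's PKCS#11 label; the function name and the sample listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not QNSI code): audit the PKCS#11 access flags of one key.
# Reads an OpenSC pkcs11-tool private-key listing on stdin.
# Exit status: 0 = sensitive + never extractable + local, 1 = a flag is
# wrong or missing, 2 = no key with that label.
check_key_flags() {
  awk -v want="$1" '
    /^[A-Za-z].* Object/ { in_key = 0 }            # next object begins
    /^[ \t]*label:/ {
      lbl = $0; sub(/^[ \t]*label:[ \t]*/, "", lbl); sub(/[ \t]+$/, "", lbl)
      in_key = (lbl == want); if (in_key) found = 1
    }
    in_key && /^[ \t]*Access:/ {
      acc = $0; sub(/^[ \t]*Access:[ \t]*/, "", acc); sub(/[ \t]+$/, "", acc)
      # Split on commas so "extractable" and "never extractable" stay distinct.
      n = split(acc, f, /,[ \t]*/)
      for (i = 1; i <= n; i++) have[f[i]] = 1
    }
    END {
      if (!found) exit 2
      ok = have["sensitive"] && have["never extractable"] && have["local"]
      exit ((ok && !have["extractable"]) ? 0 : 1)
    }'
}

# Constructed sample listing, modelled on pkcs11-tool output; the type
# strings and the second key are illustrative, not captured from an HSM.
sample_listing() {
  cat <<'EOF'
Private Key Object; ML-DSA
  label:      qnsp-root-key-v1
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Private Key Object; RSA
  label:      exportable-test-key
  Usage:      sign
  Access:     sensitive, extractable, local
EOF
}

# Against the real token (prompts for the PIN):
#   pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so \
#     --login --list-objects --type privkey | check_key_flags qnsp-root-key-v1
sample_listing | check_key_flags qnsp-root-key-v1 && echo "root key is non-extractable"
```

A non-zero exit is a reason to stop before step 5: a root key that is extractable or was not generated on the token (`local` missing) does not give the boundary the pattern relies on.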
