Custom HSM

To support secure storage of the encryption key when encrypting SB3.1 and SB4.0 files, the HSM must support a CMAC operation.

We will use a simple Flask REST API application representing the HSM. In our setup, the HSM has 2 AES keys already deployed. We'll access them using a key_id parameter.

  1. Setup

Run the following code to start the HSM application. Please note that this process has to run in the background (only close/stop this notebook once you're done with the HSM operations).

from hsm.hsm import app

app.run(host="127.0.0.1", port=5010)

 * Serving Flask app 'hsm.hsm'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:5010
Press CTRL+C to quit
127.0.0.1 - - [01/Aug/2025 17:09:20] "GET /api/cmac/0 HTTP/1.1" 200 -