Using HSM-protected encryption keys
In connection with (or as an alternative to) the Venafi Platform software key, Trust Protection Platform allows you to use AES encryption keys stored on SafeNet Luna SA and Entrust nShield devices to encrypt the certificate private keys, credential objects, and SSH keys. In addition, private code signing keys can be stored on SafeNet Luna SA and Entrust nShield devices, and code signing operations using those keys will be performed on those devices.
IMPORTANT If you elect to use a hardware security module (HSM) to protect your assets in Trust Protection Platform, you must ensure that you use your HSM vendor's documented method to back up the keys. In addition, if you use Venafi Platform software encryption, you should ensure the software key is backed up. For information on backing up the software key, see Backing up the software encryption key.