QNSP

Build Pattern · CLI

Bring Your Own HSM Into QNSP

Plug a customer-controlled Thales / Entrust / Utimaco / AWS CloudHSM into QNSP KMS as the root of trust.

Use a customer-managed HSM (Thales Luna, Entrust nShield, Utimaco u.trust, AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM, IBM Cloud HSM, or Marvell LiquidSecurity) as the root of trust for QNSP KMS. Sign/wrap operations stay inside the customer HSM boundary; QNSP never holds the root.

Time to first PQC: 60 min
Primary SDK: CLI
Services used: 3

Code

Real code, real SDK calls

Snippets reference the published @cuilabs/qnsp SDK surface (TypeScript, Python, Go, and Rust mirror byte-for-byte).

Register a Thales Luna PCIe HSM as the root of trust (bash)
# 1. Install the QNSP CLI
brew install cuilabs/tap/qnsp

# 2. Authenticate
qnsp auth login

# 3. Register the HSM (PKCS#11 module + slot)
qnsp hsm register \
  --vendor thales-luna \
  --pkcs11-module /usr/safenet/lunaclient/lib/libCryptoki2_64.so \
  --slot 0 \
  --label "prod-root-of-trust"

# 4. Generate an ML-DSA-87 root key inside the HSM (the private key never leaves it)
qnsp hsm key-gen \
  --hsm prod-root-of-trust \
  --algorithm ml-dsa-87 \
  --label "qnsp-root-key-v1"

# 5. Tie the QNSP tenant root to that HSM key
qnsp tenant set-root-key --hsm-key qnsp-root-key-v1
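
Step 3 points at a PKCS#11 module, which is a native library loaded into whatever process talks to the HSM. The pre-flight check below is an added example, not part of the QNSP CLI or its documentation; check_pkcs11_module and file_sha256 are hypothetical helper names, and the optional pinned SHA-256 is assumed to come from your own record of the vendor client install.

```bash
#!/usr/bin/env bash
# Added example: vet a PKCS#11 module path before registering it.
# Usage (path taken from step 3; PINNED_SHA256 is your own recorded value):
#   check_pkcs11_module /usr/safenet/lunaclient/lib/libCryptoki2_64.so "$PINNED_SHA256"

# Print the SHA-256 of a file using whichever tool is installed.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# check_pkcs11_module <path> [expected-sha256]
# Returns 0 if the module passes; prints the reason to stderr and returns 1 otherwise.
check_pkcs11_module() {
  local module="$1" expected="${2:-}" dir actual
  if [ -L "$module" ]; then
    echo "reject: $module is a symlink; register the resolved path" >&2; return 1
  fi
  if [ ! -f "$module" ]; then
    echo "reject: $module is not a regular file" >&2; return 1
  fi
  # Anyone who can rewrite the library can observe the slot PIN and every
  # sign/wrap request that passes through the client process.
  if [ -n "$(find "$module" -prune \( -perm -020 -o -perm -002 \))" ]; then
    echo "reject: $module is group- or world-writable" >&2; return 1
  fi
  # A world-writable directory without the sticky bit lets others swap the file.
  dir=$(dirname "$module")
  if [ -n "$(find "$dir" -prune -perm -002 ! -perm -1000)" ]; then
    echo "reject: $dir is world-writable without the sticky bit" >&2; return 1
  fi
  # Optional integrity pin against a hash recorded at install time.
  if [ -n "$expected" ]; then
    actual=$(file_sha256 "$module")
    if [ "$actual" != "$expected" ]; then
      echo "reject: sha256 $actual does not match the pinned value" >&2; return 1
    fi
  fi
  echo "ok: $module"
}
```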
