A Hardware Security module (HSM) is a physical device that stores and manages secrets (typically private keys) and can execute cryptographic operations using the keys stored within. The secrets itself never leave the HSM, that way, sensitive data can be kept secure in an external, more controlled environment, decreasing the risks of compromising critical sensitive data.

A HSM can be accessed typically via PKCS#11 API. PKCS#11 is a standard that defines a platform-independent interface to cryptographic tokens, HSMs and smart cards. PKCS#11 API can be accessed using a driver/library provided by the OS or the device manufacturer.