Data Security and Key Management - Thales e-Security

Remote HSM Manager



Centralize management of payment HSMs for lower costs, greater control

Remote HSM Manager from Thales e-Security enables organizations to streamline and centralize administration of Thales payment hardware security modules (HSMs) by supporting secure remote monitoring and management of these devices. Remote management reduces travel to data centers, centralizes control, facilitates delegation, and enables administrators and their organizations to achieve new levels of automation and efficiency. The result is dramatic reductions in operating costs.

Designed with the most stringent security requirements in mind, Thales Remote HSM Manager addresses two primary challenges faced by today’s organizations: how to securely manage payment HSMs across multiple data centers and how to accommodate the rising number of operations that must be performed. In the past, security policies demanded that an authorized administrator physically connect to an HSM via a “dumb terminal” or console to perform routine management tasks. Given multiple data centers—some with lights-out operation—today’s increasing workload often leads to more travel and higher costs. But with Thales Remote HSM Manager, once payment HSMs are initially installed, management tasks can be executed securely from a remote location using a graphical user interface (GUI). Beyond eliminating the time and cost of travel, the GUI streamlines operations by enabling faster execution of complex commands. Centralization reduces opportunities for insider security breaches while facilitating greater separation of duties. As a result, top security personnel can delegate more routine tasks while maintaining the high levels of security demanded in today’s payment ecosystem.

Benefits of Remote HSM Manager

  • Eliminates travel to data centers, reducing costs and accelerating operations.
  • Improves control through centralized management of payment HSMs.
  • Provides 24x7 access to payment HSMs.
  • Streamlines execution of common management tasks through an intuitive GUI.
  • Works with payShield 9000 and HSM 8000.


Remote HSM Manager Features

Security Features

  • Strong authentication during connection to the hardware security module (HSM) helps eliminate man-in-the-middle attacks, therefore providing a secure management session with all cryptographic keys protected by HSMs and/or secure smart cards at all times.
  • Data encryption on all communications between the management console and the HSM provides the necessary confidentiality when connecting across open networks.
  • Comprehensive access controls, down to the level of individual HSMs, provide high levels of flexibility for system administrators.
  • A secure PC/laptop boot technique eliminates the threats posed by viruses or malware resident on the remote management machine, avoiding the need to dedicate machines to remote management tasks.

Operational Features

  • All configuration and management tasks can be performed at a location remote from the data center, thereby saving time and money and providing on-demand access to HSMs.
  • A single Remote HSM Manager client can manage multiple HSMs in multiple data centers, eliminating most travel requirements.
  • The ability to create and manage logical groups of HSMs provides a flexible and secure way to segregate complex HSM environments into smaller manageable units assigned to dedicated security teams.
  • Flexible administration enables changes to HSMs and/or security personnel to be implemented quickly and securely.
  • One Remote HSM Manager can manage current and legacy Thales payment HSMs (i.e. payShield 9000 and HSM 8000), minimizing complexity and operating costs. 

Remote HSM Manager Options & Accessories



System Pack Software Upgrade

The Remote HSM Manager software application that runs on the remote PC/laptop is upgraded periodically to incorporate new features introduced in new payShield 9000 base software releases. The new software is supplied on a CD-ROM.

Additional Smart Cards


To address the needs of organizations that require more smart cards than are supplied as standard with the Remote HSM Manager system pack, additional packs of 10 Administrator and 10 Operator smart cards are available. The cards are configured at the Thales factory for use either as Operator or Administrator smart cards and are not interchangeable for security reasons.

Additional Smart Card Readers


The standard Remote HSM Manager system pack incorporates 3 smart card readers to facilitate normal operation of the system. In the event that a smart card reader is damaged or lost/stolen or that additional back-up units are required, Thales provides customers with the ability to purchase additional smart card readers that can be used with any Remote HSM Manager installation.

Remote HSM Manager Specifications

System configuration

  • HSM-issued PKI-based credentials for mutual authentication
  • Creation and management of logical HSM groups
  • Role-based access by security personnel (Administrators and Operators) enforced through personalized smart cards
  • Allocation of security personnel to individual HSMs for remote management purposes 

Remote device management capabilities

  • Online, offline, secure and authorized state operations with smart cards replacing physical keys from local management mode
  • Interface management enabling all host and management configurations to be controlled
  • Security configuration settings enabling the primary security parameters for the HSM to be configured
  • Loading of firmware and license files
  • Audit trail management
  • Status information providing insight into HSM security configuration and processing status and device utilization

Supported remote key management operations

  • Generate keys
  • Key import
  • Key export
  • Generate key components
  • Encrypt components
  • Form key from components
  • Local master key (LMK) management

Logical and physical security

  • Secure PC or laptop boot to lock down operating system environment
  • Strong mutual authentication for establishment of remote session
  • Encryption to protect all data using a mixture of 3DES and RSA algorithms

HSM compatibility

  • payShield 9000 with firmware version 1.0 or later
  • HSM 8000 with firmware version 3.1 or later
