An HSM, or Hardware Security Module, is a specialised security device used to protect cryptographic keys and support controlled signing operations.
In institutional custody, HSMs are used as part of a broader security architecture. They help protect sensitive cryptographic material and ensure that signing activity is performed through controlled, governed processes rather than through direct user access to private keys.
Why are HSMs used in custody?
HSMs are designed to protect cryptographic operations in high-security environments.
In a custody context, HSMs can support:
- Secure generation or protection of key material
- Controlled transaction signing
- Separation between user access and key access
- Operational governance around signing activity
- Protection against unauthorised key use
- Stronger control over sensitive cryptographic workflows
An HSM is one component of a custody security model. It works alongside user roles, approval workflows, quorum rules, infrastructure controls, monitoring, and operational procedures.
Do users interact directly with HSMs?
In normal BE Custody workflows, users do not interact directly with HSMs.
Users access BE Custody through approved product interfaces such as BE Custody Web, the Bitpanda Custody iOS app, or approved integration channels. Signing and approval workflows are controlled through the organisation’s configured roles, permissions, and governance model.
Private keys are not displayed to users through BE Custody Web or the Bitpanda Custody iOS app.
Does an HSM replace approval controls?
No. An HSM protects cryptographic operations, but it does not replace operational approval controls.
Institutional custody requires both technical and governance controls. For example, an organisation may use role-based access, quorum approval, policy controls, and internal review processes to determine whether a signing action should be authorised.
The HSM supports secure signing, while approval workflows help determine whether signing should proceed.
Are all HSM setups the same?
No. HSM deployment models can vary depending on the custody setup, service model, infrastructure requirements, and operational configuration.
The exact architecture and responsibilities may differ between organisations and deployment models. Public Help Centre articles provide high-level guidance only and do not describe sensitive implementation details.
Where required, Bitpanda Enterprise Custody can provide appropriate technical, security, or due diligence information through approved review channels.
What should organisations consider?
Organisations evaluating or using institutional custody should consider how HSM-based controls interact with broader governance requirements, including:
- User roles and permissions
- Transaction approval workflows
- Quorum requirements
- Governance change processes
- Operational separation of duties
- Audit and reporting expectations
- Incident escalation procedures
- API and integration controls, where applicable
Why are some HSM details not published?
Some HSM and security architecture details are not published in the Help Centre because they may be sensitive.
Publishing detailed information about infrastructure, signing flows, key lifecycle procedures, or security controls could reduce the effectiveness of those controls. More detailed information may be shared through approved commercial, security, legal, compliance, or due diligence processes where appropriate.