

Introducing HSMs

Thibault de Lachèze-Murel
Nikita Sorokovikov
Thibaud Genty
July 2, 2025

A new chapter for bank-grade, composable key management and orchestration.

Since 2020, we’ve championed multi-party computation (MPC) as the most secure and resilient way to protect private keys. That belief remains strong, but our vision has expanded. Dfns is evolving from a preconfigured security stack into a wider orchestration platform: an operating system that lets clients choose the cryptographic methods that best match their risk and compliance needs.

Our MPC-based key management service has secured wallets for leading fintechs, PSPs, exchanges, and custodians. But as institutional adoption grows, we’re seeing a major shift: organizations want more control over how and where their keys are managed, driven in large part by regulatory requirements. Whether it’s due to compliance rules, internal IT policies, or national laws, a one-size-fits-all MPC cloud stack, even with its resilience and distributed architecture, isn’t always enough.

That’s why we’re launching our HSM Service: a new capability that lets any Dfns client run our programmable wallet infrastructure using their own Hardware Security Modules (HSMs). This means private keys can be stored in FIPS-certified hardware—on-premises, in the cloud, or in any location they choose—whether for internal use or for end-users.

Our first release adds native support for the IBM Crypto Express HSM. This means IBM Z and LinuxONE clients can access blockchains and digital asset rails without changing their existing IBM HSM setup, while benefiting from the same transaction lifecycle management, identity and access management, and developer tools that power the Dfns blockchain wallet infrastructure.

Why Hardware Security Modules and why now?

HSMs have long been the gold standard for high-assurance cryptographic operations, and they still are. Validated against NIST’s FIPS 140-2 and FIPS 140-3, these devices are purpose-built to generate, store, and use cryptographic keys without ever exposing them outside the module’s tamper-protected boundary. Enterprise security teams already rely on them to protect assets like card payment keys, TLS private keys, public key infrastructure (PKI) roots of trust, and more. Banks, payment companies, government agencies, custodians, and large corporations have used HSMs for years to protect authentication credentials and digital signing keys. But connecting HSMs to blockchain workflows, especially at scale, has been difficult:

  • Blockchain signatures use curves (secp256k1, Ed25519) and encodings (DER with low-s, or r/s/v with a recovery id) that traditional PKI tooling doesn’t produce
  • Signing flows don’t match blockchain transaction models (a chain-specific serialized payload is hashed and signed, not an X.509 or CMS object)
  • Each HSM vendor has its own SDK with different APIs and behaviors
  • HSM infrastructure often sits outside existing key orchestration systems

Our HSM Service fixes that. By bridging through the standard PKCS#11 interface, our service lets certified HSMs work with the Dfns wallet platform just like our cloud-based MPC clusters. Key operations such as generation, signing, and backup all go through the vendor’s off-the-shelf PKCS#11 library. If your HSM supports the standard, it can now serve any blockchain the platform supports, with one practical caveat: the PKCS#11 provider must expose the curves a chain needs (secp256k1 for Bitcoin and Ethereum, Ed25519 for Solana), which you should confirm in the vendor’s PKCS#11 documentation or with a test key generation using the curve’s OID in CKA_EC_PARAMS before onboarding. What this unlocks:

  • Vendor-agnostic support: One PKCS#11 integration covers any FIPS-certified HSM that ships a PKCS#11 library.
  • Faster deployments: Prebuilt connectors mean you’re live in days—not months. No need for custom-built adapters like those used by Fireblocks' “Key Link.”
  • Unified governance: The same Dfns policies, approvals, and audit trails work across MPC and HSM infrastructure. Nothing changes in your control panel.
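The format mismatch in the first bullet above is concrete: C_Sign with CKM_ECDSA returns the signature as r || s, two fixed-width big-endian integers, while Bitcoin expects a DER-encoded signature with a low-s value and Ethereum expects (r, s, v), where v carries a recovery id the HSM never computes. The following is an added example, not Dfns code and not part of the original post, of the post-processing a PKCS#11 bridge performs on that raw output. The HSM call is replaced by a toy signer with a constructed private key and fixed nonce so the script runs offline; in production the 64 raw bytes would come from C_Sign via the vendor’s PKCS#11 library and the public point from the key’s CKA_EC_POINT attribute (both assumptions about the surrounding integration, not shown here).

```python
from hashlib import sha256

# secp256k1 domain parameters (SEC 2), the curve used by Bitcoin and Ethereum
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def scalar_mult(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def hsm_sign_raw(priv, z, k):
    """Stand-in for C_Sign with CKM_ECDSA, which returns r || s as two
    fixed-width 32-byte integers. Constructed for this example only: a real
    HSM keeps priv inside the module and chooses k itself."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def parse_raw(sig):
    """Split CKM_ECDSA output into (r, s), rejecting malformed values."""
    if len(sig) != 64:
        raise ValueError("expected 64-byte r||s signature")
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        raise ValueError("r or s out of range")
    return r, s

def normalize_low_s(r, s):
    """BIP-62 / EIP-2: (r, s) and (r, N - s) both verify, so nodes reject
    high-s values to block third-party signature malleability."""
    return r, (N - s if s > N // 2 else s)

def der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # 0x00 pad if top bit set
    return b"\x02" + bytes([len(b)]) + b

def to_der(sig):
    """Bitcoin-style DER SEQUENCE { r, s } with low-s normalization."""
    r, s = normalize_low_s(*parse_raw(sig))
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def recover(r, s, z, recid):
    """Recover Q from (r, s, recid) per SEC 1 4.1.6; None if no valid point."""
    x = r + (recid >> 1) * N
    if x >= P:
        return None
    rhs = (x ** 3 + 7) % P
    y = pow(rhs, (P + 1) // 4, P)  # modular sqrt, valid because P % 4 == 3
    if y * y % P != rhs:
        return None
    if (y & 1) != (recid & 1):
        y = P - y
    # Q = r^-1 * (s*R - z*G)
    return scalar_mult(pow(r, -1, N),
                       point_add(scalar_mult(s, (x, y)), scalar_mult((N - z % N) % N, G)))

def to_ethereum(sig, z, pub):
    """Ethereum (r, s, v) with v = 27 + recid. The HSM never emits recid and
    low-s normalization flips it, so derive it afterwards by trial recovery
    against the key's public point (CKA_EC_POINT)."""
    r, s = normalize_low_s(*parse_raw(sig))
    for recid in range(4):
        if recover(r, s, z, recid) == pub:
            return r, s, 27 + recid
    raise ValueError("signature does not recover to the supplied public key")

if __name__ == "__main__":
    # Constructed private key and nonce so the run is reproducible offline
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    k = 0xA5B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90
    pub = scalar_mult(priv, G)
    z = int.from_bytes(sha256(b"constructed unsigned transaction").digest(), "big")
    raw = hsm_sign_raw(priv, z, k)
    print("DER      :", to_der(raw).hex())
    print("eth r,s,v:", to_ethereum(raw, z, pub))
```

Two details matter in practice. The recovery id is computed after low-s normalization, because replacing s with N - s negates the recovered point and flips the id; an integration that captures recid before normalizing produces transactions that recover to the wrong address. And `parse_raw` rejects zero or out-of-range r and s before anything else sees them, which is the check a bridge should apply to every raw buffer the PKCS#11 library hands back.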

This launch is part of a bigger shift. Dfns is becoming a flexible orchestration layer, not just an MPC wallet. You decide how keys are stored and protected: MPC, HSM, TEE, or any mix. We handle the routing, signing, auditing, and developer-facing APIs. The result is a single, unified wallet infrastructure that adapts to your operational, compliance, and risk needs.

Starting with IBM Crypto Express HSM

We’re launching our HSM Service with native support for the IBM Crypto Express HSM, a high-assurance cryptographic module purpose-built for regulated environments. Crypto Express is IBM’s dedicated HSM, a secure hardware card that fits into IBM mainframes (like IBM Z and LinuxONE). It's responsible for cryptographic operations and secure key storage. Think of it as the digital vault used to generate, store, and use private keys in a physically and logically secure environment. This lets banks and financial market infrastructures use Dfns’ programmable wallet infrastructure while remaining fully inside their existing IBM compliance perimeter—on-premises, in the cloud, or across jurisdictions.

By connecting Dfns’ wallet orchestration system to IBM’s secure boundary, financial institutions gain the ability to securely store and manage private keys without needing to modify their architecture. This means:

  • Full support for PKCS#11, making integration with IBM Crypto Express seamless and standards-based.
  • No changes to existing workflows. Dfns’ wallet APIs integrate natively with the HSM, so institutions can adopt digital asset capabilities without reengineering internal systems.
  • All core Dfns wallet services, including transaction handling, access policies, logging, and webhooks, work out of the box with the HSM.
  • Quantum-safe cryptography support on the current Crypto Express generation, future-proofing the security infrastructure for the post-quantum era (on-chain transactions still use each chain’s own signature scheme until the chain itself migrates).
  • Secure key management fully within IBM’s compliance and control perimeter, minimizing operational risk and audit overhead.

What makes IBM Crypto Express HSM best-in-class

IBM’s Crypto Express (CEX) is more than just an HSM, it’s a highly programmable, tamper-sensing and tamper-responding cryptographic card that delivers:

  • FIPS 140-2 Level 4 certification, the highest security level the standard defines.
  • Concurrent firmware updates, meaning institutions can patch and upgrade security logic without taking the system offline.
  • Support for multiple operating modes, including accelerator, Common Cryptographic Architecture (CCA) coprocessor (for IBM native crypto operations), and enterprise PKCS#11 (EP11) coprocessor (for open-standard applications).
  • Advanced virtualization, with up to 85 domains per adapter (on models A01/LA1), each assignable to its own logical partition, making it ideal for multi-tenant, multi-asset infrastructures.
  • User-Defined Extensions (UDX), enabling custom cryptographic logic to be embedded directly in firmware.
  • Secure boot and secure code loading, ensuring that only IBM-signed firmware can run on the HSM.

Extending on-premises capabilities in hybrid architectures

As a next step, we’re expanding our integration with the IBM ecosystem by adding support for services like Offline Signing Orchestrator (OSO) and Hyper Protect Virtual Servers (HPVS). These capabilities will allow companies and institutions to design and deploy hybrid custody systems, where different classes of digital assets can be managed across segmented, policy-driven compute environments, designed to meet the specific compliance, latency, and security needs of each use case.

With OSO, institutions gain the ability to manage offline and air-gapped signing workflows, enabling full digital asset custody and transaction approval in physically isolated environments. This is especially critical for adhering to national financial regulations that mandate strict operational segregation, such as cold storage requirements for digital assets, or sovereign control over cryptographic materials.

At the same time, HPVS offers a hardened, cloud-native runtime environment on IBM Z and LinuxONE, built on IBM Secure Execution for Linux. It provides encryption of data in transit, at rest, and in use, isolation of the workload from the host and its administrators, and root-of-trust guarantees from the hardware layer up. This allows institutions to deploy programmable wallets and signing infrastructure in trusted cloud environments without sacrificing confidentiality, integrity, or compliance.

Together, these services unlock new levels of deployment flexibility:

  • Assets that require air-gapped protection can be handled by OSO.
  • Assets that benefit from automated orchestration and scaling can run on HPVS.
  • All of it is managed through a unified Dfns orchestration layer that preserves policy control, logging, and key segregation across environments.

By enabling this kind of asset-specific infrastructure optimization, we’re helping regulated institutions operate within strict legal frameworks, without compromising on security, scalability, or operational agility.

Our HSM abstraction layer is also being extended to support other major vendors, ensuring that our wallet infrastructure can run on any hardware, in any jurisdiction, under any compliance regime. We’re proud to offer this first capability to IBM’s global enterprise customers, and help bridge the gap between traditional financial security models and modern digital asset operations. More to come soon.

Regulatory and jurisdictional compliance

In many countries, using HSMs is a hard legal requirement. Financial institutions and digital asset custodians are often required to keep cryptographic keys within national borders, to ensure those keys can be seized under local court orders, and to avoid relying on infrastructure that doesn’t meet local compliance standards. This is especially true in places like:

  • Turkey, where MASAK requires digital financial institutions to keep data and keys on local soil
  • United Arab Emirates, where VARA and ADGM demand that service providers maintain physical control of cryptographic systems
  • Singapore, where MAS regulations emphasize local key control and auditability
  • Hong Kong, where HKMA licensing often depends on HSM-based custody hosted domestically
  • South Korea, where the FSC enforces strict rules on localization and audit trails for crypto custody

The Dfns HSM Service is designed to meet these needs. It allows regulated institutions to register their own devices, and still benefit from Dfns’ programmable wallet platform with all its security features.

Get started today with Dfns HSM Service

Our HSM service opens a new chapter for Dfns, one that puts flexibility at the center of key management. Whether you use MPC, HSMs, a traditional KMS, or a mix of all three, our platform now lets you manage every cryptographic operation through a single, programmable interface. That means you can build, scale, and secure your digital asset products without compromise.

Once your HSM is registered and connected to Dfns, you’ll be running your digital asset stack with your own hardware—no rewrites, no vendor lock-in, and full control over your keys. This launch gives IBM and Dfns customers more choice over where keys are stored, how they’re accessed, and how they're secured, without giving up speed, flexibility, or interoperability. Everything continues to work just like it does with our MPC wallets. Explore the docs or contact our solutions team to get started today.
