

Securosys HSM Integration

José Aguinaga
April 16, 2026

Dfns integrates Securosys Primus HSM.

Dfns now supports Securosys Hardware Security Modules (HSMs) for blockchain wallets and key management. We are continuing to expand programmable wallet infrastructure into the most secure hardware environments used by financial institutions today. With this integration, Dfns natively connects to Securosys Primus HSMs, allowing institutions to extend their existing cryptographic security perimeter to digital asset operations.

For organizations already relying on Securosys to secure payment credentials, PKI systems, or interbank settlement infrastructure, this integration enables blockchain key management within the same certified boundary. Dfns provides the orchestration layer on top, including key generation, transaction signing, and full transaction lifecycle management, whether deployed on-premises or through Securosys’ globally distributed CloudHSM service.

This integration reflects a broader shift in Dfns’ architecture. We are evolving into a cryptographic orchestration layer that sits between secure hardware and blockchain networks, abstracting complexity while preserving control. Whether you use Securosys, Thales, or IBM HSMs, Dfns provides a single interface for wallet creation, transaction execution, and policy enforcement across all environments.

Extending secure hardware to blockchain systems

With Securosys, institutions can maintain strict control over where keys are generated, stored, and used. This includes fully on-premises deployments, jurisdiction-specific setups, or Securosys’ CloudHSM infrastructure hosted across Switzerland, Germany, the United States, and Singapore.

This model ensures that infrastructure decisions remain flexible while security boundaries remain intact. The cryptographic backend becomes a deployment choice rather than a system constraint.

This integration enables:

  • Vendor-agnostic infrastructure. Institutions can choose the HSM vendor that meets their compliance, sovereignty, and operational requirements, while relying on Dfns for consistent wallet behavior across environments.
  • Faster go-lives. Securosys support is available out of the box, removing the need for custom integrations or multi-month deployment cycles.
  • Unified governance. The same access control policies, approval workflows, and audit logs apply across MPC and HSM-based environments.
  • Sovereign key control. Keys remain within controlled environments, whether on-premises or within Securosys’ Swiss-hosted CloudHSM, with full control over their lifecycle and location.

How the integration works

Dfns integrates with Securosys through the PKCS#11 standard, the industry interface supported by all major HSM vendors. This ensures compatibility without requiring custom middleware, adapters, or changes to existing transaction flows.

Dfns handles all blockchain-specific logic, including derivation paths, transaction serialization, signature normalization, and chain-specific encoding. The HSM is responsible only for cryptographic operations such as ECDSA (secp256k1) and EdDSA (Ed25519). This separation keeps the HSM focused on secure computation while Dfns manages blockchain complexity.
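The split described above means the orchestration layer must post-process what the HSM returns. The following is an added example, not Dfns code: it assumes "signature normalization" means low-S canonicalization and DER encoding of the raw r || s value that the PKCS#11 CKM_ECDSA mechanism returns. All function names are hypothetical and the sample bytes are constructed.

```python
# Added example, not Dfns code. Assumes "signature normalization" means
# low-S canonicalization plus DER encoding; all names are hypothetical.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order
HALF_N = N // 2

def split_raw(sig: bytes) -> tuple[int, int]:
    """PKCS#11 CKM_ECDSA output is r || s, each zero-padded to 32 bytes."""
    if len(sig) != 64:
        raise ValueError("expected 64-byte r||s for secp256k1")
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        raise ValueError("r or s outside [1, n-1]")
    return r, s

def normalize_low_s(r: int, s: int) -> tuple[int, int, bool]:
    """Map a high-S signature to its low-S twin (r, n - s).

    Both verify for the same message and key; Bitcoin relay policy and
    Ethereum (EIP-2) reject the high-S form to prevent malleability. The
    flag tells the caller that a recovery id computed for the original s
    must have its parity bit flipped.
    """
    if s > HALF_N:
        return r, N - s, True
    return r, s, False

def _der_int(x: int) -> bytes:
    body = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body

def der_encode(r: int, s: int) -> bytes:
    """Strict DER SEQUENCE { INTEGER r, INTEGER s }, as Bitcoin expects."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def normalize_hsm_signature(raw: bytes) -> tuple[bytes, bool]:
    r, s, flipped = normalize_low_s(*split_raw(raw))
    return der_encode(r, s), flipped

# Constructed sample: r = 2**255 (top bit set), s = n - 1 (high-S).
SAMPLE_RAW = (2**255).to_bytes(32, "big") + (N - 1).to_bytes(32, "big")

if __name__ == "__main__":
    der, flipped = normalize_hsm_signature(SAMPLE_RAW)
    print(der.hex(), "s flipped:", flipped)
```
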

The integration includes:

  • Standard PKCS#11 connectivity, using the Securosys Primus provider library (libprimusP11.so) without custom plugins or SDK modifications.
  • AES-GCM key wrapping, where private keys are wrapped inside the HSM using a root AES key, then exported and stored externally in wrapped form. Raw key material is never exposed.
  • Performance-optimized session handling, with a dedicated HSM thread and connection pooling designed for the latency profile of cloud-hosted HSM environments.
  • Multi-tenant support, with isolated partitions per customer, each acting as an independent cryptographic domain with its own keys, policies, and access controls.

Dfns supports wallets across Ethereum, Bitcoin, Solana, Aptos, Polygon, Tron, and more than 50 additional blockchain networks.

Why Securosys

Securosys is a Swiss manufacturer of high-assurance cryptographic hardware, designed, developed, and produced entirely in Switzerland. Their HSMs are used to secure critical infrastructure for central banks, payment systems, government agencies, and regulated financial institutions.

Notably, Securosys HSMs secure Switzerland’s national real-time gross settlement system, the Swiss Interbank Clearing (SIC) platform, which processes over CHF 100 billion daily under the supervision of the Swiss National Bank. In 2024, SIX Interbank Clearing renewed its partnership with Securosys for another ten years, citing its fully Swiss-built architecture and no-backdoor design.

Their hardware is certified at FIPS 140-2 Level 3 (FIPS 140-3 Level 3 in process) and Common Criteria EAL4+, augmented with AVA_VAN.5, the highest level of penetration testing. Their latest CyberVault generation introduces post-quantum cryptography (PQC) capabilities, including ML-DSA, ML-KEM, and SLH-DSA, enabling hybrid classical and PQC operations today.

Several capabilities are particularly relevant for digital asset infrastructure:

  • CloudHSM infrastructure, globally distributed with geographically separated nodes and disaster recovery hosted in a former military bunker in the Swiss Alps.
  • Smart Key Attributes (SKA), a hardware-level policy engine enforcing quorum approvals, time-locked execution, and per-key governance rules directly within the HSM.
  • High partition density, supporting up to 1,000 partitions per HSM, enabling true multi-tenant isolation and flexible deployment architectures.
  • Post-quantum readiness, allowing institutions to begin transitioning to PQC without disrupting existing workflows.

One wallet platform, multiple deployment models

Dfns has validated this integration across Securosys CloudHSM environments, including primary Swiss-based API endpoints. The same PKCS#11 interface and driver are used across both cloud and on-premises deployments, allowing Dfns Key Orchestration Service (KOS) to operate consistently regardless of infrastructure setup. This means institutions can start with one deployment model and evolve over time without changing their application layer, transaction flows, or governance systems.

For organizations already using Securosys to secure sensitive infrastructure, Dfns provides a direct extension into blockchain systems without requiring architectural changes. There is no need to rebuild internal tooling, compromise on deployment flexibility, or introduce additional operational complexity.

By combining Securosys’ hardware-enforced controls with Dfns’ programmable policy engine, institutions can implement governance models that span the entire stack. This includes hardware-level authorization, multi-party approvals, time-locked execution, and full transaction traceability from signing to on-chain settlement.

One platform, any HSM

The strategic point is not only that Dfns integrates with Securosys, but that Dfns integrates with any PKCS#11-compliant HSM, and provides a single API surface regardless of which hardware sits underneath. This changes how institutions approach wallet infrastructure. Hardware selection becomes a question of compliance, sovereignty, and operational preference, not a constraint on how systems are built or integrated.

If you already rely on Securosys to protect payment systems, PKI infrastructure, or other regulatory-sensitive workloads, you do not need to rewrite your stack, sacrifice flexibility, or introduce new operational complexity to extend that same security perimeter to blockchain. The integration is direct, consistent, and production-ready. Dfns ensures that the experience remains identical across environments:

  • Same API surface, whether keys are managed through MPC or inside an HSM
  • Same governance model, including access policies, approval workflows, and policy enforcement
  • Same auditability, with unified logs and traceability across all operations
  • Same transaction lifecycle, from construction and signing to broadcasting and monitoring

This consistency is what enables institutions to scale. Teams can move between deployment models, mix MPC and HSM setups, or adapt to new regulatory requirements without re-architecting their systems. This is what modern infrastructure should look like. The cryptographic backend becomes a deployment decision, not an architectural constraint.

Register your device: app.dfns.io

Read our documentation: docs.dfns.co/d/guides/using-hardware-security-modules-hsms
