Thales HSM Integration

Thibault de Lachèze-Murel
Thibaud Genty
July 9, 2025

Dfns now supports Thales HSMs for blockchain wallets and key management

We’re expanding the reach of our programmable wallet infrastructure. Starting today, Dfns integrates natively with Thales Hardware Security Modules (HSMs). This means institutions can now run Dfns’ full wallet orchestration stack using their own certified, Thales-manufactured hardware, with no compromise on speed, functionality, or control.

Why Thales and how they stand out

Thales is one of the most trusted names in defense, cybersecurity and cryptographic hardware. Their HSMs are deployed by central banks, global payment networks, telecom providers, governments, and critical infrastructure operators in over 180 countries. These devices secure everything from payment credentials and TLS certificates to national ID keys and military communications.

With certifications like FIPS 140-2 Level 3 and Common Criteria EAL4+, Thales HSMs are purpose-built for secure key generation, storage, and signing, ensuring cryptographic keys never leave the secure boundary of the hardware. Each HSM family addresses specific high-assurance use cases:

  • payShield: Used by most of the world’s major payment processors to secure card issuance and transaction flows.
  • Luna: A go-to choice for cloud and hybrid deployments, integrated into the backend of AWS, Google Cloud, and Azure.
  • ProtectServer: Designed for developers who need programmable control over cryptographic functions in regulated environments.

By integrating with Thales HSMs, Dfns brings blockchain signing into these high-security environments without requiring custom development or architectural changes. This allows institutions to adopt digital asset capabilities while keeping full control over key custody and compliance, using the same infrastructure they already trust for their most sensitive operations.

How Dfns integrates with Thales via PKCS#11

Our HSM Service is built on the PKCS#11 standard, so any compatible Thales HSM, like payShield, Luna, or ProtectServer, can act as a secure signing engine for Dfns wallets. That includes key generation, signing, key retrieval, and key backup using your existing Thales setup. No custom adapters, middleware, or changes to your transaction flow are needed. If your HSM supports PKCS#11, it plugs right into the Dfns wallet platform.

Once connected, your Thales HSM becomes the backend for signing operations. Dfns handles blockchain-specific logic (e.g., transaction formatting, broadcasting, and policy enforcement), so your HSM just performs standard crypto tasks (like ECDSA or EdDSA signing). Everything else is abstracted away. This setup supports a wide range of blockchains, securely and at scale: Ethereum, Solana, Bitcoin, Aptos, Polygon, and 50+ others.
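As an added illustration (not Dfns code and not part of the original post), the example below shows one kind of chain-specific step that stays outside the HSM: PKCS#11's CKM_ECDSA mechanism returns a raw r || s pair, which the calling layer canonicalizes to low-s and re-encodes as DER (Bitcoin) or fixed-width r || s (which chains such as Ethereum extend with a recovery id). It assumes a secp256k1 key; the function names and the sample signature are constructed for this example.

```python
# Added example: post-processing a raw PKCS#11 CKM_ECDSA signature off-HSM.
# Assumes secp256k1; N is that curve's public group order.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split_raw(sig):
    """CKM_ECDSA output is r || s, each half zero-padded to equal length."""
    if len(sig) != 64:
        raise ValueError("expected 64-byte r||s for a 256-bit curve")
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        raise ValueError("r or s out of range")
    return r, s

def low_s(r, s):
    """(r, N - s) verifies for the same key and message; keep the lower s."""
    return (r, N - s) if s > N // 2 else (r, s)

def _der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # DER INTEGER is signed: pad to keep it positive
        b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b

def to_der(r, s):
    body = _der_int(r) + _der_int(s)   # at most 70 bytes on a 256-bit curve
    return b"\x30" + bytes([len(body)]) + body

def hsm_to_chain_formats(raw):
    """Turn the HSM's raw output into the encodings a chain layer needs."""
    r, s = low_s(*split_raw(raw))
    compact = r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return {"r": r, "s": s, "compact": compact, "der": to_der(r, s)}

# Constructed sample (not a real signature): high-bit r and a "high" s value.
SAMPLE_RAW = ((1 << 255) + 1).to_bytes(32, "big") + (N - 5).to_bytes(32, "big")

if __name__ == "__main__":
    out = hsm_to_chain_formats(SAMPLE_RAW)
    print("low-s applied:", out["s"] == 5)
    print("DER:", out["der"].hex())
```

A layer that skips the low-s step can still hold a mathematically valid signature that Bitcoin relay policy or Ethereum transaction validation rejects, so this check belongs in the integration tests for any new HSM backend.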

Key features include:

  • PKCS#11 integration: Uses standard drivers and libraries. No custom plugins or SDK forks.
  • Performance-optimized session handling: Dfns pools and manages sessions to support high signing volumes without hitting HSM limits.
  • Multi-key and multi-tenant support: Assign your Thales HSM to multiple Dfns organizations.
  • [Coming soon] CLI and API registration: Register and manage your HSM through the Dfns CLI or REST API. Everything is programmable and automatable.

One wallet platform, multiple deployment schemes

Whether your Thales HSM is on-premises, in a CloudHSM service, or deployed across hybrid architectures, it can be integrated seamlessly with Dfns. As of today, we’ve tested and validated against the deployment of a Luna HSM in a Thales cloud environment. The result: secure, standards-based key management with no compromises, and blockchain access that respects your existing security policies, audit requirements, and latency needs.

If you already use Thales HSMs to protect TLS keys, payment credentials, or digital identity infrastructure, Dfns lets you extend that same secure boundary to digital assets without rewriting your stack, sacrificing flexibility, or introducing operational complexity. This integration is part of a broader transformation at Dfns. We’re evolving into a flexible cryptographic orchestration layer that supports MPC, HSM, TEE, or any mix of technologies, with a single set of APIs, policies, and controls.

With Thales HSM support, you get:

  • Vendor-agnostic infra: Choose the hardware that fits your compliance and operational needs.
  • Faster go-lives: Plug into Dfns with off-the-shelf support for your Thales HSM—no multi-month integrations.
  • Unified governance: The same access policies, audit logs, and transaction workflows work across MPC and HSM environments.
  • Sovereign key control: Store and operate keys on-premises, in local jurisdictions, or within private clouds, without giving up programmable wallet capabilities.

End-to-end, hardware-protected data integrity

Our roadmap includes expanded support for advanced HSM features such as partitioning, remote management, and dual control signing, capabilities that are especially valuable for regulated institutions requiring strong access separation and auditability. These enhancements are designed to deepen our integration with Thales HSMs and offer fine-grained control over your key management workflows.

Looking ahead, we're also working to support additional Thales services, including Confidential Compute, to enable secure execution of blockchain operations in trusted environments. This will unlock new use cases around zero-trust transaction processing and secure multiparty workflows.

Whether you're already using Thales HSMs or planning to onboard new hardware, our integration makes it easy to start managing digital assets with enterprise-grade compliance, isolation, and control.
