KeySafe HSM Technical Requirements

These KeySafe HSM Technical Requirements (“HSM Technical Requirements”) apply to Customer’s purchase and use of KeySafe HSM, and Customer understands and acknowledges that in order to achieve a successful and trusted encryption key management deployment and maintenance, there are on-going requirements that it needs to meet. Failure to undertake these requirements may result in failure of Customer’s KeySafe HSM, and Box assumes no liability for any such failure by Customer.


Box may change these HSM Technical Requirements at any time by posting an updated version here, and such updates will be effective upon posting.


Hardware Security Modules

  1. Ensure that the Customer-owned key encryption keys (“C-KEKs”) that are stored on the Customer HSM Tools are backed up each time Customer creates or changes their C-KEKs. Customer must take reasonable steps to ensure during the backup that the Customer HSM Tools are properly protected.
  2. In the event that Customer HSM Tools cease to function or otherwise get zeroized (i.e., erasing the C-KEKs), Customer must restore C-KEKs from the backup HSM as soon as commercially possible to do so. A zeroized state includes, but is not limited to, a factory reset by command and the HSM detecting 3 bad login attempts.


Third-Party Providers

  1. As of the current version of these HSM Technical Requirements, the Box approved KeySafe HSM Hosting Partner is Amazon Web Services ("AWS").
  2. For implementation of KeySafe HSM, Customer must always install Hosting Partner’s most current software version.
  3. Customer is required to utilize the AWS CloudFormation template labeled “AWS CloudHSM” to provision the AWS infrastructure, a current version of which may be found on the website and/or at the following link: cf-setup
  4. Customer is required to purchase and maintain AWS support. Customer may choose to purchase from AWS either Enterprise or Business Support as described here while using KeySafe HSM and AWS as a Hosting Partner.
  5. Customer is required to purchase a minimum of three (3) instances of Customer HSM Tools. Box recommends Customers work closely with Box to monitor the usage during onboarding of additional User Accounts to determine if additional instances of Customer HSM Tool(s) are needed to achieve high availability and durability of the C-KEKs. In any event, if Customer anticipates (i) more than 100,000 User Accounts; (ii) material data migration; or (iii) material changes in its use of KeySafe HSM, then Customer will engage with Box Consulting to determine the minimum instances of Customer HSMs.
  6. Customer must take and maintain exclusive control over their HSM account as part of the initial configuration.
  7. Customer must maintain a backup copy of C-KEKs in a back-up HSM hosted outside of Box approved KeySafe HSM Hosting Partner. For clarity, such back-up HSM may not be utilized for any purpose other than KeySafe HSM.
  8. Customer must purchase at least one (1) backup HSM from a Box approved KeySafe HSM hardware security module provider. As of the current version of these HSM Technical Requirements, the Box KeySafe HSM-approved HSM is SafeNet Luna Remote Backup (“SafeNet”).
  9. Customer must configure the backup HSMs using a backup client that utilizes a Windows 7 or later operating system.
  10. As of the current version of these HSM Technical Requirements, the Box supported SafeNet Luna SA HSM version is 5.3.13.
  11. Customer understands and agrees that the functionality of KeySafe HSM may require updates or upgrades from the Hosting Partner.


Data Center Requirements

  1. As of the current version of these HSM Technical Requirements, Customer is required to provision the HSMs in the AWS us-west-2 region.
  2. In the event Box relocates the Box data centers within the United States, and in order to maintain KeySafe HSM functionality and performance, Customer may be required to transition Customer HSM Tools to an HSM hosting location in close proximity to the relocated Box data centers within sixty (60) days of written notice from Box.


Log Aggregation Tool

  • Box will not be monitoring activities related to C-KEKs generated by the hosting provider. We recommend that Customer own and maintain a log aggregation tool (“Aggregation Tool”) and consume the KeySafe logs through that Aggregation Tool.


Box Functionality

  1. As of the current version of these HSM Technical Requirements, Box Service functionality limitations include:
    • Full text search of the files needs to be disabled
    • Any 3rd party eDiscovery integration that relies solely on Box Search APIs
    • KeySafe HSM is not encrypting comments, descriptions and metadata with C-KEKs
    • Migration off of the Box Service:
      • Customer will disable logging on the HSM if they wish to cease further use of the Box Service
      • Each HSM can process a very limited number of transactions per second with logging enabled, and logging will limit Customer’s ability to export all of their data in a timely manner.
  2. KeySafe HSM encrypts file content uploaded to the Box Service, excluding Box Notes.


Version history
Revision #: 3 of 4
Last update: 05-21-2018 02:22 PM