You can configure PingFederate to use a hardware security module (HSM) for cryptographic material storage and operations. When configured, private keys and their corresponding certificates are stored on the HSM, and the related signing and decryption operations are processed there for enhanced security. By default, even in HSM mode, dynamic OAuth and OpenID Connect signing and decryption keys are generated and stored in the memory of PingFederate cluster nodes. To ensure continuity after a full cluster restart, the decryption keys are also persisted to disk, where they are encrypted with PingFederate's active configuration encryption key. To store OAuth and OpenID Connect keys on the HSM instead, you must enable static keys.

For more information on supported configurations for secure storage and processing of cryptographic material, see Supported hardware security modules.

Performance considerations

Configuring PingFederate to use an HSM for cryptographic material storage and operations can affect performance. The level of impact depends on the performance of the cryptographic functionality provided by the HSM and on the network latency between PingFederate and the HSM. If you plan to use an HSM as part of your PingFederate deployment, consult your HSM vendor for performance tuning and optimization recommendations.