Nitrokey HSM: A Tough Sell in a Highly Demanding Market

In December 2023, a German company called Nitrokey released an open-source Hardware Security Module (HSM) into the market. The HSM took 8 years to develop, with the last 2 years in beta testing with select customers. The Nitrokey NetHSM 1.0 was initially funded by the European Union (EU) as part of the “Gründung innovativ” of the Investitionsbank of the German federal state Brandenburg, a program that financially supports innovative companies in the first 3 years of start-up. NetHSM is a general-purpose appliance priced at less than €10,000, putting it at the (very) lower end of HSM pricing scale. The NetHSM software container is freely available for development and testing purposes and can be used with Docker and other container engines.

The HSM market is currently dominated by a handful of players (Thales, Entrust, and Utimaco), with a limited number of mid-market players (Atos and IBM), and very few new market entrants over the years. Those that have cropped up recently are small outfits, with a very focused national scope, often initially funded and supported by government. Developing an HSM is no easy feat, requiring heavy Research and development (R&D) in security and cryptographic applications, and subjected to stringent certification processes, such as National Institution of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-3 Level 3+, Common Criteria (CC) Evaluation Assurance Level (EAL) 4+, Payment Card Industry (PCI) PIN Transaction Security (PTS) HSM v4, etc. These types of certifications are lengthy, complex, and costly. HSM development is a very proprietary affair, and therefore, a lucrative business for Original Equipment Manufacturers (OEMs), with Average Selling Prices (ASPs) generally around US$20,000 to US$50,000 per appliance (not including licenses, warranties, Service-Level Agreements (SLAs), and other subscriptions). The ability to write custom code or integrate the HSM with business applications through Application Programming Interfaces (APIs) is a fairly new occurrence, due in part to opening up cloud HSM subscriptions, revealing how tightly the market is controlled by the existing OEMs.

Nitrokey seeks to disrupt that market with its open-source approach, opening up what would normally be a black box for anyone to see (and, of course, audit). The approach is both bold and risky. The HSM market leaders have a very strong hold on a traditional market that even cloud service providers are having trouble disrupting. HSMs serve a very specific purpose in that traditional market, much of which is regulatory compliance. Getting into it will be difficult, especially as Nitrokey still does not have any NIST or CC certifications (although that is planned, it can take a year or more to obtain certification). Without that, no regulated company will be using NetHSMs. But perhaps this is not the target market that Nitrokey is after. Given the growing demand for securing identity, data, and communications in the Internet of Things (IoT) and in supply chain relationships, a low-cost, open source HSM might be a highly attractive and affordable option.

The Total Addressable Market (TAM) for HSMs today is fairly small (ABI Research forecasts an estimated 60,000 appliances will be shipped globally in 2024), and primarily targeting those that need to comply with strict regulatory requirements on security. The costs are a high barrier to entry for organizations with less strict security needs, so an open source approach could very well interest that untapped potential. However, the HSM as a product is not an easy sell; it’s a complex appliance designed to do cryptographically complex operations that are difficult to explain, let alone sell to a new market. Beyond drafting new legislation mandating HSM usage, the growth of the HSM market must occur elsewhere, and that is in the applications. Prospective customers are interested in authentication, identity, and access control—it doesn’t matter, ultimately, how that is delivered, as long as it is done securely. As for Nitrokey competing with incumbent HSM OEMs, it’s all about tying Nitrokey’s HSM offering to an application that speaks to demand, not the other way around. Today, that is encryption key management, quantum-safe communications, and machine identity. If an HSM vendor can successfully sell that story, whether open-source or proprietary, then it will go a long way in expanding its market appeal.