Using Hardware CSPs
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Hardware CSPs can support a wide range of cryptographic operations and technologies. Keys stored in tamper-resistant hardware cryptographic devices are more secure than keys stored on a local computer's hard disk. Therefore, keys stored in hardware cryptographic devices can be given longer lifetimes than keys that software CSPs store on hard disks.
Another advantage of using hardware CSPs is that the key material is kept outside the memory of the computer, within the hardware device. This makes it impossible to obtain the CA's private key by means of a memory dump.
If you determine that a hardware CSP is too costly, consider using smart cards for key storage. When you store cryptographic keys on a smart card, no one in your organization can issue or revoke certificates without the appropriate smart card together with the correct personal identification number (PIN).
If you choose to use hardware cryptographic service providers for CA private key storage, you must ensure that the hardware device is physically secured, or at least back up the operator cards or tokens. You might, for example, keep the device in a highly secured area in your company's computer room, or lock it in a safe.
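Whichever option you choose, it is worth verifying which CSP each installed CA actually uses, so that a CA whose private key is still held by a software CSP on the hard disk can be spotted. The script below is an added example and is not part of the original article or of any Microsoft tool; it assumes Windows PowerShell is installed on the CA computer, that it runs elevated, and that the CA's CSP settings live in the `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\CSP` registry key (the `Provider` and `ProviderType` values). The list of software provider names is an assumption covering the common Microsoft software CSPs and the software KSP; extend it for your environment.

```powershell
# Added example (not from the original article): report the CSP each
# installed CA uses and flag CAs whose key material is stored on the hard disk.
# Assumes Windows PowerShell on the CA computer and an elevated session.

$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Provider names that keep the private key on the local hard disk
# (assumed list of common Microsoft software CSPs/KSPs; extend as needed).
$softwareProviders = @(
    'Microsoft Base Cryptographic Provider v1.0',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Get-CaKeyStorage {
    if (-not (Test-Path $configRoot)) {
        Write-Warning 'Certificate Services is not installed on this computer.'
        return
    }
    # Each subkey under Configuration is one CA instance on this computer.
    foreach ($ca in Get-ChildItem -Path $configRoot) {
        $cspKey = "$configRoot\$($ca.PSChildName)\CSP"
        if (-not (Test-Path $cspKey)) { continue }
        $csp = Get-ItemProperty -Path $cspKey
        # A provider not in the software list is assumed to be hardware- or
        # smart-card-backed; confirm against the vendor's documented CSP name.
        $onDisk = $softwareProviders -contains $csp.Provider
        New-Object PSObject -Property @{
            CA            = $ca.PSChildName
            Provider      = $csp.Provider
            ProviderType  = $csp.ProviderType
            KeyOnHardDisk = $onDisk
        }
    }
}

Get-CaKeyStorage | Format-Table CA, Provider, ProviderType, KeyOnHardDisk -AutoSize
```

A row with `KeyOnHardDisk` set to `True` means that CA's private key is exactly the kind of on-disk key the article warns about, and that CA is a candidate for migration to a hardware CSP or smart card. The same value can be read with `certutil -getreg CA\CSP\Provider`, and `certutil -csplist` shows which CSPs are installed on the computer, which is useful when checking that the hardware vendor's provider is actually present before you move the key.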