FIPS 140-2 Level 3

Remote HSM & mTLS Architecture

Edge-to-Hardware Cryptographic Pipeline

Cloudflare Workers encrypt player PII at the edge, then tunnel key operations through an mTLS-authenticated channel to an on-premises YubiHSM 2 via OpenBao Transit. The keys behind field-level encryption, JWT signing, and hardware-seeded RNG are anchored in the HSM, whose master key never leaves the device, even when the caller is a globally distributed edge network.

mTLS Tunnel • YubiHSM 2 • OpenBao Transit • GDPR Art.17 • AES-256-GCM • PKI CA • Cloudflare Workers • PCI DSS 4.0.1
End-to-End Flow

From edge request to hardware key operation

Every cryptographic operation follows a deterministic path through four hops beyond the edge: the nginx mTLS terminator, the HSM proxy, OpenBao Transit, and the YubiHSM 2. The HSM master key never leaves the hardware boundary.

Request Pipeline

Player PII encryption at the edge

1. Player submits sensitive data. The registration form sends an email, phone, or document number to the Cloudflare Worker endpoint.
2. Worker initiates the mTLS handshake. The Worker presents a client certificate signed by the OpenBao PKI CA; the nginx reverse proxy validates the certificate chain and the CN.
3. HSM Proxy receives the request. The FastAPI proxy forwards the encrypt/sign/random operation to OpenBao Transit, which uses the YubiHSM 2 as its root of trust.
4. Ciphertext returns to the edge. The encrypted field is stored in D1 or the origin database. The plaintext never persists outside the Worker's isolate memory.
5. GDPR erasure via crypto-shredding. To comply with Art.17, the key version is rotated, ciphertexts that must be retained are re-wrapped to the new version, and the minimum decryption version is advanced, so any ciphertext still under an older version is unrecoverable.
Runtime Map

mTLS tunnel architecture

Cloudflare Worker: Edge isolate • Web Crypto API • Global PoPs
  ↓ mTLS handshake (TLS 1.3)
nginx Reverse Proxy (:8443): ssl_verify_client • CN=cloudflare-worker-hsm-client • Cloudflare IP allowlist
  ↓ proxy_pass (localhost)
HSM Proxy API (:8190): FastAPI • HMAC API key • /hsm/encrypt • /hsm/decrypt • /hsm/sign • /hsm/random
  ↓ Transit API (HTTPS)
OpenBao Transit Engine (v2.5.2): Shamir seal • AES-256-GCM • Key versioning • Audit log
  ↓ PKCS#11 interface
YubiHSM 2 (fw 2.4.1): FIPS 140-2 Level 3 • Cert #3516 • Non-exportable master key • TRNG

Five runtime components handle every request. The master key is hardware-bound and non-exportable: every operation that uses it executes inside the HSM's tamper-evident boundary, and bulk field encryption in envelope mode runs under a DEK that this key wraps.

Cryptographic Operations

Four HSM-backed operations at the edge

Envelope encryption delivers cloud-grade KMS performance at a fraction of the cost. The same pattern used by AWS KMS, Azure Key Vault, and Google Cloud KMS — but running on a $650 YubiHSM 2 instead of pay-per-request cloud pricing.

Encrypt (~0.5ms p50)

AES-256-GCM field-level encryption keyed by the field-cipher Transit key, either directly or, in envelope mode, under a DEK that Transit wraps. Player email, phone, SSN, and card data are encrypted before storage. Supports key versioning for rotation.

transit/encrypt/field-cipher

Decrypt (~0.5ms p50)

Decrypts ciphertext using the same Transit key. Only authorized services with valid mTLS certificates and API keys can decrypt. Audit-logged per request.

transit/decrypt/field-cipher

Sign (~2ms p50, one HSM roundtrip per request)

ECDSA/Ed25519 signing for JWT tokens, withdrawal authorizations, and KYC verification receipts. The private key never leaves the HSM perimeter.

transit/sign/jwt-signing

Random (<1ms p50)

Hardware TRNG from the YubiHSM 2 for session tokens, nonces, and supplementary entropy. NIST SP 800-90B validated, 7.9998 bits/byte measured entropy.

YubiHSM 2 TRNG via PKCS#11
Benchmark Results

Cloud-grade KMS at on-premises cost

Envelope encryption uses a locally cached Data Encryption Key (DEK), wrapped by the HSM-backed Transit engine. This is the same envelope-encryption pattern that AWS KMS, Azure Key Vault, and Google Cloud KMS expose through their data-key APIs: bulk AES-GCM runs locally, and the HSM is consulted only to wrap or unwrap the DEK. It delivers 2,000+ encrypt/decrypt operations per second at sub-millisecond latency while the wrapping key stays inside the HSM boundary.

Before: Direct Transit
  Encrypt throughput        131 req/s
  Encrypt latency p50       6.80ms
  Concurrent (10 threads)   274 req/s
  Batch support             N/A

After: Envelope Encryption
  Encrypt throughput        1,555 req/s (12x)
  Encrypt latency p50       0.53ms (13x lower)
  Concurrent (10 threads)   2,035 req/s (7x)
  Batch (100 items)         67,092 equivalent req/s
Cost Comparison: On-Premises HSM vs Cloud KMS

Provider            | Cost model                                     | 1M ops/month | 10M ops/month | Compliance
AWS KMS             | $1/key/mo + $0.03 per 10K requests             | $4/mo        | $31/mo        | FIPS 140-2 L2 (L3 with CloudHSM: $1.60/hr)
Azure Key Vault     | $1/key/mo + $0.03 per 10K requests             | $4/mo        | $31/mo        | FIPS 140-2 L2 (L3 with Managed HSM: $3.20/hr)
Google Cloud KMS    | $0.06/key version/mo + $0.03 per 10K requests  | $3/mo        | $30/mo        | FIPS 140-2 L2 (L3 with Cloud HSM: $2.50/hr)
YubiHSM 2 + OpenBao | $650 one-time, $0 per request                  | $0/mo        | $0/mo         | FIPS 140-2 Level 3 (native, no extra cost)

At 10M operations/month ($31/mo), the YubiHSM 2 pays for itself in 21 months compared to cloud KMS (hardware cost only; the host it runs on and operating time are not counted). Against a dedicated cloud HSM billed hourly (the FIPS Level 3 tier), the $650 is recovered in under three weeks: $1.60/hr is about $38/day, so roughly 17 days, and the $3.20/hr tier roughly 9 days. Throughput is comparable: 2,000+ ops/s here vs typical cloud KMS throughput of 1,000–5,000 ops/s.

Envelope Encryption Architecture

Startup (once)
1 Generate a random 256-bit DEK
2 Wrap the DEK with Transit (field-cipher); only the wrapped copy is persisted
3 Cache the unwrapped DEK in memory (1h TTL)

Encrypt / Decrypt (every request)
1 Read the DEK from the memory cache (0ms)
2 AES-256-GCM locally with a fresh random 96-bit nonce per message (0.5ms); the 1h DEK TTL keeps the message count per key far below the 2^32 bound for random 96-bit GCM nonces
3 Return ciphertext, no HSM roundtrip

Sign (every request)
1 Forward to the HSM via Transit (2ms)
2 Private key never leaves hardware

Key Rotation & GDPR
1 Rotate the Transit key version
2 Re-wrap the DEK to the new version via /hsm/rewrap
3 Old ciphertexts and old wrapped DEKs remain readable until min_decryption_version is advanced
! GDPR Art.17: advancing min_decryption_version strands anything still wrapped under an older version (crypto-shredding); re-wrap what must be retained first, and evict any cached DEK that came from a shredded version
Defense in Depth

Six security layers protect the tunnel

1 TLS 1.3 + mTLS

Mutual TLS requires both server and client certificates. The client cert is issued by the OpenBao PKI CA with a 30-day TTL and automatic renewal.

2 CN Validation

nginx enforces that the client certificate CN matches cloudflare-worker-hsm-client. Certificates with other CNs are rejected with 403.

3 IP Allowlist

Only Cloudflare's published IPv4 ranges and the production server IP are allowed; requests from any other source IP are rejected at the nginx layer before the application sees them. Because those ranges are shared by every Cloudflare customer, the allowlist only narrows exposure; the client certificate is what actually authenticates the caller.

4 API Key Auth

A 256-bit API key is required in the X-API-Key header and is checked with a constant-time comparison (hmac.compare_digest), so response timing reveals nothing about the expected value. Brute force is defeated by the key length itself, not by the comparison.

5 OpenBao ACL Policies

Transit operations are scoped to specific key names. The proxy token can only access field-cipher and jwt-signing — no root access.

6 Hardware Key Isolation

The YubiHSM 2 master key is non-exportable and the device is tamper-evident. Every operation that uses the master key executes inside the HSM's FIPS 140-2 Level 3 boundary; bulk field encryption under the envelope scheme runs outside it, under a DEK that the HSM-backed key wraps.

Regulatory Compliance

GDPR, PCI DSS, and GLI-19 alignment

GDPR Art.17

Right to erasure via crypto-shredding. Instead of searching and deleting PII across distributed systems, we rotate the field-cipher key, re-wrap the ciphertexts and wrapped DEKs that must be retained to the new version, and then advance the Transit key's minimum decryption version. Whatever was not re-wrapped, the erased player's data, becomes unrecoverable through Transit. Advancing min_decryption_version only gates decryption: the old version's key material stays in the key ring until it is trimmed (transit/keys/field-cipher/trim), an operator with config rights could lower the version again before that, and any DEK already unwrapped into a cache must be evicted for the erasure to be complete.

POST /transit/keys/field-cipher/config
{ "min_decryption_version": N+1 }
PCI DSS 4.0.1

Requirement 3: Protect stored account data. Card data is encrypted at the edge before reaching any origin server. The key that wraps the data-encryption key is HSM-protected and never stored in software; the DEK itself exists unwrapped only in memory, for the length of the cache TTL.

3.5.1 — Encryption key in HSM
3.6.1 — Key rotation via Transit
4.2.1 — TLS 1.3 in transit
GLI-19 & ISO 27001

Hardware RNG and audit chain. The YubiHSM 2 TRNG passes NIST SP 800-22 statistical tests. Every cryptographic operation is audit-logged with timestamp, operation type, key name, and client identity.

GLI-19 7.2 — TRNG validation
ISO 27001 A.10 — Crypto controls
FIPS 140-2 Level 3 — Cert #3516
Live Monitoring

Real-time HSM metrics from production

Metrics are collected every 30 seconds from the HSM Proxy API and pushed to Redis. The traffic is generated by a bot that simulates realistic iGaming workloads (player PII encryption, JWT signing, decrypt verification, and random generation), so the numbers reflect synthetic load against the production tunnel rather than real player traffic.

In the Book

Covered across multiple chapters

Chapter 20

Hardware Security Modules

YubiHSM 2 setup, PKCS#11 integration, OpenBao Transit engine, key hierarchy design, HKDF derivation, and FIPS validation.

Chapter 44

GDPR & Edge Encryption

Cloudflare Workers field-level encryption, pseudonymisation, crypto-shredding for Art.17, D1 encrypted models, and the remote HSM tunnel.

Chapter 24

TLS & mTLS Infrastructure

End-to-end encryption lifecycle, certificate management, mTLS tunnel design, Coraza WAF integration, and TLS compliance testing.