DocuSign HSM Appliance (formerly PrivateServer HSM) Technical FAQs

Notice: The PrivateServer product is being renamed to DocuSign HSM. You will see our documentation and marketing materials take on the new name. Rest assured that they are one and the same product and that support continues as before.

DocuSign HSM is the leading high-security (FIPS 140-2 Level 3), high-capacity, network–attached multi-user HSM.

I want to migrate my Certificate Authority (CA) Cryptographic Service Provider (CSP) into a Key Storage Provider (KSP). Can I do that?
KSP is a next generation of CSP. It provides an enhanced key storage mechanism and supports modern key and signature algorithms. So, many organizations have decided to advance in that direction. If your organization is currently using CSP technology and you want to upgrade to KSP technology, you can do that with your DocuSign HSM (PrivateServer).
The CA Migration Guide shows you, step-by-step, how to perform this migration. Within only a few minutes, you will be able to accomplish the task.


I need to replace my database files from the current set of master keys to a new set of master keys. Is that going to be painful?
We are happy to inform you that you can do this and that the process is not painful at all. In fact, it takes only a few minutes and we can show you how.

In general, the process works like this:
  1. Connect to the working DocuSign HSM and generate a new random, clear-text SVMK
  2. Create a new set of Init and Startup using new cards
  3. Load the ReplaceSVMK module
  4. Execute the ReplaceSVMK operation
The step-by-step instructions can be found in the Replace SVMK Procedure guide.


What is the difference between a key user and a key owner?


key user may only perform cryptographic operations with the key (i.e. encrypt, decrypt, sign, verify, etc.). A key owner may obtain the key's value (as long as it's not read-locked). A key owner can delete the key and modify sensitive attributes of the key, and also define other users or owners for the key.


Can the PrivateServer get the time from an NTP server?

No, it can't. The time of the PrivateServer can not be changed.


What is the PrivateServer’s port number?

The PrivateServer "listens to" (i.e. receives) incoming connections at port 1024.


What are the access types?

There are five access types:

  • Users may connect from a non-secured network without the need for authentication (in this case, authentication is done by a key that is password protected).
  • Users must connect from a secured network, but without the need for authentication.
  • Users must connect with authentication from a non-secured network.
  • Users must connect with authentication but only from a secured network.
  • Users cannot connect to the PrivateServer.
An authenticated session means that the user uses a certain media to connect to the PrivateServer. The media stores the user's authentication private key, and can be a smartcard, a Minikey or a key file.
Note: In a production environment, ARX does not recommend deleting and recreating users. This is because if a key is linked to only one user, then deleting the user will make all keys unusable. It’s preferable to lock access to a user or changing the users’ access level to 5, which prevents the user from connecting.


What is the meaning of secure network and non-secure network?

The definitions for secure networks and non-secure networks should be determined by the PrivateServer operator.
  • Secure network means that measures have been taken to limit access to the network. For example, a network with cross cable between a client machine and the PrivateServer is considered a secure network.
  • Non-secure network means that the network has unlimited access. For example: a PrivateServer that is connected to the Internet.
Each user in a PrivateServer database has an access level that determines whether the user must access it from a secured network. If you define that a user must connect from a secured network, then that network must be added or defined in the “Secured Networks” option in the PrivateServer console. PrivateServer has 2 NICs; by default, both are defined as ‘secured’. You may define both of them as ‘secured’ or ‘non-secured’.


What card types can be used as INIT and STARTUP cards?

When generating cards to be used as INIT or STARTUP in PrivateServer version 3.x, MCOS cards must be used. In PrivateServer version 4.x all the cards can be PrivateCards. MCOS cards –"Gemplus" is written on the smartcard chip. Please note that these cards are EOL (end of life) and are no longer supported. PrivateCards - a high security PKI-based smartcard with a 144 KB memory capacity. The card performs all the sensitive functions on the chip itself, providing users with a significantly stronger authentication mechanism. The MCOS smartcard chip is rounder in shape, unlike the PrivateCard that is square-shaped but has round edges. When generating cards for users that will connect from the PrivateServer client machine, you may use both types of the cards provided the client machine is using CryptoSafe for the smartcard reader. If the client machine has PrivateSafe or USB reader, you can only use PrivateCards.

Have an issue? To send us an email, please submit this form.