This question is for the developers of Cryptomator: is it feasible to replace the encryption/decryption and digest computation used by Cryptomator with similar operations executed by a hardware security module?
A significant advantage is the possibility to keep all passphrases in the internal memory of the HSM. So you get 2FA, since you need to have the physical device and the PIN code to access the features of the HSM. Performance is not a problem for me; this is just an experiment.
Looking at the source code on GitHub, it looks like most of the operations that should be done by the HSM are implemented in cryptolib (FileContentCryptorImpl, FileHeaderCryptorImpl, FileNameCryptorImpl).