Integrate Hardware Security Module support in Cryptomator

This question is for the developers of Cryptomator: is it feasible to replace the encryption/decryption and digest computation used by Cryptomator with similar operations executed by a hardware security module?

A significant advantage is the possibility to keep all passphrases in the internal memory of the HSM. So you get 2-FA, since you need to have the physical device and the PIN code to access the features of the HSM. Performance is not a problem for me; this is just an experiment.

Looking at the source code on GitHub, it looks like most of the operations that should be done by the HSM are implemented in cryptolib (FileContentCryptorImpl, FileHeaderCryptorImpl, FileNameCryptorImpl).

You don’t encrypt data in an HSM. You use the HSM to derive the master key or key encryption keys.

So, developers probably don’t need to touch that code. They need to review how it’s done in other apps such as KeePassXC and include a similar feature in Java.
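To make the reply's point concrete, here is an added Java sketch that is not Cryptomator's code: `HsmStub` is a hypothetical software stand-in for the token (a real integration would sit behind the SunPKCS11 provider), it only wraps and unwraps the vault master key, and file content is still encrypted in software under the unwrapped key.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class HsmKeyWrapDemo {
    // Hypothetical HSM stand-in: the KEK is created inside and never leaves; only wrap/unwrap are exposed.
    static final class HsmStub {
        private final SecretKey kek;
        HsmStub() throws Exception { kek = newAesKey(); }
        byte[] wrap(SecretKey masterKey) throws Exception {
            Cipher c = Cipher.getInstance("AESWrap");            // RFC 3394 key wrap
            c.init(Cipher.WRAP_MODE, kek);
            return c.wrap(masterKey);
        }
        SecretKey unwrap(byte[] wrapped) throws Exception {
            Cipher c = Cipher.getInstance("AESWrap");            // rejects a tampered blob
            c.init(Cipher.UNWRAP_MODE, kek);
            return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        }
    }
    static SecretKey newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }
    // Bulk AES-GCM content encryption stays in software; layout: 12-byte nonce || ciphertext || 16-byte tag.
    static byte[] encryptContent(SecretKey masterKey, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12]; new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, masterKey, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
    }
    static byte[] decryptContent(SecretKey masterKey, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, masterKey, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);            // AEADBadTagException if modified
    }
    public static void main(String[] args) throws Exception {
        HsmStub hsm = new HsmStub();
        SecretKey masterKey = newAesKey();
        byte[] wrappedMasterKey = hsm.wrap(masterKey);       // this blob is what the vault would store
        byte[] blob = encryptContent(masterKey, "constructed sample file content".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decryptContent(hsm.unwrap(wrappedMasterKey), blob), StandardCharsets.UTF_8));
    }
}
```

Only the wrapped master key blob leaves the token, so the cryptolib content and header ciphers mentioned in the question can stay as they are.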