If you ever encrypted something, most likely you bumped into a necessity to handle somehow cryptographic keys. If not, then an application did that for you seamlessly, but they still exist:)

It is sporadic when vulnerabilities are found in encryption algorithms itself. But you do not need to crack an algorithm if you can steal a key, do you? In cryptography, key management is usually the weakest link in the whole chain. Next one is algorithm implementation, but today we will talk about keys.

Where does weakness come from around crypto keys? Obviously, they are something you are supposed to know on your own, but effectively you can not. That is not a password, but a random string of characters. You need to create a key, store it, apply, remove. And between every step, you move if from one place to another. So many places for mishandling!

In an ordinary course of action, you have an application installed on your phone or on a laptop. You somehow store cryptographic keys, either in a secure vault or on the desktop. You give plain data to the application and keys, and it produces encrypted text.

The ultimate solution to all these issues is HSM (Hardware Security Module). Think about it as a server where all cryptography happens inside. A cryptographic key never leaves its premises, it is generated inside and cannot be extracted. You send data to that server, and it returns you an encrypted data. The main feature is that no one can extract cryptography key from HSM under any circumstances. On top of that, a server itself is located in a data centre with strict physical control.