Marvell on Wednesday introduced its next-generation hardware security module (HSM) designed to speed up cryptography workloads by orders of magnitude when compared to conventional processors. The LiquidSecurity 2 HSM is aimed primarily at cloud datacenters and therefore offers considerably higher performance than its 2015 predecessor.
Marvell's LiquidSecurity is a hardware security module (HSM) adapter that sits in a server, encrypts and decrypts all the data hosted on the machine and stores the hardware-secured keys onboard. HSMs are widely used by companies for which secure transactions are mission critical (e.g., banks, processing companies, etc.), they are usually tricky and expensive to manage, which is why modern hyperscale cloud datacenters do not always use them and prefer to rely on general-purpose hardware, such as CPUs, hardware disk encryption, and software.
But HSMs have an inherent advantage over conventional security and encryption methods as they consume less energy, offer better performance, store keys in hardware-secured enclaves, and separately encrypt data in isolated partitions to enable virtual machines to have dedicated resources in FIPS certified boundary.
Marvell's LiquidSecurity 2 is a PCIe 4.0 x8 HHHL card that leverages the company's Octeon data processing unit (DPU) hardware and stores up to one million keys for AES, RSA, and ECC encryption algorithms, and 45 partitions for multi-tenant use cases common in hyperscale datacenter environments. The HSM can process up to 42,000 RSA-2K operations per second, up to 100,000 ECC P-256 ops/s, and up to 1,000,000 GCM ops/s — all while consuming only 35W – 50W of power.
To offer this kind of performance and features at low power, Marvell's LiquidSecurity 2 has tens of dedicated cores optimized for cryptography operations. For now, Marvell has not disclosed complexity of its LS2 or which production node it uses to make the chip (though, given its low power consumption, we can figure that this is hardly a very complex IC).
Since the LiquidSecurity 2 is aimed at business critical and mission critical applications, it fully meets various fault tolerance and high availability requirements. Furthermore, the HSM can be updated in the field to support new algorithms, such as post-quantum cryptography. Marvell will offer a comprehensive software development kit (SDK) with its LS2 part, which will naturally provide hyperscalers some additional flexibility if they need to run something proprietary on the HSM. Eventually Marvell will certify its LS2 HSM for FIPS 140-31, CC, eIDAS, and PCI PTS HSM 4.0 compliancy.
Increased performance and added flexibility of the LiquidSecurity 2 HSM compared to the original part is just what the doctor ordered for hyperscale cloud datacenters that serve hundreds of customers many of which may need enhanced security for their business.
Marvell will start shipping its LiquidSecurity 2 hardware security modules to interested parties this fall. Pricing will depend in multiple factors such as volumes or configurations.