Secure Messaging - libC Primus
libC Technologies SA Primus Hardware Security Module Solutions as a service or on premises. Features robust and centralized key management. Secure Messaging
PKI, Public Key Infrastructure, security, HSM, hardware security module, encryption, digital signature, authentication, smart card, certificate authority, identity management, X.509 certificate, certificate, Oracle TDE, Oracle, TDE
page-template-default,page,page-id-82,ajax_fade,page_not_loaded,,qode-title-hidden,footer_responsive_adv,qode-theme-ver-16.9,qode-theme-bridge,qode_header_in_grid,wpb-js-composer js-comp-ver-5.5.5,vc_responsive

Secure Messaging with Primus HSM

The Primus Secure Email Messaging and Key Management Service delivers robust hardware based centralized key management backed up by strong cryptography to protect and authenticate point-to-point message communication within user communities. User communities are identified groups of external message recipients and senders authorized to communicate with identified and authorized people belonging to an organization.

The service, which is also available as a complete solution on-premises, addresses cryptographic key and certificate management life-cycle, online hardware-to-hardware key distribution, tamper proof audit as well as usage logs and reporting for compliance with standards.

What it does

As a centralized key and certificate management system, the service enables a client to setup, authorize and manage user communities to establish point-to-point secure messaging between its organization and the identified user communities.


Secure Email messaging between a client and its user communities occurs through the standard Microsoft Windows Outlook Email client to send and receive digitally signed and ciphered messages using the clients’ IT infrastructure (messages are therefore not stored on third party servers). Secure messaging support for clients running Linux based systems is also supported.

All key material used by the client’s users and its community users is stored on Primus HSMs and is accessible via Securosys’ Cloud-HSM. This makes the service available from office desktop and mobile laptops. The cryptographic key material is securely stored and protected on the Primus HSM and never leaves it.


The X.509 certificates associated with each user’s key material is managed by authorized and identified roles by the client through the Key Management Service. Different roles are associated to separate certificate management processes such as certificate registration, authorization of pending certification requests, access to audit logs and certificate renewal.


The service supports one or more external user communities. Secure messaging between communities is possible when explicitly enabled by the client.


Community users access the the Directory Service address book from their mailing client to send secure messages. End user encryption certificates are published per community to the Directory Service. Access to the Directory Service address book is community based.


Each community possesses a dedicated issuing certification authority. The root certification authority is owned by the client. Certification authority cross signing is supported for any certification authority.

How it works

Client administrator roles create user communities using the Key Management Service. They invite end users (internal/external) to join the community. An email with a link to the registration page is sent to the end user.



Upon invitation email, end users register with the community by generating a digital signature and encryption key pair on the Primus HSM. The end user generated certificate requests are automatically forwarded to the Key Management Service for control and authorization.



Client authorizer roles accept or reject end user registrations. When accepted, the Key Management Service generates the end user certificates, notifies the end user and publishes the encryption certificate in the Directory service matching the specified user and community.



Client administrator roles can subsequently revoke, renew and manage issued certificates.



Automatic certificate renewal, CRL publication and publication is configured by administrator roles.



Key audit usage logs, reporting and statistics is available to auditor roles. A Splunk Forwarder agent is available and can be activated.

Upon successful registration, end users configure the community Directory Service address book in their preferred email client. Automatic configuration of the address book may be performed through the Microsoft Exchange GAL.



End users can start sending and receiving secure emails between community members. Online certificate validation is enabled when the certificate distribution point and/or the authority information access is defined in the end user certificates.


  • Available on premises or as cloud service
  • Unlimited communities and users
  • Primus onboard hardware-based key generation, storage, replication and backup/restore
  • RFC compliant X.509 Public Key Infrastructure supporting both RSA and EC key pairs
  • Role based access control to the Key Management Service
  • Feature rich certificate policy templates
  • Certificate revocation, renewal and publication
  • Dashboard, statistics and CSV exports
  • Splunk forwarding agent available when operating on-premises
  • ISO certified hosting service (9001/20000/27018/14001/27001) for the Key Management Service operated by experienced professionals with security clearance
  • Securosys Cloud HSM or on-premises Primus SHM
  • Maintenance and support