
Hardware Security Module (HSM)

Frequently Asked Questions



Question 1: What is a Hardware Security Module (HSM)?

Answer: A Hardware Security Module (HSM) is a physical device that provides extra security for sensitive data by managing, processing, and storing cryptographic keys. For more information on digital signatures, including how HSMs are used to seal documents in AlphaTrust® e-Sign, refer to our Digital Signatures documentation.


Question 2: Can I embed a digital signature in PDF documents using AlphaTrust® e-Sign?

Answer: Yes, AlphaTrust® e-Sign can embed standards-compliant digital signatures in PDFs, verifiable by third-party software such as Adobe Acrobat or Reader.

Embedded PDF digital signatures are automatically used by AlphaTrust-operated SaaS versions of AlphaTrust® e-Sign. Customers running their own instances of AlphaTrust® e-Sign can enable their systems to use such embedded PDF digital signatures, if desired. This requires the use of third-party services and hardware – please contact AlphaTrust Solutions for more information.


Question 3: What types of embedded PDF digital signatures are supported by AlphaTrust® e-Sign?

Answer: AlphaTrust® e-Sign supports standard digital signatures, referred to as "seals". Certification signatures have been deprecated as of version 5.16+. For more details, refer to Digital Signatures.


Question 4: How do I configure the default digital signature behavior in AlphaTrust® e-Sign?

Answer: Default behavior is configured using the EnforceAddDigitalSignaturesForAllPDFDocumentsType setting. For AlphaTrust-operated SaaS systems, this is configured to 2 (i.e. enforce embedded PDF "seal").


Question 5: How can I configure digital signature type for an individual document?

Answer: The digital signature type for an individual document can be set using the ServiceType property in the DocumentInsertModel. The possible values for ServiceType are:

  • Sign: Applies a basic digital signature.
  • SignAndSeal: Applies a digital seal to the document.
  • SignAndCertify: (Deprecated) Applied a certification signature.

If no value is specified for this property, the system's default behavior is used.

Note: On systems configured to enforce a seal through the EnforceAddDigitalSignaturesForAllPDFDocumentsType setting (such as AlphaTrust SaaS systems), specifying Sign does not override that setting: the PDF digital signature is still embedded.


Question 6: What compliance standards do the embedded PDF digital signatures adhere to?

Answer: Embedded PDF digital signatures comply with EU eIDAS, ETSI PAdES, and ESRA standards, and are compliant with the Adobe Authorized Trust List program.
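As an added example (not AlphaTrust code), the following Python sketch shows a structural check an integrator could run on a returned PDF to confirm it carries an embedded signature, as described in Questions 2 and 6: it reads each signature's /SubFilter and /ByteRange and reports whether the signed range covers the whole file. It does not validate the cryptographic signature or certificate chain, the 1 KiB search window is a simplifying assumption, and `build_sample` produces constructed bytes rather than a real sealed document.

```python
import re

# SubFilter names used by PAdES signatures and document timestamps.
PADES_SUBFILTERS = {"ETSI.CAdES.detached", "ETSI.RFC3161"}
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
SUBFILTER = re.compile(rb"/SubFilter\s*/([A-Za-z0-9_.]+)")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f\s]*>")


def inspect_pdf_signatures(pdf: bytes) -> list:
    """Structural report per embedded signature; no cryptographic validation."""
    reports = []
    for match in BYTE_RANGE.finditer(pdf):
        off1, len1, off2, len2 = (int(g) for g in match.groups())
        gap = pdf[off1 + len1:off2]  # the only bytes the signature does not cover
        # Assumption: the dictionary's other keys sit within 1 KiB of /Contents.
        window = pdf[max(0, off1 + len1 - 1024):off1 + len1] + pdf[off2:off2 + 1024]
        sub = SUBFILTER.search(window)
        name = sub.group(1).decode() if sub else None
        reports.append({
            "subfilter": name,
            "pades": name in PADES_SUBFILTERS,
            "starts_at_zero": off1 == 0,
            # Anything other than one hex string in the gap is unsigned content.
            "gap_is_contents_only": HEX_STRING.fullmatch(gap) is not None,
            # False means bytes were appended after this signature was applied.
            "covers_whole_file": off2 + len2 == len(pdf),
        })
    return reports


def build_sample(subfilter: str, appended: bytes = b"") -> bytes:
    """Constructed signature dictionary for the demo (not a complete PDF)."""
    template = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /SubFilter /%s "
                b"/ByteRange [0 %010d %010d %010d] /Contents ")
    contents = b"<" + b"00" * 16 + b">"  # placeholder for the CMS blob
    tail = b" >>\nendobj\n%%EOF\n"
    head_len = len(template % (subfilter.encode(), 0, 0, 0))  # fixed-width fields
    head = template % (subfilter.encode(), head_len,
                       head_len + len(contents), len(tail))
    return head + contents + tail + appended


if __name__ == "__main__":
    for report in inspect_pdf_signatures(build_sample("ETSI.CAdES.detached")):
        print(report)
```

An empty result means no embedded signature was found. A `covers_whole_file` value of False on the last signature in a file means content was added after signing and warrants a full validation in a PDF signature validator.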


Answer: It is common to encounter occasional warnings and errors related to HSM operations, including 'deadlocks' and 'digital signature failures'. Here is an explanation of what typically happens and how our systems handle these issues:

  • gRPC Call Failures: When attempting to seal documents, failures can occur due to the specific environment or workload. However, our document service is designed to automatically retry and complete the sealing process if the initial attempt fails via the gRPC call. This is why a document might initially report a failure but later show as successfully sealed.

  • Deadlocks and Warnings: Experiencing deadlocks and receiving related warnings is expected under certain circumstances, particularly in environments with high concurrency where multiple servers are attempting to acquire locks simultaneously. These warnings often indicate that the system made several attempts to release or acquire locks but encountered temporary issues. The messages typically include reassurances such as "nothing to worry about," reflecting that the system is designed to handle such situations robustly by retrying operations.

  • Managing Document Service Load: If you are running the document service on multiple servers, reducing the number of active instances can help mitigate the frequency of these issues. The service operates continuously, with only short pauses (about 5 seconds) between runs. It is configured to automatically pick up and process documents that were not handled by the initial gRPC call.