Use Cases

The ramifications of improper code signing can be catastrophic. Unfortunately, enterprises have traditionally been forced to choose between security— securely storing signing keys in an HSM— and performance— uploading large bodies of data to servers connected to the centrally-managed HSMs consumes lots of bandwidth and takes time. This problem is further magnified by the fact that natively supporting platforms like Apple or GPG with HSM-secured keys can be quite challenging. 

GaraSign overcomes these challenges with a host of native client integrations and an advanced architecture that keeps code signing fast while private keys remain in HSMs.

All too often, the keys used to SSH to critical servers are stored unprotected on the local workstations of system administrators and developers or on network shares. These sensitive keys are easily compromised, difficult to manage, and hard to keep track of, making them high-value targets for attackers.

GaraSign makes managing and securing SSH keys simple. All SSH keys remain secured in your HSMs while the team members who need to use those keys are restricted to proxied access. You can easily grant/revoke authorizations and transparently layer in multi-factor authentication and/or device authentications for each specific private key, without needing to reconfigure the SSH server. All of these security features come out of the box, and performance is never impeded.

Email, despite being one the very first methods for digital correspondence, remains the most commonly-used form of business communication. As such, CIOs and CISOs must find a way to secure email without hindering business processes. S/MIME is an established solution for securing email but is considered too difficult to deploy for most enterprises.

With GaraSign, deploying and managing S/MIME throughout a large environment is made simple. GaraSign integrates with your Active Directory domain and Certificate Authorities (both internal and external) to auto-generate keys and certificates for each of your employees, ensuring that the deployment is easy and free of manual administrative processes. At the same time, GaraSign’s cryptographic service providers integrate directly into your employees’ email clients to transparently sign and encrypt email. As team members come and go, their keys are easily granted and revoked from a centralized interface. Since the keys are secured in HSMs at all times and centrally managed, encrypted emails are always recoverable and can be made available to legal and compliance teams whenever required.

Printing documents to sign is tedious, slow, insecure, and environmentally unfriendly. Most businesses would like to take advantage of digital signing but struggle to meet the requirements needed to securely manage private keys while allowing end users to easily sign documents.

With GaraSign, all document signing private keys remain secured in an HSM. End-users are quickly and efficiently granted access to the signing keys whenever needed, without slowing down the pace of day-to-day business.

Maintaining application log files is essential to analyzing and improving software. All too often, log files are left unencrypted, creating security risks and potentially failing to meet data privacy regulations.

GaraSign allows you to transparently encrypt your application log files without modifying the application code. By injecting itself at the appropriate places in the major logging frameworks, GaraSign’s encryption feature is able to encrypt some or all the data being logged in a manner that can only be decrypted by the author of the software. This allows help desk personnel to get the full use of the log files while simultaneously blocking unauthorized users access to its content.

Storing backups with a third-party provider provides a high degree of redundancy. Unfortunately, without proper encryption, the third party could potentially read or manipulate your data. Being able to protect your sensitive data is a critical component of any comprehensive backup strategy.

Using GaraSign, you can sign and encrypt your backups to prevent third parties from reading or altering the data, while the cryptographic keys remain secured in HSMs. This approach is agnostic to which third-party provider is being used to perform the backup and integrates directly into any existing backup processes. Customers wishing to have a higher degree of legal protection can also choose to cryptographically timestamp their backups to prove when the backup was created and verify that the data hasn't been modified since.