On highly sensitive KNX Secure installations (strategic sites, defence buildings), the keyring keys can be stored in a Hardware Security Module (HSM) attached to ETS, guaranteeing that the keys never leave the secure hardware even during download operations.

An HSM is a certified hardware device (typically FIPS 140-2 level 3 or above) that stores cryptographic keys with several protections: true random key generation (TRNG), crypto operations executed in protected memory (the key is never in the clear in ETS RAM), tamper-evident audit logging and physical tamper detection. A USB HSM costs roughly 500-5000 euros and is reserved for high-security sites: banking, defence and critical infrastructure. It is standard practice in those sectors, exotic everywhere else.

The vast majority of KNX Secure installs do NOT need an HSM — the encrypted ETS keyring suffices in 99 % of cases. If you do deploy one, plan the PIN/recovery procedure before deployment: a lost HSM credential under FIPS 140-2 level 3 is genuinely unrecoverable, and you will lose access to the keyring permanently.