# HSM vs MPC vs zero-persistence: a decision framework

> Three models for protecting cryptographic keys, each with honest tradeoffs. Where each one fits, where each one breaks, and how zero-persistence reconstruction sits alongside the established two.

*Primary query: HSM vs MPC. Last updated 2026-04-22.*

There is no universal best choice for protecting cryptographic keys. HSMs, MPC custody, and zero-persistence reconstruction each make different tradeoffs and each fits different workloads. This article maps the three honestly: what each model assumes, what it gives up, and the kinds of workload where each one is the right answer. Treat this as a decision framework, not a marketing comparison.

## What each model actually offers

An HSM offers a hardened boundary around a long-lived key. Strengths: certified tamper resistance, well-understood operational model, broad standards support. Weaknesses: the key persists for years inside the boundary, the boundary is a known target, and the operator with administrative access to the HSM cluster is a single point of catastrophic compromise.

MPC custody offers distribution of trust across operators. Strengths: no single operator holds the whole key, removes a class of single-point compromises, fits institutional governance. Weaknesses: shares persist at rest across the operator estate, the recombination step is a real surface, and the security model degrades to operator-trust under collusion.

Zero-persistence reconstruction offers the absence of a key at rest. Strengths: nothing to harvest, insider non-possession, algorithm agility, recovery flow identical to signing flow. Weaknesses: requires a quorum of recovery agents (operational dependency), benefits are largest when the workload tolerates per-operation reconstruction latency.

## How they compose, not compete

In practice the three models layer well. The secure element used for zero-persistence reconstruction is itself a hardened HSM-class device, Phantom Secrets™ runs as a software layer on top of FIPS-certified hardware. The threshold primitive used for the on-demand derivation is the same threshold cryptography the MPC vendors built their products around, the difference is whether the shares persist between operations.

The decision is rarely 'replace HSMs with X'. It is more often 'where is a key currently sitting between operations, and could it not?'. For most signing and decryption workloads the answer is that the key does not need to persist, and the cleanest model is to stop persisting it.

## Side by side

| Dimension | Conventional approach | Zero-persistence reconstruction |
| --- | --- | --- |
| Material at rest | HSM: the key. MPC: the shares. | Public Regen Tokens only |
| Insider compromise | HSM: catastrophic. MPC: bounded by threshold. | Bounded by quorum; no key exfiltration |
| Per-operation latency | HSM: low. MPC: medium. | Medium (quorum + secure element) |
| Regulatory acceptance | HSM: extensive. MPC: growing. | Maps naturally onto safeguarding obligations |
| Crypto-agility | HSM: per-device upgrades. MPC: per-protocol. | Runtime swap |
| Backup/recovery | HSM: backup ceremonies. MPC: re-share ceremonies. | Same primitive as signing |

## What this looks like in practice

- **A payment processor running per-transaction MAC keys** keeps an HSM cluster for line-rate symmetric operations and adds zero-persistence reconstruction for the higher-value MAC roots that previously sat inside the HSM long-term.
- **A digital-asset custodian on MPC** augments the existing MPC cluster with zero-persistence reconstruction so that the share-store stops being the multi-year target while the operational shape of the platform stays the same.
- **A new fintech with no legacy** skips the HSM-cluster build-out and starts on zero-persistence reconstruction with a small recovery-agent quorum, sized to the workload from day one.

## Related Lokblok material

- [Phantom Secrets™ as a layer over existing HSMs](https://www.lokblok.co/solutions/hsm-providers)
- [the underlying threshold-reconstruction architecture](https://www.lokblok.co/architecture)
- [Toughkey™ as the certified secure element](https://www.lokblok.co/products/toughkey)

## FAQ

### When is an HSM still the right answer?

When the workload requires extremely low-latency symmetric operations at line rate, when standards mandate a specific certified module, or when integration cost into legacy systems makes anything else uneconomic. The HSM remains the right choice for those workloads, and zero-persistence reconstruction can sit alongside it for the keys that do not need to persist.

### Is MPC custody obsolete?

No. MPC custody is a meaningful improvement over single-operator key storage and a fit for institutional governance models. The honest framing is that MPC distributes a custody problem; zero-persistence reconstruction removes one. Mature programs often run both during a multi-year migration.

### Can I run zero-persistence reconstruction on an existing HSM?

Yes. Phantom Secrets™ runs as a software layer on top of FIPS-certified secure elements, including HSMs from major vendors. The HSM remains the certified hardware boundary; the runtime layer adds the zero-persistence behaviour on top.

### What does the migration path look like?

Identify the keys that genuinely need to persist (rare) and the keys that only need to exist at the moment of use (most). Move the latter to zero-persistence reconstruction in a parallel path, validate the operational and audit shape, then ramp down the persistent equivalents. The HSM and MPC investments are not wasted, they continue to serve the operations that need them.

## Related insights

- [Alternatives to MPC custody: when threshold key shares are still keys](https://www.lokblok.co/insights/alternatives-to-mpc-custody)
- [Post-quantum key management: why algorithms aren't enough](https://www.lokblok.co/insights/post-quantum-key-management)