Comment Re:Encryption (Score 1) 127
You are mistaken. Security is not something you know, have or are. That's authentication. HSM has nothing to do with authentication. It is key management and secure storage. Your understanding of how an HSM is used is also mistaken. The idea with an HSM is that it does all encryption and decryption operations without ever releasing the key and takes care of requiring proper authorization before performing decryption operations.
When initially configuring an HSM, a key should be created and backed up in a secure manner. The key should be encrypted by one or more additional keys and these keys and final version of the encrypted key should be sent to multiple different secure sites (one key per site). Some redundancy should also be done in case one of the sites is destroyed and each site should only have one key so that all the pieces must be compromised for the key to be compromised.
The final, unencrypted key is loaded in to the HSM. While the server is running, the HSM is authorized from the boot to perform decryption operations. This can be done via a network boot or by direct action when the server boots (the later is more secure but more of a pain). Thus, a running server has access to the HSM and can operate on the data. However, if the server is stolen, the ability the credentials must be entered to unlock the HSM and access the data (credentials which are unavailable) thus the only option is to try and break in to the HSM. Since the hardware is tamper resistant, any mistake will result in the keys being cleared and the encrypted data is protected unless it can be brute forced (effectively impossible as far as we know). If the server is recovered, the backup keys are accessed, the original key is decrypted and reloaded on the HSM and all is back to normal.