<@U04UQ68083H> How does the hsm setting work?
# ory-copilot
A message from kapa.ai
The Hardware Security Module (HSM) settings in Ory Hydra can be configured using environment variables or a configuration file. The HSM settings include enabling the HSM, specifying the library path, token label, slot, pin, and key set prefix. Here is an example of how to set these configurations:
```bash
HSM_ENABLED=true
HSM_LIBRARY=/path/to/hsm-vendor/library.so
HSM_TOKEN_LABEL=hydra
HSM_SLOT=0
HSM_PIN=1234
HSM_KEY_SET_PREFIX=app1.
```
The token that's denoted by environment variables `HSM_TOKEN_LABEL` or `HSM_SLOT` must preexist and optionally contain RSA (or ECDSA for JWT) key pairs with labels `hydra.openid.id-token` and `hydra.jwt.access-token` depending on configuration. If keys with these labels don't exist, they will be generated upon startup. If both `HSM_TOKEN_LABEL` and `HSM_SLOT` are set, `HSM_TOKEN_LABEL` takes precedence over `HSM_SLOT`. In this case, the first slot that contains this label is used. `HSM_LIBRARY` must point to a vendor-specific PKCS#11 library or SoftHSM library. `HSM_KEY_SET_PREFIX` can be used in case multiple Ory Hydra instances need to store keys on the same HSM partition. For more information on configuration options, you can visit the [configuration reference](https://www.ory.sh/hydra/docs/reference/configuration). Source: [Hardware Security Module Configuration](https://www.ory.sh/docs/hydra/self-hosted/hsm-support#hardware-security-module-configuration)