The security module is the module in privacyIDEA that is responsible for encrypting information. The default security module uses the file /etc/privacyidea/enckey, which is specified in pi.cfg. The enckey contains the encryption keys for encrypting the otp secret keys and also password, like for the LDAP connection. The default security module also allows to encrypt this encryption key file. In such a case the administrator would have to enter the encryption passphrase after starting the privacyIDEA service.
In privacyIDEA 2.12 there will be a new security module to choose from. The PKCS11 security module. PKCS11 is the protocol that is used to talk to cryptographic hardware like smartcards and hardware security modules. With the PKCS11 security module you will be able to keep your encryption keys in hardware and decrypt all sensitive information in hardware. This way there will be no sensitive information located on the privacyIDEA system and you will be able to build even safer authentication systems.
Stay tuned for version 2.12.