Re: H/W vs S/W vs cloud
Doing this in the clown can actually be secure. Kind of, at least. The trick is to have the HSM that keeps the keys also authenticate the user. Presumably with some sort of OTP/token scheme - presenting one OTP to the HSM means you get it to sign one hash for you.
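The scheme described in the post above, sketched as an added example that is not part of the original post: a toy model in which the same object holds the signing key and verifies an RFC 4226 HOTP value, releasing exactly one signature per accepted OTP. `ToyHSM`, its methods and all key material are hypothetical and constructed for illustration, and the "signature" is an HMAC standing in for the asymmetric signature a real HSM would produce.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ToyHSM:
    """Hypothetical model: keys and OTP state never leave this object."""

    def __init__(self, signing_key: bytes, window: int = 3):
        self._signing_key = signing_key   # never exported
        self._users = {}                  # user -> [otp_secret, next_counter]
        self._window = window             # look-ahead for skipped token presses

    def enroll(self, user: str, otp_secret: bytes) -> None:
        self._users[user] = [otp_secret, 0]

    def sign_hash(self, user: str, otp: str, digest: bytes):
        """Return a signature over one digest, or None if the OTP is rejected."""
        if user not in self._users or len(digest) != 32:
            return None
        secret, counter = self._users[user]
        for step in range(counter, counter + self._window):
            if hmac.compare_digest(hotp(secret, step), otp):
                # Burn the counter before signing so the OTP cannot be replayed.
                self._users[user][1] = step + 1
                # Stand-in for an asymmetric signature (keeps this stdlib-only).
                return hmac.new(self._signing_key, digest, hashlib.sha256).digest()
        return None


def demo():
    hsm = ToyHSM(signing_key=b"constructed-signing-key")
    token_secret = b"12345678901234567890"   # RFC 4226 test secret
    hsm.enroll("alice", token_secret)
    digest = hashlib.sha256(b"constructed artifact bytes").digest()
    otp = hotp(token_secret, 0)
    first = hsm.sign_hash("alice", otp, digest)    # accepted, counter advances
    replay = hsm.sign_hash("alice", otp, digest)   # same OTP again: rejected
    second = hsm.sign_hash("alice", hotp(token_secret, 1), digest)
    return first, replay, second
```

The sketch leaves out rate-limiting of failed OTP attempts, which a six-digit code needs in any real deployment.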