YUBICO YubiHSM

It just makes sense to put tight security on the servers that store guarded secrets for all user authentications. If those servers are compromised it means the security of all cryptographic keys and passwords resident on them are compromised - or in other words, a disaster.
YubiHSM is an easy, affordable and secure protection of authentication secrets stored on the authentication or key server. The device protects data at rest against remotely conducted intrusion attacks and internal threats like employees copying secrets. YubiHSM features a secure element and a small nano design with a molded plastic harness.

• Easy and affordable
  The YubiHSM installation does not require any specialized setup and it is quickly configured as it requires no additional drivers or software to use. It consumes less than 0.2W being quite affordable.
• Encrypts and protects secrets
  The YubiHSM is configured by default to support Yubico's OTP validation, but can be configured to handle AES encryption/decryption, secure comparison of decrypted data or HMAC-SHA1 validation with the key stored on the YubiHSM. In addition, it can be used to generate truly random numbers derived from the physical characteristics of the computer and USB port to which it is attached.
• Securing Yubico OTP secrets
  The YubiHSM processes the encryption, decryption, and storage of keys. When called to validate a Yubico OTP, it will load the OTP and the associated encrypted key into its onboard processor and perform the decryption and comparison. Subsequently, it will only pass the validation results and associated data (such as usage counters) back to the host machine; the decrypted key and plaintext OTP never leave the YubiHSM hardware. This provides a great level of security for secrets, should an authentication server become compromised - the secrets themselves remain secure in the YubiHSM hardware, encrypted with a 128-bit AES key.