US11265160B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11265160-B2 |
| Application number | US-201916277536-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 15, 2019 |
| Priority date | Feb 15, 2019 |
| Publication date | Mar 1, 2022 |
| Grant date | Mar 1, 2022 |
Abstract
A key management system includes a hardware security module (HSM) with a secure memory; an HSM driver implementing an API, interfaced with the HSM to provide handles to cryptographic objects stored on the secure memory of the HSM; and a shim layer interfaced with the HSM driver. The layer is generally configured to enable a client application to interact with the HSM via the driver, i.e., for the HSM to manage cryptographic objects for the client, notwithstanding the layer. External memory storage resides outside the HSM and is interfaced with the layer. The method includes instructing (at the layer) to: (i) encrypt cryptographic objects from the HSM (with the help of the driver) and store the resulting encrypted objects at respective memory locations on the storage, to free up memory space; and (ii) store handles to such cryptographic objects along with references to said respective memory locations, on the storage.
Claims (preview)
What is claimed is:

1. A computer-implemented method for managing cryptographic objects, the method comprising: providing a key management system comprising: a hardware security module (HSM), having a secure memory; an HSM driver, implementing an application programming interface (API), interfaced with the HSM to provide handles to cryptographic objects stored on the secure memory; a shim layer interfaced with the HSM driver, the shim layer configured to enable a client application to interact with the HSM via the HSM driver for the HSM to manage cryptographic objects for the client application, notwithstanding the shim layer; and external memory storage, wherein the external memory storage resides outside the HSM and is interfaced with the shim layer, and at the shim layer: instructing, via the HSM driver, to encrypt cryptographic objects from the HSM and instructing to store the resulting encrypted objects at respective memory locations on the external storage, in order to be able to free up memory space on the secure memory, and instructing to store handles to such cryptographic objects along with references to said respective memory locations, on the external storage, the handles comprising abstract references to said cryptographic objects, usable by application software to reference a corresponding one of the cryptographic objects, the application software being reminded that the corresponding one of the cryptographic objects is in fact managed by and stored inside the HSM; wherein the method further comprises monitoring a memory available on the secure memory, whereby instructing to encrypt the cryptographic objects and store handles thereto is carried out dependent on the monitored memory; and wherein instructing to encrypt the cryptographic objects and store handles thereto is carried out dependent on the monitored memory being less than a first threshold, further comprising deleting an oldest one of said cryptographic objects, already stored in said external storage, from said secure memory of said HSM, based on said monitored memory also being less than a second threshold, lower than said first threshold.

2. The method according to claim 1, wherein this available memory is monitored by the shim layer.

3. The method according to claim 1, wherein at deleting, the deletion of the cryptographic objects is deferred for a time period determined based on the monitored memory.

4. The method according to claim 1, wherein the method further comprises, at the shim layer, monitoring ones of the handles provided by the HSM driver, wherein such ones of the handles include, on the one hand, first handles to cryptographic objects currently stored on the secure memory and, on the other hand, second handles to cryptographic objects currently stored on the external storage.

5. The method according to claim 1, wherein said HSM driver is a standard, platform-independent application programming interface library.

6. The method according to claim 1, wherein said cryptographic objects comprise one or each of: cryptographic keys, including symmetric keys and/or asymmetric keys; and initialization vectors.

7. A computer-implemented method for managing cryptographic objects, the method comprising: providing a key management system comprising: a hardware security module (HSM), having a secure memory; an HSM driver, implementing an application programming interface (API), interfaced with the HSM to provide handles to cryptographic objects stored on the secure memory; a shim layer interfaced with the HSM driver, the shim layer configured to enable a client application to interact with the HSM via the HSM driver for the HSM to manage cryptographic objects for the client application, notwithstanding the shim layer; and external memory storage, wherein the external memory storage resides outside the HSM and is interfaced with the shim layer, and at the shim layer: instructing, via the HSM driver, to encrypt cryptographic objects from the HSM and instructing to store the resulting encrypted objects at respective memory locations on the external storage, in order to be able to free up memory space on the secure memory, instructing to store handles to such cryptographic objects along with references to said respective memory locations, on the external storage; monitoring ones of the handles provided by the HSM driver, wherein such ones of the handles include, on the one hand, first handles to cryptographic objects currently stored on the secure memory and, on the other hand, second handles to cryptographic objects currently stored on the external storage; wherein: monitoring said ones of the handles comprises intercepting calls made by the client application to the HSM driver; and the method further comprises, at the shim layer and for each call of the intercepted calls, retrieving a cryptographic object referenced in said each call by comparing a corresponding handle in said each call to handles as monitored at the shim layer.

8. The method according to claim 7, wherein retrieving said cryptographic objects further comprises, for said each call, determining whether the cryptographic object referenced in said each call is currently stored on the secure memory or stored encrypted on the external storage, by comparing the corresponding handle to handles as monitored at the shim layer.

9. The method according to claim 8, wherein the method further comprises, if it is determined that the referenced object is currently stored on the secure memory, forwarding said each call to the HSM via the HSM driver for the HSM to provide the cryptographic object as referenced in said each call.

10. The method according to claim 8, wherein the method further comprises, if it is determined that the referenced object is currently stored encrypted on the external storage: identifying, on the external storage, a reference associated to a handle corresponding to the referenced object, and obtaining the encrypted object as stored at a memory location corresponding to the identified reference; decrypting the object obtained for it to be stored on the HSM; and after having stored the decrypted object on the HSM, forwarding said each call to the HSM for it to provide the cryptographic object as referenced in said each call.

11. The method according to claim 10, wherein encrypting and decrypting a cryptographic object is carried out under control of the shim layer, whereby the latter instructs the HSM driver to cause the HSM to use one or more cryptographic keys available at the HSM, in order to encrypt and decrypt said cryptographic object.

12. A computer-implemented method for managing cryptographic objects, the method comprising: providing a key management system comprising: a hardware security module (HSM), having a secure memory; an HSM driver, implementing an application programming interface (API), interfaced with the HSM to provide handles to cryptographic objects stored on the secure memory; a shim layer interfaced with the HSM driver, the shim layer configured to enable a client application to interact with the HSM via the HSM driver for the HSM to manage cryptographic objects for the client application, notwithstanding the shim layer; and external memory storage, wherein the external memory storage resides outside the HSM and is interfaced with the shim layer, and at the shim layer: instructing, via the HSM driver, to encrypt cryptographic objects from the HSM and instructing to store the resulting encrypted objects at respective memory locations on the external storage, in order to be able to free up memory space on the secure memory, instructing to
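The swap-out scheme of claims 1 to 11 as a runnable simulation. This is an added example, not code from the patent or its assignee: the HSM, its driver and the wrapping operation are stand-ins (the XOR "wrap" with a resident KEK only marks where a real HSM would use a key-wrap algorithm), and the threshold values, handle names and `ext/<handle>` locations are constructed for illustration. It shows the shim monitoring free secure memory, wrapping and copying objects out below the first threshold, evicting the oldest already-copied object below the second threshold, and restoring an object transparently when a client call references a handle that is no longer resident.

```python
import os
from collections import OrderedDict

class FakeHsm:
    """Stand-in HSM: fixed-size secure memory plus a resident wrapping key (KEK)."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.objects = OrderedDict()   # handle -> key bytes; insertion order = age
        self.kek = os.urandom(32)      # wrapping key never leaves the HSM
    def free(self):
        return self.capacity - len(self.objects)
    def wrap(self, handle):            # toy XOR "wrap"; a real HSM would use a key-wrap mode
        return bytes(a ^ b for a, b in zip(self.objects[handle], self.kek))
    def unwrap(self, handle, blob):
        self.objects[handle] = bytes(a ^ b for a, b in zip(blob, self.kek))

class ShimLayer:
    """Sits between client and driver: tracks handles, swaps objects out and back in."""
    def __init__(self, hsm, low, critical):
        assert 1 <= critical <= low, "critical >= 1 keeps a slot free for restores"
        self.hsm, self.low, self.critical = hsm, low, critical
        self.resident = set()          # first handles: objects in secure memory
        self.swapped = {}              # second handles: handle -> external location
        self.external = {}             # external storage: location -> wrapped object
    def where(self, handle):           # claim 8: compare against the monitored handles
        if handle in self.resident: return "secure"
        if handle in self.swapped: return "external"
        return None
    def _rebalance(self):
        free = self.hsm.free()         # monitored secure memory
        if free < self.low:            # first threshold: wrap and copy out resident objects
            for h in self.resident - set(self.swapped):
                self.swapped[h] = loc = f"ext/{h}"
                self.external[loc] = self.hsm.wrap(h)
        if free < self.critical:       # second threshold: evict the oldest copied object
            oldest = next(h for h in self.hsm.objects if h in self.swapped)
            del self.hsm.objects[oldest]
            self.resident.discard(oldest)
    def create_key(self, handle, key):
        self._rebalance()
        self.hsm.objects[handle] = key
        self.resident.add(handle)
        return handle
    def use_key(self, handle):         # intercepted client call referencing a handle
        if self.where(handle) == "external":         # restore before forwarding
            self._rebalance()
            self.hsm.unwrap(handle, self.external[self.swapped[handle]])
            self.resident.add(handle)
        return self.hsm.objects[handle]   # forward to the HSM (raises if unknown)
```

Note that an object restored from external storage keeps its external copy, so it can be evicted again without a second wrap, which is what lets the oldest-first deletion of claim 1 work only on objects that are already safely stored outside.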
CPC classification titles:

- involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
- Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
- using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates