diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index 7374dae0..f572f467 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -122,6 +122,8 @@ module "network" {
 
   aws_availability_zones_available = data.aws_availability_zones.available
 
+  enable_codesign_network = true
+
   depends_on = [module.adm_iam_roles]
 }
 
@@ -563,3 +565,14 @@ module "oonith_oohelperd" {
     { Name = "ooni-tier0-oohelperd" }
   )
 }
+
+## Code signing setup
+
+module "codesigning" {
+  source = "../../modules/cloudhsm"
+
+  vpc_id            = module.network.vpc_id
+  subnet_id         = module.network.vpc_subnet_cloudhsm[0].id
+  subnet_cidr_block = module.network.vpc_subnet_cloudhsm[0].cidr_block
+  key_name          = module.adm_iam_roles.oonidevops_key_name
+}
diff --git a/tf/modules/cloudhsm/main.tf b/tf/modules/cloudhsm/main.tf
new file mode 100644
index 00000000..77bf4f02
--- /dev/null
+++ b/tf/modules/cloudhsm/main.tf
@@ -0,0 +1,64 @@
+resource "aws_cloudhsm_v2_cluster" "hsm" {
+  hsm_type   = "hsm1.medium"
+  subnet_ids = [var.subnet_id]
+
+  tags = var.tags
+}
+
+resource "aws_security_group" "hsm" {
+  vpc_id = var.vpc_id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 2223 # Port for CloudHSM
+    to_port     = 2225
+    protocol    = "tcp"
+    cidr_blocks = [var.subnet_cidr_block]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+data "aws_ami" "amazon_linux" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["debian-12-amd64-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["136693071363"] # Debian's official AWS account ID
+}
+
+resource "aws_instance" "codesign_box" {
+  ami = data.aws_ami.amazon_linux.id
+
+  instance_type   = "t3.micro"
+  subnet_id       = var.subnet_id
+  security_groups = [aws_security_group.hsm.name]
+
+  user_data = <<-EOF
+                #!/bin/bash
+                sudo yum update -y
+                sudo yum install -y amazon-cloudhsm-cli
+                sudo amazon-linux-extras install -y epel
+                sudo yum install -y openssl
+                sudo yum install -y engine_pkcs11 opensc
+                EOF
+}
diff --git a/tf/modules/cloudhsm/outputs.tf b/tf/modules/cloudhsm/outputs.tf
new file mode 100644
index 00000000..31b57097
--- /dev/null
+++ b/tf/modules/cloudhsm/outputs.tf
@@ -0,0 +1,3 @@
+output "cloudhsm_cluster_id" {
+  value = aws_cloudhsm_v2_cluster.hsm.id
+}
diff --git a/tf/modules/cloudhsm/variables.tf b/tf/modules/cloudhsm/variables.tf
new file mode 100644
index 00000000..4939d3bc
--- /dev/null
+++ b/tf/modules/cloudhsm/variables.tf
@@ -0,0 +1,28 @@
+variable "aws_region" {
+  description = "The AWS region to create things in."
+  default     = "eu-central-1"
+}
+
+variable "key_name" {
+  description = "Name of AWS key pair"
+}
+
+variable "vpc_id" {
+  description = "the id of the VPC to deploy the instance into"
+}
+
+variable "subnet_id" {
+  description = "the id of the subnet for the HSM"
+  type        = string
+}
+
+variable "subnet_cidr_block" {
+  description = "the ids of the subnet of the subnets to deploy the instance into"
+  type        = string
+}
+
+variable "tags" {
+  description = "tags to apply to the resources"
+  default     = {}
+  type        = map(string)
+}
diff --git a/tf/modules/network/main.tf b/tf/modules/network/main.tf
index 450ef7e7..d1011d3b 100644
--- a/tf/modules/network/main.tf
+++ b/tf/modules/network/main.tf
@@ -1,5 +1,6 @@
 locals {
-  private_net_offset = 100
+  private_net_offset  = 100
+  cloudhsm_net_offset = 200
 }
 
 resource "aws_vpc" "main" {
@@ -58,6 +59,25 @@ resource "aws_subnet" "private" {
   }
 }
 
+resource "aws_subnet" "cloudhsm" {
+  count      = var.enable_codesign_network ? 1 : 0
+  cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, local.cloudhsm_net_offset)
+
+  availability_zone       = var.aws_availability_zones_available.names[0]
+  vpc_id                  = aws_vpc.main.id
+  map_public_ip_on_launch = false
+
+  depends_on = [aws_internet_gateway.gw]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "ooni-cloudhsm-subnet-0"
+  }
+}
+
 resource "aws_eip" "nat" {
   count      = var.az_count
   domain     = "vpc"
diff --git a/tf/modules/network/outputs.tf b/tf/modules/network/outputs.tf
index 5f1844a3..555991dd 100644
--- a/tf/modules/network/outputs.tf
+++ b/tf/modules/network/outputs.tf
@@ -4,11 +4,16 @@ output "vpc_id" {
 }
 
 output "vpc_subnet_public" {
-  description = "The value of the subnet associated to the VPC"
+  description = "The value of the public subnet associated to the VPC"
   value       = aws_subnet.public
 }
 
 output "vpc_subnet_private" {
-  description = "The value of the subnet associated to the VPC"
+  description = "The value of the private subnet associated to the VPC"
   value       = aws_subnet.private
 }
+
+output "vpc_subnet_cloudhsm" {
+  description = "The value of the cloudhsm subnet associated to the VPC"
+  value       = aws_subnet.cloudhsm
+}
diff --git a/tf/modules/network/variables.tf b/tf/modules/network/variables.tf
index 4410ab13..1416be87 100644
--- a/tf/modules/network/variables.tf
+++ b/tf/modules/network/variables.tf
@@ -19,3 +19,8 @@ variable "tags" {
   type        = map(string)
 }
 
+variable "enable_codesign_network" {
+  description = "Enable codesign network"
+  default     = false
+  type        = bool
+}