This article highlights exactly why a HSM may be potentially elegant, but also really really dependant on embedding the process for using it in your operational processes (which would include performing that operation regularly to ensure it still works and that knowledge of its use is retained).

For a 'best effort' hosted internal service, this is not a good choice.