AWS CloudHSM is a cloud-based hardware security module that enables you to provision and manage your own single-tenant HSMs for generating and using encryption keys.
A hardware security module (HSM) performs cryptographic operations and provides secure storage for cryptographic keys.
You can perform the following cryptographic tasks:
Generate, store, import, export, and manage cryptographic keys.
Use symmetric and asymmetric algorithms to encrypt and decrypt your data.
Compute message digests and hash-based message authentication codes using cryptographic hash functions.
Cryptographically sign data and verify signatures.
Generate cryptographically secure random data.
Use Case
Offload SSL/TLS processing for web servers.
Protect private keys for an issuing certificate authority (CA).
Enable transparent data encryption (TDE) for Oracle databases.
Concepts
Clusters
A collection of individual HSMs.
When you perform a task on one HSM in a cluster, the other HSMs are automatically kept up to date.
You can create a cluster with 1 to 28 HSMs and place the HSMs in different AZs within a region.
A cluster provides higher performance as you add more HSMs.
When you add a new HSM to a cluster:
AWS CloudHSM backs up all the keys, users, and policies on an existing HSM.
It then restores that backup onto the new HSM to keep the HSMs in sync.
Supports cluster load balancing.
Backups
You can do periodic backups of users, keys, and policies in your cluster.
Backups are stored in an S3 bucket in the same region as your cluster.
Default backup retention policy for a cluster is 90 days.
You can only restore backups onto AWS-owned HSMs made by the same manufacturer.
Supports copying of backups across AWS regions.
The HSM encrypts all data with an ephemeral backup key (EBK) before sending it to AWS CloudHSM.
To encrypt the EBK, the HSM uses a persistent backup key (PBK).
The PBK is generated with a key derivation function (KDF). The inputs to the KDF include the following:
Manufacturer key backup key (MKBK)
AWS key backup key (AKBK)
HSM users
HSM users are distinct from IAM users.
To create and manage users on an HSM, you use the CloudHSM Management Utility (CMU).
An HSM user has a type that defines which operations they can perform on the HSM.
Precrypto officer (PRECO) – temporary user on the first HSM in a cluster.
Crypto officer (CO | PCO) – performs user management operations and supports 2FA.
Crypto user (CU) – performs key management and cryptographic operations.
Appliance user (AU) – performs cloning and synchronization operations.
Supports quorum authentication.
Keys
Only a CU can create a key in CloudHSM.
You can use the following to manage keys on an HSM:
PKCS #11 library
JCE provider
CNG and KSP providers
key_mgmt_util
Use the syncKey command in the CMU to synchronize keys between clusters.
CLI tools
CloudHSM Management Utility (CMU)
The cloudhsm_mgmt_util helps COs manage users on HSMs.
It also has commands that allow CUs to share keys and to get and set key attributes.
Key Management Utility (KMU)
The key_mgmt_util allows CUs to manage keys on HSMs.
Supports tagging of CloudHSM resources.
Monitoring
To monitor diagnostic and troubleshooting information from applications you create, use Client SDK logging.
To monitor API calls such as the creation and deletion of clusters, HSMs, and resource tags, use AWS CloudTrail.
With Amazon CloudWatch, you can monitor the following:
Health of cluster
Logs from HSM instances
Pricing
You are charged per hour for each HSM you launch.