Overview

• This is a managed services for data encryption.

• HSM = Hardware Security Module [1]
• Validated to FIPS 140-2 Level 3
• Generate encryption keys

A cloud HSM is a custom keystore.

• Allows the storage of keys outside the KMS in side the CloudHSM cluster.

• Useful if the key material cannot be stored in a shared environment.

Cloud HSM is deployed as a cluster:

• The default size is 6 per account per region.
• Cloud HSM manages key synchronizations for you.

Cloud HSM features

• High availability.
• Load balancing.
• Replication.
• Scaling.
• Managed by AWS.
• Integrates with AWS services.

Cloud HSM Use cases

• Key management in tamper resistant hardware.
• Curtail in PKI systems.
• Digital rights management - copyright laws.
• Code signing.
• High security applications.

HSM Users

pre crypto office user (PRECO):

• Has a default username and password.
• Used for the initcal connection to the HSM.
• It can only change it's own password and has read only HSM acccess.

Crypto Office User (CO):

• Has more permissions than PEECO
• Can perform management tasks

• Creation and deletion of users
• password changes
• Admin fuctions such as:

• Zerosise (whipe) the HSM
• Ideifity the numebr of HSM
• Optain metadata
• View the sync status.

Crpto User (CU):

• Can perform functions within the CloudHSM.

• Encryption and decryption
• Key management
• Veritiying and signing.
• Generating digests for Keyed Has Message Authentication (HMACs).

Appliance user:

• Exists on all HSM

• Used for cloding and sync actions
• Has the same permissions as a CO but cannot manage users.

Cloud HSM advantages

• Provides the highest level of control over keys.

• Tamper resistant
• May be required for compliance (EG FIPS 140-2 level 3)

• Direct control over HSM applications.

When to use KMS instead

• easy integration.
• if fine graned control is required.
• Salability is required.