Cloud HSM: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary |
|||
| (3 intermediate revisions by the same user not shown) | |||
| Line 30: | Line 30: | ||
* Managed by AWS. | * Managed by AWS. | ||
* Integrates with AWS services. | * Integrates with AWS services. | ||
= Cloud HSM Use cases = | = Cloud HSM Use cases = | ||
| Line 38: | Line 40: | ||
* Code signing. | * Code signing. | ||
* High security applications. | * High security applications. | ||
= HSM Users = | |||
pre crypto office user (PRECO): | |||
* Has a default username and password. | |||
* Used for the initcal connection to the HSM. | |||
* It can only change it's own password and has read only HSM acccess. | |||
Crypto Office User (CO): | |||
* Has more permissions than PEECO | |||
* Can perform management tasks | |||
:* Creation and deletion of users | |||
:* password changes | |||
:* Admin fuctions such as: | |||
::*Zerosise (whipe) the HSM | |||
::*Ideifity the numebr of HSM | |||
::*Optain metadata | |||
::*View the sync status. | |||
Crpto User (CU): | |||
* Can perform functions within the CloudHSM. | |||
:* Encryption and decryption | |||
:* Key management | |||
:* Veritiying and signing. | |||
:* Generating digests for Keyed Has Message Authentication (HMACs). | |||
Appliance user: | |||
* Exists on all HSM | |||
:* Used for cloding and sync actions | |||
:* Has the same permissions as a CO but cannot manage users. | |||
=Cloud HSM advantages= | |||
* Provides the highest level of control over keys. | |||
:* Tamper resistant | |||
:* May be required for compliance (EG FIPS 140-2 level 3) | |||
* Direct control over HSM applications. | |||
=When to use KMS instead= | |||
* easy integration. | |||
* if fine graned control is required. | |||
* Salability is required. | |||
Latest revision as of 02:03, 9 June 2025
Overview
- This is a managed services for data encryption.
- HSM = Hardware Security Module [1]
- Validated to FIPS 140-2 Level 3
- Generate encryption keys
A cloud HSM is a custom keystore.
- Allows the storage of keys outside the KMS in side the CloudHSM cluster.
- Useful if the key material cannot be stored in a shared environment.
Cloud HSM is deployed as a cluster:
- The default size is 6 per account per region.
- Cloud HSM manages key synchronizations for you.
Cloud HSM features
- High availability.
- Load balancing.
- Replication.
- Scaling.
- Managed by AWS.
- Integrates with AWS services.
Cloud HSM Use cases
- Key management in tamper resistant hardware.
- Curtail in PKI systems.
- Digital rights management - copyright laws.
- Code signing.
- High security applications.
HSM Users
pre crypto office user (PRECO):
- Has a default username and password.
- Used for the initcal connection to the HSM.
- It can only change it's own password and has read only HSM acccess.
Crypto Office User (CO):
- Has more permissions than PEECO
- Can perform management tasks
- Creation and deletion of users
- password changes
- Admin fuctions such as:
- Zerosise (whipe) the HSM
- Ideifity the numebr of HSM
- Optain metadata
- View the sync status.
Crpto User (CU):
- Can perform functions within the CloudHSM.
- Encryption and decryption
- Key management
- Veritiying and signing.
- Generating digests for Keyed Has Message Authentication (HMACs).
Appliance user:
- Exists on all HSM
- Used for cloding and sync actions
- Has the same permissions as a CO but cannot manage users.
Cloud HSM advantages
- Provides the highest level of control over keys.
- Tamper resistant
- May be required for compliance (EG FIPS 140-2 level 3)
- Direct control over HSM applications.
When to use KMS instead
- easy integration.
- if fine graned control is required.
- Salability is required.
