AWS CloudHSM (client v5.12.0) is a cloud-based HSM service that lets you generate and use your own encryption and signing keys inside AWS CloudHSM. The HSMs are FIPS 140-2 Level 3 validated; they perform the cryptographic operations in the AWS Cloud and provide secure storage for the cryptographic keys, so you manage your own keys without operating the hardware yourself.

AWS CloudHSM is only supported when ADSS Server is deployed on Linux.

The supported key types and mechanisms are listed in the AWS documentation:

https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-lib-supported.html


To create a new AWS CloudHSM profile, click the New button in the Crypto Source screen and select AWS CloudHSM in the Crypto Source Type drop-down. The fields shown depend on the selected client version:

For Client Version v3

For Client Version v5

The configuration items are explained below: 

Items

Description

Status

Set the status of this crypto profile. If the status is set to Inactive, the profile cannot be used to generate or read keys for signing.

Friendly Name

Specify a friendly name for this crypto profile. The name must be unique within this ADSS Server environment.

Crypto Source Vendor

Select AWS CloudHSM from these supported options:

  • Utimaco
  • Thales Luna
  • Entrust nCipher nShield
  • Azure Key Vault
  • AWS CloudHSM

Client Version

Select the AWS CloudHSM Client SDK version (v3 or v5) that ADSS Server should use. Certificates whose keys were created through this AWS CloudHSM profile are rekeyed or renewed using the selected client version.

Partition Name

Specify the name of the partition. AWS CloudHSM partitions are separate storage areas within the HSM; an HSM can contain multiple partitions, and each partition can be accessed by one or more clients using their own credentials.

The Partition Name field is only shown when 'v3' is selected in the Client Version drop-down.

User ID

Specify the User ID of the HSM user that ADSS Server uses to connect to AWS CloudHSM.

User Password

Specify the password for the User ID entered above.



The table below lists the key sizes supported by ADSS Server for AWS CloudHSM:

Key Type    Key Lengths
RSA         2048, 3072, 4096
ECDSA       P-224, P-256, P-384, P-521



Key wrapping is not supported in ADSS Server for AWS CloudHSM.

ADSS Server does not support importing keys into, or exporting keys from, AWS CloudHSM.

AWS CloudHSM is only supported when ADSS Server is deployed on Linux, because the third-party AWS CloudHSM client libraries that ADSS Server relies on are only available for Linux.

AWS CloudHSM does not support the SHA-3 family of hashing algorithms.
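The rules above (Partition Name only with client v3, the RSA and ECDSA sizes in the table, no key wrapping or import/export, no SHA-3) are easy to get wrong when a profile is filled in by hand. The following is an added example, not code from ADSS Server or AWS: a small pre-flight validator that encodes those rules so a planned profile can be checked before it is entered in the Crypto Source screen. The field names (client_version, partition_name, key_length, hash_algorithm, operations) and the sample profiles are illustrative assumptions, not ADSS Server's own configuration identifiers.

```python
"""Pre-flight checks for an ADSS Server AWS CloudHSM crypto profile.

Added example; not part of ADSS Server or AWS CloudHSM. The field names are
assumptions chosen to mirror the Crypto Source screen, not real identifiers.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Union

# Key sizes this page lists as supported by ADSS Server for AWS CloudHSM.
SUPPORTED_KEYS = {
    "RSA": {2048, 3072, 4096},
    "ECDSA": {"P-224", "P-256", "P-384", "P-521"},
}
CLIENT_VERSIONS = {"v3", "v5"}
# Operations this page states are not available through ADSS Server for CloudHSM.
UNSUPPORTED_OPERATIONS = {"key_wrap", "key_import", "key_export"}


@dataclass
class CloudHsmProfile:
    friendly_name: str
    status: str                  # "Active" or "Inactive"
    client_version: str          # "v3" or "v5"
    user_id: str
    user_password: str
    key_type: str                # "RSA" or "ECDSA"
    key_length: Union[int, str]  # RSA modulus bits, or ECDSA curve name
    hash_algorithm: str = "SHA-256"
    partition_name: Optional[str] = None      # meaningful for v3 only
    operations: Set[str] = field(default_factory=set)


def validate_profile(profile: CloudHsmProfile, existing_names=()) -> list:
    """Return the list of rule violations; an empty list means the profile
    satisfies every constraint on this page. Inactive is a valid state, so it
    is not an error here; usable_for_signing() reports it separately."""
    p = profile
    errors = []

    if not p.friendly_name:
        errors.append("Friendly Name is required")
    elif p.friendly_name in existing_names:
        errors.append(f"Friendly Name '{p.friendly_name}' is not unique in this ADSS Server environment")

    if p.status not in ("Active", "Inactive"):
        errors.append(f"Status must be Active or Inactive, got '{p.status}'")

    # Partition Name exists only for Client SDK v3; v5 has no such field.
    if p.client_version not in CLIENT_VERSIONS:
        errors.append(f"Client Version must be one of {sorted(CLIENT_VERSIONS)}")
    elif p.client_version == "v3" and not p.partition_name:
        errors.append("Partition Name is required when Client Version is v3")
    elif p.client_version == "v5" and p.partition_name:
        errors.append("Partition Name is only available for Client Version v3")

    if not p.user_id or not p.user_password:
        errors.append("User ID and User Password are both required")

    allowed = SUPPORTED_KEYS.get(p.key_type)
    if allowed is None:
        errors.append(f"Key type '{p.key_type}' is not supported; use RSA or ECDSA")
    elif p.key_length not in allowed:
        errors.append(f"{p.key_type} key length {p.key_length!r} is not supported; "
                      f"choose from {sorted(allowed, key=str)}")

    # AWS CloudHSM exposes no SHA-3 mechanisms, whatever the spelling used.
    if p.hash_algorithm.upper().replace("-", "").startswith("SHA3"):
        errors.append(f"{p.hash_algorithm} is not available: AWS CloudHSM does not support SHA-3")

    unsupported = sorted(p.operations & UNSUPPORTED_OPERATIONS)
    if unsupported:
        errors.append("not supported for AWS CloudHSM in ADSS Server: " + ", ".join(unsupported))

    return errors


def usable_for_signing(profile: CloudHsmProfile) -> bool:
    """A profile generates or reads signing keys only when valid and Active."""
    return profile.status == "Active" and not validate_profile(profile)


if __name__ == "__main__":
    # Constructed sample profiles; credentials are placeholders, not real values.
    good_v5 = CloudHsmProfile("cloudhsm-prod", "Active", "v5", "adss_cu",
                              "example-password", "ECDSA", "P-384")
    bad_v3 = CloudHsmProfile("cloudhsm-legacy", "Active", "v3", "adss_cu",
                             "example-password", "RSA", 1024,
                             hash_algorithm="SHA3-256", operations={"key_wrap"})
    for prof in (good_v5, bad_v3):
        print(prof.friendly_name, validate_profile(prof) or "OK")
```

Running the module prints "OK" for the v5 ECDSA P-384 profile and four findings for the v3 profile (missing partition, 1024-bit RSA, SHA-3, key wrapping). The validator is intentionally strict about the v3/v5 split: a partition name supplied with v5 is reported rather than silently ignored, since it usually means the wrong client version was selected.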


See also

PKCS#11 Standard

Utimaco CryptoServer CP5 HSM
Thales Luna K7 Cryptographic Module
nCipher nShield Solo XC Cryptographic Module
Azure Key Vault
AWS CloudHSM
Azure Managed HSM
MS-CAPI/CNG
Importing Existing Keys