AWS CloudHSM
AWS CloudHSM 5.12.0 is a cloud-based HSM service that enables you to easily generate and use your own encryption and signing keys on the AWS CloudHSM. With AWS CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. AWS CloudHSM provides hardware security modules in the AWS Cloud that performs cryptographic operations and provides secure storage for cryptographic keys.
The AWS CloudHSM is only supported on ADSS Server deployed on Linux systems.
|
|
The details of supported key types and mechanism are available here: https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-lib-supported.html. |
To generate a new AWS CloudHSM profile press the New button in the Crypto Source Screen and select AWS CloudHSM in Crypto Source Type drop down:
For Client Version v3
The below screen shows the Profile Identification details for the crypto source:
Once done, the below screen will display the Profile Setting details for client version v3:
For Client Version v5
The below screen displays the Profile Setting details for client version v5:
The configuration items are explained below:
|
Items |
Description |
|
Status |
Set the status of this Crypto Profile. If the status is set to Inactive then it cannot be used to generate or read the keys for singing purposes. |
|
Friendly Name |
Specify a friendly name for this service. The name should be unique within this ADSS Server environment. |
|
Crypto Source Vendor |
Select AWS CloudHSM from these supported options:
|
|
Client Version |
This drop-down field enables the user to select the Client SDK version for AWS CloudHSM. Certificates created through AWS CloudHSM will be rekeyed or renewed based on the selected client version. |
|
Partition Name |
Specify the Name of the partition. AWS CloudHSM Partitions are the specified storage areas that reside within the AWS CloudHSM. The AWS CloudHSM can contain multiple HSM partitions, and each partition can be connected to one or more Clients through their credentials. |
|
User ID |
Specify the User ID that needs to connect with AWS CloudHSM. |
|
User Password |
Specify the password for the connecting user as per the above entered User ID. |
The table below displays the key sizes supported by the ADSS Server for AWS CloudHSM:
|
Key Types |
Key Lengths |
|
RSA |
2048 |
|
3072 |
|
|
4096 |
|
|
ECDSA |
P-224 |
|
P-256 |
|
|
P-384 |
|
|
P-521 |
|
|
Key Wrapping is not supported in ADSS Server for AWS CloudHSM. |
|
|
There is no import/export key mechanism supported in ADSS Server from AWS CloudHSM. |
|
|
AWS CloudHSM is only supported when using ADSS Server deployed on Linux operating systems. This is due to the reliance on third party AWS CloudHSM libraries, that are only available on Linux platforms. |
See also
Utimaco CryptoServer CP5 HSM
Thales Luna K7 Cryptographic Module
nCipher nShield Solo XC Cryptographic Module
Azure Key Vault
AWS CloudHSM