Cloud HSM

  • Uses keys, not passwords
  • Stands for Hardware Security Module
  • Provides a tamper-resistant environment for managing keys
  • It's a dedicated hardware security module
  • You manage your own keys, so there is no native integration with AWS managed services (unlike KMS)
  • Once a key is lost, there is no way to retrieve it
  • CloudHSM is validated to FIPS 140-2 Level 3
  • KMS is validated to FIPS 140-2 Level 2
  • AWS managed service
  • Runs within your VPC
  • Single-tenant, dedicated hardware, multi-AZ cluster
  • Uses industry-standard APIs:
      • PKCS#11
      • Java Cryptography Extensions (JCE)
      • Microsoft CryptoNG (CNG)
  • Required when:
      • You need complete control over keys, including the underlying hardware, and must manage the key lifecycle yourself
      • Strict regulatory compliance is needed
      • FIPS 140-2 Level 3 compliance is needed
  • To keep CloudHSM backups in a secure and durable way:
      • An Ephemeral Backup Key (EBK) encrypts the backup data
      • A Persistent Backup Key (PBK) encrypts the EBK
      • The encrypted backup is saved to S3