Is there any usage of private key after AWS Cloud HSM cluster is initialized?


Hello, this question is related to the Cloud HSM cluster initialization process and the usage of the private key once the cluster is initialized.

What is the usage of the private key which was used to sign the cluster CSR? Based on https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr, once we have signed the CSR, we have to secure the private key in secure storage (an offline HSM). If you can demonstrate that you own the key, you can also demonstrate that you own the cluster and the data it contains.

The documentation says that this private key will not be used for Cloud HSM operations except for specific purposes such as restoring from a backup; however, the cluster backup and restore process described at https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster-from-backup.html doesn't mention using the private key to restore the cluster from a backup.

I am confused here about whether the private key is used in the backup process or not. If yes, then I foresee some security challenges and concerns in connecting an offline HSM with the AWS platform to make use of the private key in a backup operation. How can I expose the previously secured private key in an offline HSM to the AWS platform?

Please clarify the usage of Cloud HSM cluster signing private key here.

Thanks
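As an added example (not part of this post and not AWS's own tooling): the customer-CA steps from the initialization guide reproduced with openssl against a locally generated stand-in CSR, followed by the checks that show what "demonstrating that you own the key" means cryptographically, namely that a signature with the key proves possession without the key ever leaving its storage. File names, certificate subjects and the challenge string are constructed; openssl is assumed to be installed.

```shell
#!/bin/sh
# Constructed example: customer CA -> sign cluster CSR -> prove ownership. Requires openssl.
set -e
WORK="${WORK:-$(mktemp -d)}"

# 1. Customer CA. customerCA.key is the private key the question asks about.
#    -nodes/no passphrase only so the example runs unattended; the real key is
#    passphrase-protected and stored offline.
make_customer_ca() {
  openssl genrsa -out "$WORK/customerCA.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3652 -key "$WORK/customerCA.key" \
    -subj "/CN=Example CloudHSM customer CA" -out "$WORK/customerCA.crt"
}

# 2. Stand-in for <cluster ID>_ClusterCsr.csr. In CloudHSM the key pair behind the
#    CSR is generated inside the HSM and never leaves it; here it is made locally.
make_stand_in_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/hsm.key" \
    -subj "/CN=constructed-cluster-csr" -out "$WORK/ClusterCsr.csr" 2>/dev/null
}

# 3. The documented signing step; the resulting certificate is what gets uploaded.
sign_cluster_csr() {
  openssl x509 -req -days 3652 -in "$WORK/ClusterCsr.csr" \
    -CA "$WORK/customerCA.crt" -CAkey "$WORK/customerCA.key" -CAcreateserial \
    -out "$WORK/CustomerHsmCertificate.crt" 2>/dev/null
}

# Ownership check A: the cluster certificate chains to the customer CA certificate.
verify_chain() {
  openssl verify -CAfile "$WORK/customerCA.crt" "$WORK/CustomerHsmCertificate.crt" >/dev/null 2>&1
}

# Ownership check B: the held private key is the one behind customerCA.crt
# (compare the public key derived from the key with the one in the certificate).
key_matches_ca_cert() {
  a=$(openssl pkey -in "$WORK/customerCA.key" -pubout 2>/dev/null | openssl sha256)
  b=$(openssl x509 -in "$WORK/customerCA.crt" -pubkey -noout | openssl sha256)
  [ "$a" = "$b" ]
}

# Ownership check C: possession is proven by signing a challenge with the key and
# verifying it against the certificate's public key; the key itself is never exported.
prove_possession() {
  printf 'constructed-challenge' > "$WORK/challenge"
  openssl dgst -sha256 -sign "$WORK/customerCA.key" -out "$WORK/challenge.sig" "$WORK/challenge"
  openssl x509 -in "$WORK/customerCA.crt" -pubkey -noout > "$WORK/ca.pub"
  openssl dgst -sha256 -verify "$WORK/ca.pub" -signature "$WORK/challenge.sig" "$WORK/challenge" >/dev/null
}
```

Check C is the pattern that lets an offline key demonstrate ownership: only a signature over a challenge crosses the boundary, never the key material.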

No answers
