Amazon CloudHSM security dubt


Hello, Basically, as I understand it, physical HSMs are managed by a team of people who have physical key to reset the HSM itself. That is, these people, let's say there are 3 of them, have 3 keys and each of them is needed to start or reset the HSM. In the cloud, however, for example with Amazon's CloudHSM, how does this happen? Why can't Amazon take the content in our CloudHSM? This team of people doesn't exist, so they still have full control of our encryption keys. Who has the CloudHSM primary key? Am I right? What am I missing?

Thank you very much

2 Answers

Main keys for HSM are established when a cluster is allocated and the customer establishes a Crypto Officer. The CloudHSM service infrastructure and no one at AWS have any access to the main key (or any keys protected by that key) because the CO credentials are known only to the customer.

Cluster management and backup are managed with an additional key which allows back up and recovery of HSM main keys and configurations without exposing keys to AWS. This is detailed in:

answered 2 years ago
  • The CO credentials are only known to the customer, but AWS may save them somewhere before they are forwarded to the HSM. No? Is this possible?


When you provision a CloudHSM cluster, there are several user types:

Precrypto Officer (PRECO) - Default administrator when you provision CloudHSM. Disappears once you create your first user.

(Primary) Crypto Officer (PCO and CO) - First user is the PCO who can then provision other COs. PCO and COs have the same permissions. They perform user management and that's all.

Crypto User (CU) - can do:

  • Key management - create, delete, share, import & export cryptographic keys
  • Cryptographic operations - use keys for encryption, decryption, signing, verifying etc.

Appliance User (AU) - can perform cloning and synchronisation operations. Cloud HSM uses the AU to synchronise the HSMs in a cluster. The AU exists on all HSMs and has limited permissions.

Setup of your cluster involves a number of steps including verifying authenticity, signing the cluster CSR (Certificate Signing Request), setting up a cluster management instance and running the HSM command-line management utility on it.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions