AWS CloudHSM - prevent extraction of key material through JCE


Recently our team started looking into AWS CloudHSM to handle a custom workload where for regulatory reasons we need to ensure we meet all FIPS 140-2 level 3 requirements.

We have been very successfully using KMS with our AWS services and regularly report in our audits and findings that a key feature of KMS is that the key material never leaves the KMS backing store. As a result we were surprised to learn that AWS CloudHSM allows extraction of the key material via API calls from the JCE Provider (we’re a mostly Java shop). Is there a way to ensure that developers don’t write code to extract raw key material from the HSM?

asked 10 days ago, 41 views
1 Answer

Accepted Answer

In order to extract the cleartext key material for a private key, two key attributes must be set by the key owner: EXTRACTABLE = true and WRAP_WITH_TRUSTED = false. Note that the key owner (the CU who created the key) sets these values at creation and is the only one who can modify them. Users that the key has been shared with cannot change these attributes. Therefore only the CU who created (and therefore owns) the key can ensure that the material is not exported.

answered 10 days ago
reviewed 10 days ago
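One way to enforce the attributes the answer describes at key-creation time from Java, as an added example that is not code from the original post or from AWS. It assumes the CloudHSM JCE provider SDK 5 classes (CloudHsmProvider, KeyAttribute, KeyAttributesMap, KeyPairAttributesMap and their builder-style withPublic/withPrivate calls) as documented for that SDK, a process already logged in to the cluster as the CU that will own the key, and a hypothetical guardrail helper requireNonExportable that is not part of the SDK:

```java
import com.amazonaws.cloudhsm.jce.provider.CloudHsmProvider;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyAttribute;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyAttributesMap;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyPairAttributesMap;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;

public class NonExportableRsaKey {

    // Guardrail (hypothetical helper, not part of the CloudHSM SDK): refuse any
    // private-key attribute set that would still permit cleartext export.
    static void requireNonExportable(KeyAttributesMap privateAttrs) {
        boolean extractable = Boolean.TRUE.equals(privateAttrs.get(KeyAttribute.EXTRACTABLE));
        boolean wrapTrusted = Boolean.TRUE.equals(privateAttrs.get(KeyAttribute.WRAP_WITH_TRUSTED));
        if (extractable || !wrapTrusted) {
            throw new IllegalArgumentException(
                "private key must be created with EXTRACTABLE=false and WRAP_WITH_TRUSTED=true");
        }
    }

    public static KeyPair generate(String label) throws Exception {
        if (Security.getProvider(CloudHsmProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new CloudHsmProvider());
        }

        KeyAttributesMap publicAttrs = new KeyAttributesMap();
        publicAttrs.put(KeyAttribute.LABEL, label + ":public");
        publicAttrs.put(KeyAttribute.MODULUS_BITS, 2048);
        publicAttrs.put(KeyAttribute.PUBLIC_EXPONENT, BigInteger.valueOf(65537).toByteArray());

        KeyAttributesMap privateAttrs = new KeyAttributesMap();
        privateAttrs.put(KeyAttribute.LABEL, label + ":private");
        privateAttrs.put(KeyAttribute.TOKEN, true);             // persist the key in the HSM
        privateAttrs.put(KeyAttribute.EXTRACTABLE, false);      // cleartext never leaves the HSM
        privateAttrs.put(KeyAttribute.WRAP_WITH_TRUSTED, true); // wrapping only under a TRUSTED key
        requireNonExportable(privateAttrs);                     // fail closed if someone relaxes the above

        KeyPairAttributesMap spec = new KeyPairAttributesMap();
        spec.withPublic(publicAttrs).withPrivate(privateAttrs);

        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA", CloudHsmProvider.PROVIDER_NAME);
        gen.initialize(spec);
        return gen.generateKeyPair();
    }
}
```

Because only the owning CU can later change EXTRACTABLE and WRAP_WITH_TRUSTED, routing all private-key creation through a path like this (and keeping that CU's credentials out of developers' hands) is the control the answer points to.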
