Browse through the questions and answers listed below or filter and sort to narrow down your results.
Is there any usage of private key after AWS Cloud HSM cluster is initialized?
Hello, This question is related to Cloud HSM cluster initialization process and usage of the private key once cluster is initialized. What is the usage of the private key which was used to the sign the cluster CSR ? Based on https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr, once we signed the CSR, we have to secure the private key to the secure storage (offline HSM). If you can demonstrate that you own the key, you can also demonstrate that you own the cluster and the data it contains. Documentation says that this private key will not be used for Cloud HSM operations except only for specific purposes such as restoring from a backup however Cluster Backup and Restore process mentioned on https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster-from-backup.html doesn't mention the usage of private key to restore the cluster from a backup. I am confused here if the private key has been used in the backup process or not? If yes, then I foresee some security challenges and concerns to connect offline HSM with AWS platform to make usage of the private key in a back up operation? How can I expose the previously secured private key in a offline HSM to the AWS platform? Please clarify the usage of Cloud HSM cluster signing private key here. Thanks
CloudHSM Key Hierarchy
In simple terms, what is the key hierarchy in CloudHSM for actually encrypting data. I found this very easily for AWS KMS...... Domain Key > HBK/KMS Key > Data encryption Key (with exportable key tokens in the mix). I can find no similar explanation in the literature for CloudHSM. I have gone through blogs, user guide, FAQs etc. What's the top key and how does it work it's way down in the envelope process from there. If this can be found in a link it would be great if someone could pass it along. I have been looking for quite some time. Thanks.
RSA 4096 Private Key Import to HSM using key_mgmt_util
Using Amazon Linux 2 HSM client with a working HSM cluster I am having trouble using this command: ``` importPrivateKey -f rsa4096.key -l triactaRootCAPrivateKey -w 1835014 Enter PEM pass phrase: failed to read private key from file ``` I am able to verify this key with openssl that the **passphrase is correct**. What am I potentially doing wrong? Are there logs or other way to find out more about this error message.
Using CloudHSM with Authenticode cert from VPN-connected desktop not EC2?
DigiCert is dropping support for older code signing using a local PEM file: "Starting on November 15, 2022, at 00:00 UTC, industry standards will require private keys for OV code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent." This explains how to use CloudHSM with a Windows Server EC2 instance - https://aws.amazon.com/blogs/security/signing-executables-with-hsm-backed-certificates-using-multiple-windows-instances/ But what about our developers who need to use SignTool and InstallShield for code-signing on their local desktops? Can they connect to the CloudHSM cluster using a VPN into a VPC? Would they use AWS KMS? A follow up blog or any pointers would be very helpful
AWS Cloud HSM: Client SDK 5: Isn't SDK 5 supports RSA Wrap and Unwrap?
Hello community, I am looking for Cloud HSM JCE based HSM connection. One of my requirements is to generate Plain AES key and Wrap it with RSA key. This is to implement something similar to what is called "Envelope Encryption" - https://www.google.com/search?q=envelope+encryption&rlz=1C5GCEM_enUS984US984&oq=envelope+en&aqs=chrome.2.69i57j35i39j0i512j0i20i263i512j0i512l3j69i60.21307j0j4&sourceid=chrome&ie=UTF-8. What I am founding is that RSA wrap Unwrap code samples presents in SDK 3 code - https://github.com/aws-samples/aws-cloudhsm-jce-examples/blob/master/src/main/java/com/amazonaws/cloudhsm/examples/RSAWrappingRunner.java. HOWEVER THIS IS NOT PRESENT IN SDK 5 code. Does that mean SDK 5 does not support AES RSA WRAP UNWRAP. I have tried running this with SDK 5 and getting "UNSUPPORTED OPERATION EXCEPTION" which strengthen my doubt. PLEASE CONFIRM. If this is true, then when it be supported? I want to use latest SDK provided that it can have more fixes on top of what SDK 3 already has.
Cloudhsm mgmt util - partition owner certificate error
I am testing out the cloudhsm and setting it up on a EC2 Win2019 server. I get the following error when I run the cloudhsm mgmt util to connect the server to the cloud HSM: ``` PS C:\Program Files\Amazon\CloudHSM> .\cloudhsm_mgmt_util.exe C:\ProgramData\Amazon\CloudHSM\data\cloudhsm_mgmt_util.cfg Ignoring E2E enable flag in the configuration file Connecting to the server(s), it may take time depending on the server(s) load, please wait... Connecting to server '172.xx.xx.xx': hostname '172.xx.xx.xx', port 2225... Connected to server '172.xx.xx.xx': hostname '172.xx.xx.xx', port 2225. C:\ProgramData\Amazon\CloudHSM\customerCA.crt, partition owner certificate not exist at given path Server 0(172.xx.xx.xx) is in unencrypted mode now... running in limited commands mode Error: partition owner certificate doesn't exist at given path. Failed to create client ssl ctx E2E Session failed: E2E setup failed Enabling E2E failed aws-cloudhsm>quit disconnecting from servers, please wait... PS C:\Program Files\Amazon\CloudHSM> ls Directory: C:\Program Files\Amazon\CloudHSM Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 6/2/2022 2:17 PM tools -a---- 12/30/2021 8:47 PM 18019 client_info -a---- 12/30/2021 9:18 PM 5475875 client_info.exe -a---- 12/30/2021 9:16 PM 2680320 cloudhsm_client.exe -a---- 12/30/2021 8:47 PM 24373 CLOUDHSM_LICENSE -a---- 12/30/2021 9:16 PM 2541056 cloudhsm_mgmt_util.exe -a---- 12/30/2021 9:16 PM 10240 cng_config.exe -a---- 12/30/2021 9:17 PM 5489038 configure.exe -a---- 6/2/2022 2:18 PM 1416 CustomerCA.crt -a---- 12/30/2021 9:17 PM 188416 import_key.exe -a---- 12/30/2021 9:17 PM 1641472 key_mgmt_util.exe -a---- 12/30/2021 9:16 PM 10240 ksp_config.exe -a---- 12/30/2021 9:17 PM 1417216 pkpspeed_blocking.exe PS C:\Program Files\Amazon\CloudHSM> ``` I have copied as per the manual the self signed root ca I created to sign the HSM cluster when initializing.. not sure what this partition certificate error is.
How do AWS services access/authenticate/authorize to CloudHSM?
Are AWS services assigned IAM roles that allow them to access the CloudHSM API....and then use the CloudHSM client Crypto User account to complete their task encrypt/decrypt task? If no, how does an AWS service access CloudHSM? If unlike, AWS KMS, lots of services do not integrate with CloudHSM, how do they use it? Or, do only a few services use CloudHSM while the ones that integrate with Cloud KMS go that route? Is anyone aware of list of services that integrate with CloudHSM? I've been researching this for two days.
Why Java examples for JCE SDK5 generate KeyPair to encrypt data?
My understanding is, Private Key should never leave HSM cluster. HSM-Client should pass key-handle, Mechanism and payload to the HSM-Server and HSM-Server should encrypt or sign the payload and give it back to the HSM-Client. But the [examples in the official documentation](https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-samples_5.html) generates KeyPair and use actual PrivateKey to encrypt. Please let me know if my understanding is correct and point me to some **Java example** where encryption and signing happens on HSM-Server and not on HSM-Client
Amazon CloudHSM security dubt
Hello, Basically, as I understand it, physical HSMs are managed by a team of people who have physical key to reset the HSM itself. That is, these people, let's say there are 3 of them, have 3 keys and each of them is needed to start or reset the HSM. In the cloud, however, for example with Amazon's CloudHSM, how does this happen? Why can't Amazon take the content in our CloudHSM? This team of people doesn't exist, so they still have full control of our encryption keys. Who has the CloudHSM primary key? Am I right? What am I missing? Thank you very much
Application side data protection with FIPS 140-2 Level 3 : what to use out of Encryption SDK, KMS or Cloud HSM?
Hello there, I do have a requirement in my application to encrypt and decrypt data using a symmetric key algorithm (mostly AES/CBC/PKCS5Padding). CONSTRAINT and Requirements are 1. I need to use FIPS 140-2 Level 3 compliant key storage solution 2. This is an existing encrypted data and hence I should be able to import my existing keys (plain keys) to whatever solution I use. 3. Even in the future, keys should be open for EXPORT so that encrypted data with this new solution WILL NOT require another re-encryption with new keys. Keeping the above points in mind, I came across below solutions so far and need guidance and help if someone finds that not a good solution or it will break any of the above requirements I listed. 1. I can use AWS Encryption SDK with AWS KMS using a custom key store where the custom key store would be my own Cloud HSM. 2. I can directly use Cloud HSM by leveraging standard Cloud HSM integration using Cloud HSM JCE provider and client SDK. 3. I can AWS KMS with KMS API with a custom key store where the custom key store would be my own Cloud HSM. I knew #2 will work without breaking any of my requirement and compliance list but I want to see if I can use Encryption SDK and/or KMS for my use case as I can get help of SDK to choose best industry practices to write cryptography code instead of I write whole code (in case of Cloud HSM integration) but below points will stop me. 1. Custom key stores can not work with imported keys so it will break my requirement #2. 2. I can use AWS Encryption SDK with KMS but as import does not work for custom key stores, it's not usable any more. Can I use AWS Encryption SDK somehow to help me with data encryption directly with Cloud HSM? 3. Data enveloper protection (by AWS Encryption SDK) is really more secure for symmetric key encryption. If I use that today and later want to move to Cloud HSM, will it break the decryption flow? Any suggestion/experience learning/insights or architectural direction is greatly appreciated.
CloudHSM Cavium integration fails with exception during two-way SSL handshake (client-side) in a Java based Lambda
Hi, I am trying to use Cavium in a Java application for two-way SSL handshake. My application is the client application. However when the application runs, the client handshake fails with the following exception: 2022-02-21T18:30:39.152Z java.lang.RuntimeException: com.cavium.cfm2.CFM2Exception: A call to the API getRSAPrivateKeyComponents for size failed with error code ffffffff : Error: new error from underlying FW/SW, might need to upgrade to new SW to decode 2022-02-21T18:30:39.152Z at com.cavium.key.CaviumRSAPrivateKey.populateKeyComponents(CaviumRSAPrivateKey.java:154) 2022-02-21T18:30:39.152Z at com.cavium.key.CaviumRSAPrivateKey.getPrimeP(CaviumRSAPrivateKey.java:82) 2022-02-21T18:30:39.152Z at sun.security.rsa.RSACore.crtCrypt(RSACore.java:168) 2022-02-21T18:30:39.152Z at sun.security.rsa.RSACore.rsa(RSACore.java:122) 2022-02-21T18:30:39.152Z at sun.security.rsa.RSAPSSSignature.engineSign(RSAPSSSignature.java:371) 2022-02-21T18:30:39.152Z at java.security.Signature$Delegate.engineSign(Signature.java:1382) 2022-02-21T18:30:39.152Z at java.security.Signature.sign(Signature.java:698) 2022-02-21T18:30:39.152Z at sun.security.ssl.CertificateVerify$T12CertificateVerifyMessage.<init>(CertificateVerify.java:608) 2022-02-21T18:30:39.152Z at sun.security.ssl.CertificateVerify$T12CertificateVerifyProducer.produce(CertificateVerify.java:760) 2022-02-21T18:30:39.152Z at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421) 2022-02-21T18:30:39.152Z at sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182) 2022-02-21T18:30:39.152Z at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) 2022-02-21T18:30:39.152Z at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) 2022-02-21T18:30:39.152Z at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) 2022-02-21T18:30:39.152Z at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) The application adds CaviumProvder at start-up: Security.addProvider(new com.cavium.provider.CaviumProvider()); My client application also attempts to sign a message using "NONEwithRSA" at the start of the application and successfully verifies the signing using the same key alias. I have also verified that the user my application is using to authenticate towards CloudHSM is of type CU (Crypto User). The CloudHSM jar file is cloudhsm-3.1.0.jar. Please help.
CloudHSMv2 Force "TLS client-server mutual authentication" or disable default key on HSM
I am assuming that when you follow the steps to use "TLS client-server mutual authentication," the default key can still be used. * Is it possible to **only** allow "TLS client-server mutual authentication" connections to an HSM? * In other words, can we disable connections where the client uses the default ssl key? * Is there any difference in authorization between a session on a "TLS client-server mutual authentication" ssl connection and a session on a default key ssl connection? * If not, why would someone bother to use a trust-anchor-signed ssl key if anyone can make an equally authorized session with the default key? Background: > https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started-ssl.html > AWS CloudHSM uses an SSL certificate to establish a connection to an HSM. A **default** key and SSL certificate are included when you install the client. You can, however, create and use your own. Note that you will need the self–signed certificate (customerCA.crt) that you created when you initialized your cluster. > ... > To use a custom certificate and key for **TLS client-server mutual authentication** with Client SDK 5 on Linux