Usage of private key after cluster initialization

0

Hello,

What is the use of the private key used to sign the cluster CSR? The user guide https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html says:
If you can demonstrate that you own the key, you can also demonstrate that you own the cluster and the data it contains.
To sign into your AWS CloudHSM instance, the certificate must be present, but the private key does not. You use the key only for specific purposes such as restoring from a backup.

but https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster-from-backup.html doesn't mention using the private key to restore the cluster from a backup.

I am a little confused by the wording here, so what does restoring from a backup mean?

Thanks

Edited by: r3motecontrol on Oct 28, 2019 6:54 PM

asked 4 years ago · 333 views
2 Answers
0

The guidance for securing the cluster signing key pertains to backups downloaded to a FIPS-validated on-premises HSM or token in your possession. This is a capability of the HSM which we have not yet released, but may in the future.

The backups we take today are not customer-downloadable backups. They can only be restored to authentic HSMs in the AWS cloud, in your account. You do not need to provide your cluster private key to authenticate these restores. A detailed description of encryption and restore of service-managed CloudHSM backups is at https://d1.awsstatic.com/whitepapers/Security/security-of-aws-cloudhsm-backups.pdf.

answered 4 years ago
0

The private key is only needed when signing the certificate request (CSR) from the CloudHSM. Then you only need the public key to validate the certificate.

This scheme allows the client to check that it connects to the actual HSM and not an unauthorized intermediate (man-in-the-middle).

To some extent, the private key is not needed anymore.

AWS
answered a year ago
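The scheme the answer above describes (and that the user guide quoted in the question refers to) can be exercised end to end with openssl. The script below is an added example, not code from the original post or from AWS: it follows the openssl steps on the initialize-cluster page, but the "cluster" CSR is a stand-in key pair generated locally (the real `<cluster ID>_ClusterCsr.csr` is the one you download from the cluster), the CA key is generated without the `-aes256` passphrase so the script runs unattended, and openssl is assumed to be installed. The point it shows: the CA private key is touched exactly once, in `sign_cluster_csr`; after that the key can be deleted and the cluster certificate still verifies against `customerCA.crt` alone, while an unrelated CA cannot vouch for it.

```shell
#!/bin/sh
# Added example (not from the original post or from AWS): a customer CA signs a
# cluster CSR once with its private key; every later check of the resulting
# certificate needs only the CA certificate.
# Assumptions: openssl is installed; the "cluster" CSR is a stand-in key pair
# constructed here, not the real <cluster ID>_ClusterCsr.csr from the HSM.
set -eu

# Sign a CSR with the customer CA. This is the only step that needs customerCA.key.
sign_cluster_csr() {
    openssl x509 -req -days 3652 -in "$1" -CA customerCA.crt -CAkey customerCA.key \
        -CAcreateserial -out "$2" >/dev/null 2>&1
}

# Check that a certificate chains to a CA certificate. No private key involved.
verify_cluster_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The walk-through, run inside a scratch directory. Returns 0 on success.
demo_steps() {
    # 1. Customer CA key pair (the user guide does this with -aes256 and keeps the key offline).
    openssl genrsa -out customerCA.key 2048 >/dev/null 2>&1 || return 1
    openssl req -new -x509 -days 3652 -key customerCA.key \
        -subj "/CN=Example customer CA" -out customerCA.crt >/dev/null 2>&1 || return 1

    # 2. Stand-in for the HSM-generated CSR (constructed here; the real one is downloaded from the cluster).
    openssl genrsa -out stand_in_hsm.key 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key stand_in_hsm.key -subj "/CN=stand-in-cluster" \
        -out stand_in_ClusterCsr.csr >/dev/null 2>&1 || return 1

    # 3. Sign the CSR: the one and only use of the CA private key.
    sign_cluster_csr stand_in_ClusterCsr.csr stand_in_CustomerHsmCertificate.crt || return 1

    # 4. Delete the CA private key; the certificate must still verify against customerCA.crt alone.
    rm -f customerCA.key
    verify_cluster_cert customerCA.crt stand_in_CustomerHsmCertificate.crt || return 1

    # 5. An unrelated CA must NOT be able to vouch for the certificate: this is what
    #    binds the cluster certificate to whoever holds the signing key.
    openssl genrsa -out otherCA.key 2048 >/dev/null 2>&1 || return 1
    openssl req -new -x509 -days 30 -key otherCA.key -subj "/CN=Unrelated CA" \
        -out otherCA.crt >/dev/null 2>&1 || return 1
    if verify_cluster_cert otherCA.crt stand_in_CustomerHsmCertificate.crt; then
        return 1
    fi
    return 0
}

# Runs the walk-through in a temporary directory and prints "ok" when every step holds.
run_demo() {
    work="$(mktemp -d)"
    if (cd "$work" && demo_steps); then
        rm -rf "$work"
        echo ok
    else
        rm -rf "$work"
        return 1
    fi
}

run_demo
```

Step 4 is the whole argument of the answer: once `customerCA.key` is gone, `openssl verify -CAfile customerCA.crt ...` still succeeds, so a client holding only the CA certificate can check that it is talking to an HSM whose certificate was issued by the cluster owner. Step 5 is the converse that makes the check meaningful.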
