M of N authentication for signing/encrypting operations

0

Hello,

Reading the user guides to manage keys, I see it is possible to create keys that can only be used following the M of N Access Control (e.g. in https://docs.aws.amazon.com/cloudhsm/latest/userguide/key_mgmt_util-genRSAKeyPair.html). However, it seems the generation and provision of the token with the signatures of all the users required is only done via the key management client application.

Is this correct? Is there any other possibility that does not involve the interactive console based key management client? Looking into the Java library provided I don't see any class/method to manage the keys that includes anything about the M of N Access Control.

Best,
Jordi

JordiCJ
asked 5 years ago, 411 views
4 answers
0
Accepted answer

Hi JordiCJ,

> Reading the user guides to manage keys, I see it is possible to create keys that can only be used following the M of N Access Control (e.g. in https://docs.aws.amazon.com/cloudhsm/latest/userguide/key_mgmt_util-genRSAKeyPair.html). However, it seems the generation and provision of the token with the signatures of all the users required is only done via the key management client application.

That's true, the initial configuration of a new CloudHSM Cluster must be done using the CLI tools, but it's generally only ever done once per cluster, so we don't currently provide a mechanism to do this programmatically. That said, you can certainly script the process (note the 'singleCommand' directive in the Key Management Utility) but be careful about how you manage sensitive parameters. We don't recommend this generally.

> Is this correct? Is there any other possibility that does not involve the interactive console based key management client? Looking into the Java library provided I don't see any class/method to manage the keys that includes anything about the M of N Access Control.

Unfortunately, neither the standard Java JCA interface nor the PKCS#11 standard provide a reasonable way to manage quorum (MofN) operations. While it's possible for us to provide a utility library that could offer this functionality, feedback from customers has been that managing and using MofN keys is a predominantly "human" activity, thereby making the CLI the most natural tool for it. We recognize that some more sophisticated customers may want to build quorum functionality into custom applications directly, and we are working on some great new capabilities that, among other things, would allow customers to do exactly this. Keep an eye out for future announcements!

Thanks,
the CloudHSM team

answered 5 years ago
0

Thank you for your response!

We are probably one of these sophisticated users you mentioned. In our case we really need to have a utility library to do these operations, because the users of our product need to do (and some of them observe for auditing purposes) these operations in an easy and understandable manner (both during the generation of the keys and the usage of them).

JordiCJ
answered 4 years ago
0

Thanks for writing - we want to explore your requirements in depth. Please send your contact information via a support case (you can open one through your AWS console), and we'll set up a call with you.

Sincerely,
Avni Rambhia
Product Manager, AWS CloudHSM

answered 4 years ago
0

Hello,

I am sorry to tell you that, despite having tried several times to contact customer service via a case, they do not want to send you my contact information in order to set up the call you would like to have to better understand our requirements.

Best,
Jordi.

JordiCJ
answered 4 years ago
