- Newest
- Most votes
- Most comments
Main keys for HSM are established when a cluster is allocated and the customer establishes a Crypto Officer. The CloudHSM service infrastructure and no one at AWS have any access to the main key (or any keys protected by that key) because the CO credentials are known only to the customer.
Cluster management and backup are managed with an additional key which allows back up and recovery of HSM main keys and configurations without exposing keys to AWS. This is detailed in: https://docs.aws.amazon.com/cloudhsm/latest/userguide/backups.html
When you provision a CloudHSM cluster, there are several user types:
Precrypto Officer (PRECO) - Default administrator when you provision CloudHSM. Disappears once you create your first user.
(Primary) Crypto Officer (PCO and CO) - First user is the PCO who can then provision other COs. PCO and COs have the same permissions. They perform user management and that's all.
Crypto User (CU) - can do:
- Key management - create, delete, share, import & export cryptographic keys
- Cryptographic operations - use keys for encryption, decryption, signing, verifying etc.
Appliance User (AU) - can perform cloning and synchronisation operations. Cloud HSM uses the AU to synchronise the HSMs in a cluster. The AU exists on all HSMs and has limited permissions.
Setup of your cluster involves a number of steps including verifying authenticity, signing the cluster CSR (Certificate Signing Request), setting up a cluster management instance and running the HSM command-line management utility on it.
Relevant content
- asked 2 years ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 12 days ago
- AWS OFFICIALUpdated 5 months ago
The CO credentials are only known to the customer, but AWS may save them somewhere before they are forwarded to the HSM. No? Is this possible?