From your requirements, option 2/CloudHSM would be your best option.
It complies with FIPS 140-2 level 3[1].
You can import your own existing keys[2].
Exporting keys is also possible[3].
The primary roadblock you face with attempting to use a KMS Custom Key Store is that you cannot import key material into a KMS key in a Custom Key Store. KMS will instead generate the key material for the KMS key in the AWS CloudHSM cluster[4].
Primarily due to your FIPS 140-2 level 3 requirement, using CloudHSM with one of the Client SDKs[5] would be the best option.
Regarding your question about whether you can use the Encryption SDK with CloudHSM, I did come across the following section in our FAQ[6] for the Encryption SDK:
"You can use AWS KMS keys as wrapping keys in the AWS Encryption SDK, but it is not required. You can use encryption keys that you generate and those from your key manager or on-premises hardware security module. You can use the AWS Encryption SDK even if you don't have an AWS account."
From that line, it may be possible to use the Encryption SDK with CloudHSM, but I was not able to find any specific examples of this, so it may require some testing on your end.
[1] FIPS validation - https://docs.aws.amazon.com/cloudhsm/latest/userguide/fips-validation.html
[2] Using the command line to manage keys - Import keys - https://docs.aws.amazon.com/cloudhsm/latest/userguide/using-kmu.html#import-keys
[3] Using the command line to manage keys - Export keys - https://docs.aws.amazon.com/cloudhsm/latest/userguide/using-kmu.html#export-keys
[4] Managing KMS keys in a custom key store - https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html
[5] AWS CloudHSM Client SDKs - https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-hsm.html
[6] Frequently asked questions - https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/faq.html#aws-sdks
Thanks Michael. I'd like to use the AWS Encryption SDK with the keys generated out of the CloudHSM. The reasons behind this are:
Do you see any issues with this approach? I can think of one: how do I know in advance how many wrapping keys I need? Example: at the initial stage, I can have 2 regions, so I will create two wrapping keys from CloudHSM and start encrypting the plaintext. Later on, if I add another region, at that point I will not have my plaintext data encrypted with the wrapping key from that region. How can I handle this scenario if using the ESDK?