Why Java examples for JCE SDK5 generate KeyPair to encrypt data?

My understanding is, Private Key should never leave HSM cluster. HSM-Client should pass key-handle, Mechanism and payload to the HSM-Server and HSM-Server should encrypt or sign the payload and give it back to the HSM-Client. But the examples in the official documentation generates KeyPair and use actual PrivateKey to encrypt. Please let me know if my understanding is correct and point me to some Java example where encryption and signing happens on HSM-Server and not on HSM-Client

Topics

Security, Identity, & Compliance

Relevant content

Having trouble getting the Java Example Consumer to work / understanding Kinesis Data Streams concepts
rePost-User-8311018
asked 2 years ago
Is there any usage of private key after AWS Cloud HSM cluster is initialized?
kp
asked 2 years ago
Couldn't see the PKCS#11 .so file to access AWS Cloud HSM (Client SDK5) using Java
WK
asked a year ago
[CloudHSM][JCE provider] Migration from SDK3 to SDK5, load via key handle
rePost-User-3668023
asked a year ago
How do I encrypt my Amazon Redshift cluster?
AWS OFFICIALUpdated a year ago
Why can't I generate a kubeconfig file for my Amazon EKS cluster?
AWS OFFICIALUpdated 3 months ago
How do I use OpenSSL and the key_mgmt_util command line tool to securely transfer my keys to CloudHSM?
AWS OFFICIALUpdated 3 months ago
Should I use an AWS KMS managed key or a customer managed KMS key to encrypt my objects on Amazon S3?
AWS OFFICIALUpdated 2 years ago
Cloud Product Leaders should get to know OCSF (and the product strategy pattern behind it).
EXPERT
Jeffrey Hammond
published 2 years ago
Bringing Generative AI to the data warehouse with Amazon Bedrock and Amazon Redshift
EXPERT
Rick Fraser
published 2 months ago