Key Management in AWS: Exploring CloudHSM

niteshthapliyal

Nitesh Thapliyal

Posted on January 11, 2024

Key Management in AWS: Exploring CloudHSM

In the ever-evolving landscape of cloud computing, securing sensitive data is paramount. As organizations increasingly migrate their workloads to the cloud, effective key management becomes a critical aspect of their overall security strategy. AWS, as a leading cloud services provider, offers two prominent solutions for key management: AWS CloudHSM and AWS Key Management Service (KMS).

In this blog we will explore CloudHSM

Before we deep dive into services, we should first understand about Cryptography

Cryptography

Cryptography is the practice of techniques for securing communication and data from adversaries. It involves the use of mathematical algorithms to transform information into a format that is unintelligible to unauthorized users, ensuring confidentiality, integrity, authentication, and non-repudiation

Key management is one of the concepts used in Key management is one of the concepts used in Cryptography

Key management

Key management refers to the process of generating, storing, distributing, and disposing of cryptographic keys in a secure and organized manner. Cryptographic keys are essential components in the field of cryptography, used to encrypt and decrypt information, authenticate users, and ensure the integrity of data.

The cryptographic keys are fundamental to ensuring the security of communication, protecting sensitive data, and maintaining the integrity of information. There are different types of cryptographic keys, and their roles can be broadly categorized into two main types: symmetric keys and asymmetric keys.

Symmetric Key Encryption

Symmetric-key cryptography is a term used for cryptographic algorithms that use the same key for encryption and for decryption.

The commonly used algorithms that are used for symmetric key encryption are:

  • AES (Advanced Encryption Standard)
  • DES (Data Encryption Standard)

SymmetricKey

(Source: The SSL Store)

Asymmetric Key Encryption / Public key Encryption

It is a cryptographic system in which keys come in pairs. The transformation performed by one of the keys can only be undone with the other key. One key (the private key) is kept secret while the other is made public.

The commonly used algorithms that are used for asymmetric key encryption are:

  • RSA(Rivest–Shamir–Adleman)

  • DSA (Digital Signature Algorithm)

AsymmetricKey

(Source: appViewX)

If we store the cryptographic keys in our system it can be a security issue therefore the Hardware Security Modules (HSMs) are used for storing cryptographic keys due to their specialized design and features that enhance the security and protection of sensitive key material.

Hardware Security Module(HSM)

A Hardware Security Module is a specialized, highly trusted physical device that performs all major cryptographic operations, including encryption, decryption, authentication, key management, key exchange, and more. HSMs are specialized security devices, with the sole objective of hiding and protecting cryptographic materials

Types of HSMs

There are two main types of Hardware Security Module:

  • General Purpose

General Purpose HSMs can utilize the most common encryption algorithms and are primarily used with Public Key Infrastructures, cryptowallets, and other basic sensitive data.

  • Payment and Transaction

These types of HSM are created with the protection of payment card information and other types of sensitive transaction information. These types of Hardware Security modules are narrower in the types of organizations they can work within, but they are ideal to help comply with Payment Card Industry Data Security Standards (PCI DSS).

The main reason to use HSMs is that it is Tamper-resistant, tamper-evident, and tamper-proof systems to provide extremely secure physical systems.

HSM

(Source: cpl.thalesgroup.com)

We need our key to keep somewhere and manage somewhere and most of the industry uses HSM but it can be very costly to use, to overcome this problem AWS launched a service called CloudHSM where you can use a pay-as-you-go model, allowing you to pay for the resources you consume. This can be cost-effective for organizations with dynamic or unpredictable workloads.

CloudHSM

AWS CloudHSM provides cloud-based hardware security modules (HSMs) for generating and using your own encryption keys in the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs and integrate with your applications using industry-standard APIs.For more detail

cloudHSM

*Let's create a CloudHSM cluster: *

  • Go to aws CloudHSM service and click on create cluster

createCluster

  • Select the VPC and Availability zones based on how many devices you want and then click next

cluster2

  • Add the backup retention period

After this time period, the cluster backup will be deleted

time

  • Click on Create cluster

clickCluster

After a few minutes cluster will be created

cluster created

Here you can see that the cluster is uninitialized which means we need to add HSM appliance to it

  • Click on the cluster and then click on Initialize

initialize

  • select the AZ to create the HSM and click on create

hsm

Now you can see one HSM is added to the cluster

added

  • Now download the Certificate signing request

sign

Download the CSR and sign it.

To sign the CSR follow the steps:

  • Generate the Private key

Use the command openssl genrsa -aes256 -out customerCA.key 2048 to generate the private key

Note Remember the pass phrase it will be use in next step

  • To sign the CSR use the command

openssl req -new -x509 -days 3652 -key customerCA.key -out customerCA.crt

Here customerCA.crt is a certificate that you downloaded

fill the details to sign the certificate

certificate

  • Sign in the cluster CSR

use the following command :

openssl x509 -req -days 3652 -in <cluster ID>_ClusterCsr.csr \
-CA customerCA.crt \
-CAkey customerCA.key \
-CAcreateserial \
-out <cluster ID>_CustomerHsmCertificate.crt

  • Now upload the certificates

Image description

*Note: * The cluster certificate will be the one with cluster id

Now you can see that your cluster is initiated

clusterInitiated

  • Now set the password for the cluster and activate it

use the following aws documentation to activate cluster

After following the above doc you will see that now your cluster is activated

Created

That's how you can create a CloudHSM cluster and add HSM device to it and now you can start using it to store your keys.

Hope you find this blog insightful 🌟

Thank you!

💖 💪 🙅 🚩
niteshthapliyal
Nitesh Thapliyal

Posted on January 11, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related