Key Management in AWS: Exploring CloudHSM
Nitesh Thapliyal
Posted on January 11, 2024
In the ever-evolving landscape of cloud computing, securing sensitive data is paramount. As organizations increasingly migrate their workloads to the cloud, effective key management becomes a critical aspect of their overall security strategy. AWS, as a leading cloud services provider, offers two prominent solutions for key management: AWS CloudHSM and AWS Key Management Service (KMS).
In this blog we will explore CloudHSM.
Before we dive into the service itself, we should first understand cryptography.
Cryptography
Cryptography is the practice of techniques for securing communication and data from adversaries. It involves the use of mathematical algorithms to transform information into a format that is unintelligible to unauthorized users, ensuring confidentiality, integrity, authentication, and non-repudiation.
Key management is one of the concepts used in cryptography.
Key management
Key management refers to the process of generating, storing, distributing, and disposing of cryptographic keys in a secure and organized manner. Cryptographic keys are essential components in the field of cryptography, used to encrypt and decrypt information, authenticate users, and ensure the integrity of data.
The cryptographic keys are fundamental to ensuring the security of communication, protecting sensitive data, and maintaining the integrity of information. There are different types of cryptographic keys, and their roles can be broadly categorized into two main types: symmetric keys and asymmetric keys.
Symmetric Key Encryption
Symmetric-key cryptography is a term used for cryptographic algorithms that use the same key for encryption and for decryption.
The commonly used algorithms for symmetric key encryption are:
- AES (Advanced Encryption Standard)
- DES (Data Encryption Standard)
(Source: The SSL Store)
Asymmetric Key Encryption / Public key Encryption
It is a cryptographic system in which keys come in pairs. The transformation performed by one of the keys can only be undone with the other key. One key (the private key) is kept secret while the other is made public.
The commonly used algorithms for asymmetric key encryption are:
- RSA (Rivest–Shamir–Adleman)
- DSA (Digital Signature Algorithm)
(Source: appViewX)
Storing cryptographic keys on our own systems can be a security issue. Hardware Security Modules (HSMs) are therefore used for storing cryptographic keys, because their specialized design and features enhance the security and protection of sensitive key material.
Hardware Security Module(HSM)
A Hardware Security Module is a specialized, highly trusted physical device that performs all major cryptographic operations, including encryption, decryption, authentication, key management, key exchange, and more. HSMs are specialized security devices with the sole objective of hiding and protecting cryptographic material.
Types of HSMs
There are two main types of Hardware Security Module:
- General Purpose
General Purpose HSMs can utilize the most common encryption algorithms and are primarily used with Public Key Infrastructures, cryptowallets, and other basic sensitive data.
- Payment and Transaction
These types of HSM are created for the protection of payment card information and other sensitive transaction information. They are narrower in the types of organizations they can work within, but they are ideal for complying with the Payment Card Industry Data Security Standard (PCI DSS).
The main reason to use HSMs is that they are tamper-resistant, tamper-evident, and tamper-proof systems, providing extremely secure physical protection for key material.
(Source: cpl.thalesgroup.com)
We need to keep and manage our keys somewhere, and most of the industry uses HSMs, but they can be very costly. To overcome this problem, AWS launched a service called CloudHSM, which uses a pay-as-you-go model that lets you pay only for the resources you consume. This can be cost-effective for organizations with dynamic or unpredictable workloads.
CloudHSM
AWS CloudHSM provides cloud-based hardware security modules (HSMs) for generating and using your own encryption keys in the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs and integrate with your applications using industry-standard APIs. For more detail, see the AWS CloudHSM documentation.
*Let's create a CloudHSM cluster:*
- Go to the AWS CloudHSM service and click on Create cluster
- Select the VPC and Availability Zones based on how many devices you want, then click Next
- Add the backup retention period
After this time period, the cluster backup will be deleted
- Click on Create cluster
After a few minutes the cluster will be created.
Here you can see that the cluster is uninitialized, which means we need to add an HSM appliance to it.
- Click on the cluster and then click on Initialize
- Select the AZ in which to create the HSM and click on Create
Now you can see that one HSM has been added to the cluster.
- Now download the Certificate Signing Request (CSR)
Download the CSR and sign it.
To sign the CSR, follow these steps:
- Generate the private key
Use the command `openssl genrsa -aes256 -out customerCA.key 2048`
to generate the private key.
Note: remember the passphrase; it will be used in the next step.
- Create the certificate that will sign the CSR with the command
`openssl req -new -x509 -days 3652 -key customerCA.key -out customerCA.crt`
Here customerCA.crt is a certificate that you downloaded
Fill in the details when prompted to create the certificate.
- Sign the cluster CSR
Use the following command (`<cluster ID>` is your cluster's ID):
```bash
openssl x509 -req -days 3652 -in <cluster ID>_ClusterCsr.csr \
-CA customerCA.crt \
-CAkey customerCA.key \
-CAcreateserial \
-out <cluster ID>_CustomerHsmCertificate.crt
```
- Now upload the certificates
*Note:* The cluster certificate is the one whose filename contains the cluster ID.
Now you can see that your cluster is initialized.
- Now set the password for the cluster and activate it
Follow the AWS documentation to activate the cluster.
After following the documentation you will see that your cluster is now activated.
That's how you create a CloudHSM cluster and add an HSM device to it; now you can start using it to store your keys.
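As an added example (not code from the original post or from AWS), the script below repeats the three openssl steps above in a scratch directory and then runs the check a practitioner wants before uploading: verifying that the signed HSM certificate actually chains to customerCA.crt. It assumes openssl is installed; CLUSTER_ID is a placeholder, and the locally constructed stand-in CSR takes the place of the `<cluster ID>_ClusterCsr.csr` you download from the console.

```shell
#!/bin/sh
# Added example, not from the original post or from AWS. Repeats the post's
# openssl steps in a scratch directory and verifies the result before upload.
# Assumptions: openssl is installed; CLUSTER_ID is a placeholder; the real
# <cluster ID>_ClusterCsr.csr from the console replaces the constructed CSR.
set -eu

WORKDIR="${1:-$(mktemp -d)}"
CLUSTER_ID="cluster-EXAMPLE"            # placeholder, use your real cluster ID
CA_PASS="${CA_PASS:-demo-passphrase}"   # passphrase for customerCA.key (demo only)

# Step 1: customer CA private key (the post's "openssl genrsa -aes256").
make_ca_key() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" \
    -out "$WORKDIR/customerCA.key" 2048 2>/dev/null
}

# Step 2: self-signed customer CA certificate (the post's "openssl req -x509").
make_ca_cert() {
  openssl req -new -x509 -days 3652 -key "$WORKDIR/customerCA.key" \
    -passin "pass:$CA_PASS" -subj "/CN=Example Customer CA" \
    -out "$WORKDIR/customerCA.crt"
}

# Constructed stand-in for the CSR you download from the CloudHSM console.
make_stand_in_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/stand-in.key" \
    -subj "/CN=$CLUSTER_ID" -out "$WORKDIR/${CLUSTER_ID}_ClusterCsr.csr" 2>/dev/null
}

# Step 3: sign the cluster CSR with the customer CA (the post's "openssl x509 -req").
sign_cluster_csr() {
  openssl x509 -req -days 3652 -in "$WORKDIR/${CLUSTER_ID}_ClusterCsr.csr" \
    -CA "$WORKDIR/customerCA.crt" -CAkey "$WORKDIR/customerCA.key" \
    -passin "pass:$CA_PASS" -CAcreateserial \
    -out "$WORKDIR/${CLUSTER_ID}_CustomerHsmCertificate.crt" 2>/dev/null
}

# Check before uploading: the HSM certificate must chain to customerCA.crt.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/customerCA.crt" \
    "$WORKDIR/${CLUSTER_ID}_CustomerHsmCertificate.crt" >/dev/null 2>&1
}

run_all() {
  make_ca_key; make_ca_cert; make_stand_in_csr; sign_cluster_csr; verify_chain
}

run_all
echo "signed and verified: $WORKDIR/${CLUSTER_ID}_CustomerHsmCertificate.crt"
```

Pass a directory as the first argument to keep the generated files; customerCA.crt and the `_CustomerHsmCertificate.crt` file are the two you upload in the next step.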
Hope you find this blog insightful 🌟
Thank you!