Ref: https://learn.cantrill.io/courses/1820301/lectures/41301515

• Summary:
• Contents:

Refresher: KMS and HSMs

• KMS is the default encryption-at-rest service in AWS
  • Manages encryption keys in AWS → keys can be AWS-managed or customer-managed
  • Integrates with AWS suite of services
  • Strict permissions: customer keys are isolated from other customers…
  • ‼️ … but it's still a SHARED service!!
    • Default service keys can even be shared among customers! (without awareness of which customers)
  • ‼️  AWS manages HW & SW of KMS! → AWS has some access to KMS
  • Some strict security scenarios require non-shared hardware and controlled access
• Hardware Security Module (HSM) → secure HW appliance, can store encryption keys
  • KMS infrastructure supported by AWS-managed HSMs behind the scenes
  • You can run HSMs on premises
  • You can run HSMs in the cloud → e.g. AWS CloudHSM

CloudHSM - Overview

• 🔧 CloudHSM = HSM-aaS → true “single tenant" Hardware Security Module (HSM)
  • AWS provisions and maintains HW, but nothing else
  • ❗ AWS has no access to secure HW area with key material → fully customer-managed
    • ‼️ If a customer loses access to the HSM, data is lost! They can reprovision the HSM, but NOT recover the data!
• Federal Information Processing Standard (FIPS), publication 140-2 → well-known standard for HSMs and cryptographic modules
  • 🔧 CloudHSM is FIPS 140-2 Level 3 compliant
  • In contrast, KMS is only FIPS 140-2 Level 2 compliant (overall, some parts of KMS are L3, but not all of KMS)
  • Extra reading: https://en.wikipedia.org/wiki/FIPS_140-2
• Access via industry-standard APIs:
  • PKCS#11
  • Java Cryptography Extensions (JCE)
  • Microsoft CryptoNG (CNG) libraries
• ‼️ Does NOT integrate natively with AWS suite of services!!
  • 💡 e.g. S3-SSE only uses KMS, can't use CloudHSM
  • In contrast, access to KMS is via AWS standard APIs which other services use
  • ❗ KMS can use CloudHSM as a custom key store → CloudHSM integration with KMS
    • 👍 Many benefits from CloudHSM as well as AWS-integration

CloudHSM - Use Cases

• Perform Client-Side Encryption (CSE)
  • e.g. encrypt data object with CloudHSM, then send to S3
• Offload SSL/TLS processing for web servers
  • Web servers don't waste compute performing crypto operations
  • CloudHSM's HW accelerates this processing → economical & efficient
• Enable Transparent Data Encryption (TDE) for Oracle DBs
  • Oracle DBs can use industry-standard APIs
• Protect private keys for an issuing Certificate Authority (CA)

CloudHSM - Architecture