Amazon CloudHSM key store concepts - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Amazon CloudHSM key store concepts

This topic explains some of the concepts used in Amazon CloudHSM key stores.

Amazon CloudHSM key store

An Amazon CloudHSM key store is a custom key store associated with an Amazon CloudHSM cluster that you own and manage. Amazon CloudHSM clusters are backed by hardware security modules (HSMs) certified at FIPS 140-2 Level 3.

When you create a KMS key in your Amazon CloudHSM key store, Amazon KMS generates a 256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric key in the associated Amazon CloudHSM cluster. This key material never leaves your HSMs unencrypted. When you use a KMS key in an Amazon CloudHSM key store, the cryptographic operations are performed in the HSMs in the cluster.

Amazon CloudHSM key stores combine the convenient and comprehensive key management interface of Amazon KMS with the additional controls provided by an Amazon CloudHSM cluster in your Amazon Web Services account. This integrated feature lets you create, manage, and use KMS keys in Amazon KMS while maintaining full control of the HSMs that store their key material, including managing clusters, HSMs, and backups. You can use the Amazon KMS console and APIs to manage the Amazon CloudHSM key store and its KMS keys. You can also use the Amazon CloudHSM console, APIs, client software, and associated software libraries to manage the associated cluster.

You can view and manage your Amazon CloudHSM key store, edit its properties, and connect and disconnect it from its associated Amazon CloudHSM cluster. If you need to delete an Amazon CloudHSM key store, you must first delete the KMS keys in the Amazon CloudHSM key store by scheduling their deletion and waiting until the grace period expires. Deleting the Amazon CloudHSM key store removes the resource from Amazon KMS, but it does not affect your Amazon CloudHSM cluster.

Amazon CloudHSM cluster

Every Amazon CloudHSM key store is associated with one Amazon CloudHSM cluster. When you create an Amazon KMS key in your Amazon CloudHSM key store, Amazon KMS creates its key material in the associated cluster. When you use a KMS key in your Amazon CloudHSM key store, the cryptographic operation is performed in the associated cluster.

Each Amazon CloudHSM cluster can be associated with only one Amazon CloudHSM key store. The cluster that you choose cannot be associated with another Amazon CloudHSM key store or share a backup history with a cluster that is associated with another Amazon CloudHSM key store. The cluster must be initialized and active, and it must be in the same Amazon Web Services account and Region as the Amazon CloudHSM key store. You can create a new cluster or use an existing one. Amazon KMS does not need exclusive use of the cluster. To create KMS keys in the Amazon CloudHSM key store, its associated cluster it must contain at least two active HSMs. All other operations require only one HSM.

You specify the Amazon CloudHSM cluster when you create the Amazon CloudHSM key store, and you cannot change it. However, you can substitute any cluster that shares a backup history with the original cluster. This lets you delete the cluster, if necessary, and replace it with a cluster created from one of its backups. You retain full control of the associated Amazon CloudHSM cluster so you can manage users and keys, create and delete HSMs, and use and manage backups.

When you are ready to use your Amazon CloudHSM key store, you connect it to its associated Amazon CloudHSM cluster. You can connect and disconnect your custom key store at any time. When a custom key store is connected, you can create and use its KMS keys. When it is disconnected, you can view and manage the Amazon CloudHSM key store and its KMS keys. But you cannot create new KMS keys or use the KMS keys in the Amazon CloudHSM key store for cryptographic operations.

kmsuser Crypto user

To create and manage key material in the associated Amazon CloudHSM cluster on your behalf, Amazon KMS uses a dedicated Amazon CloudHSM crypto user (CU) in the cluster named kmsuser. The kmsuser CU is a standard CU account that is automatically synchronized to all HSMs in the cluster and is saved in cluster backups.

Before you create your Amazon CloudHSM key store, you create a kmsuser CU account in your Amazon CloudHSM cluster using the createUser command in cloudhsm_mgmt_util. Then when you create the Amazon CloudHSM key store, you provide the kmsuser account password to Amazon KMS. When you connect the custom key store, Amazon KMS logs into the cluster as the kmsuser CU and rotates its password. Amazon KMS encrypts your kmsuser password before it stores it securely. When the password is rotated, the new password is encrypted and stored in the same way.

Amazon KMS remains logged in as kmsuser as long as the Amazon CloudHSM key store is connected. You should not use this CU account for other purposes. However, you retain ultimate control of the kmsuser CU account. At any time, you can find the key handles of keys that kmsuser owns. If necessary, you can disconnect the custom key store, change the kmsuser password, log into the cluster as kmsuser, and view and manage the keys that kmsuser owns.

For instructions on creating your kmsuser CU account, see Create the kmsuser Crypto User.

KMS keys in an Amazon CloudHSM key store

You can use the Amazon KMS or Amazon KMS API to create a Amazon KMS keys in an Amazon CloudHSM key store. You use the same technique that you would use on any KMS key. The only difference is that you must identify the Amazon CloudHSM key store and specify that the origin of the key material is the Amazon CloudHSM cluster.

When you create a KMS key in an Amazon CloudHSM key store, Amazon KMS creates the KMS key in Amazon KMS and it generates a 256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric key material in its associated cluster. When you use the Amazon KMS key in a cryptographic operation, the operation is performed in the Amazon CloudHSM cluster using the cluster-based AES key. Although Amazon CloudHSM supports symmetric and asymmetric keys of different types, Amazon CloudHSM key stores support only AES symmetric encryption keys.

You can view the KMS keys in an Amazon CloudHSM key store in the Amazon KMS console, and use the console options to display the custom key store ID. You can also use the DescribeKey operation to find the Amazon CloudHSM key store ID and Amazon CloudHSM cluster ID.

The KMS keys in an Amazon CloudHSM key store work just like any KMS keys in Amazon KMS. Authorized users need the same permissions to use and manage the KMS keys. You use the same console procedures and API operations to view and manage the KMS keys in an Amazon CloudHSM key store. These include enabling and disabling KMS keys, creating and using tags and aliases, and setting and changing IAM and key policies. You can use the KMS keys in an Amazon CloudHSM key store for cryptographic operations, and use them with integrated Amazon services that support the use of customer managed keys However, you cannot enable automatic key rotation or import key material into a KMS key in an Amazon CloudHSM key store.

You also use the same process to schedule deletion of a KMS key in an Amazon CloudHSM key store. After the waiting period expires, Amazon KMS deletes the KMS key from KMS. Then it makes a best effort to delete the key material for the KMS key from the associated Amazon CloudHSM cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups.