2. Outline
● What is an HSM?
● Should you use it?
○ Why are you saying "yes"?
● Here's how you use it
○ I know; I've done it
● What you're going to experience
○ Frustration
7. Just use KMS
● It does encryption and decryption
● It integrates with other AWS services
● It uses HSMs behind the scenes
○ You can even back KMS with CloudHSM if you really want your "own" HSMs
8. OK, you asked for it
● There are some upsides to using CloudHSM directly
○ Possible to replicate keys across regions
○ Possible to export keys
● But now you're doing the work that KMS is willing to do for you
12. State check
● Our cluster is UNINITIALIZED
○ We can't connect to it
○ We can't grow it
○ We can't use it
13. Issue the cluster a certificate
(diagram: CSR)
14. State check
● Our cluster is INITIALIZED
○ We can now connect to it!
○ We still can't grow it
○ We still can't use it
16. Activate the cluster
● cloudhsm_mgmt_util
○ Its own interactive shell
● Log in with default admin credentials
● Change the admin account's password
● Create users allowed to do stuff with keys
17. No external user management
● IAM
● LDAP
● SAML
● literally anything else
18. State check
● Our cluster is ACTIVATED
○ We can still connect to it
○ We can now grow it!
○ We can now use it!
20. cloudhsm-client library
● Your choices
○ PKCS#11 library for Linux
○ OpenSSL engine
○ Java JCE/JCA provider
○ KSP and CNG providers for Windows
21. Java library "documentation"
● Some small bits of sample code
○ Covers basic functionality
● No javadoc
○ Not in AWS docs
○ Not on HSM vendor's site
○ Not that I could find on Google
22. Authenticating to CloudHSM in Java
import com.cavium.cfm2.CFM2Exception;
import com.cavium.cfm2.LoginManager;

// Explicit login to the cluster; user and pass are supplied by the caller
LoginManager lm = LoginManager.getInstance();
try {
    lm.login("WHATEVER", user, pass);  // partition name, user name, password
} catch (CFM2Exception e) {
    if (CFM2Exception.isAuthenticationFailure(e)) {
        System.out.printf("Bad credentials%n");
    }
}
adapted from: https://github.com/aws-samples/aws-cloudhsm-jce-examples/blob/master/src/main/java/com/amazonaws/cloudhsm/examples/LoginRunner.java
23. Using CloudHSM as a KeyStore
import com.cavium.provider.CaviumProvider;
import java.security.KeyStore;
import java.security.Security;

// Register the CloudHSM JCE provider, then open its KeyStore (no file, no password)
Security.addProvider(new CaviumProvider());
KeyStore keyStore = KeyStore.getInstance("Cavium");
keyStore.load(null, null);
// Counts the keys the logged-in user can see in the HSM
System.out.printf("Found %d keys%n", keyStore.size());
https://github.com/aws-samples/aws-cloudhsm-jce-examples/blob/master/src/main/java/com/amazonaws/cloudhsm/examples/KeyStoreExampleRunner.java
37. Because you will not believe me
https://docs.aws.amazon.com/cloudhsm/latest/userguide/key_mgmt_util-exSymKey.html
38. How exports really work
(diagram labels: wrap, unwrap)
39. You can make exports weirder
(diagram labels: wrap, unwrap)
42. Quorum authentication setup
● Alice: public key A
● Bob: public key B
● Carol: public key C
● ...
(diagram: Alice, Bob and Carol each keep the matching private key A, B, C)
43. Get a quorum token
● Alice: public key A
● Bob: public key B
● Carol: public key C
● ...
(diagram: getToken command)
44. Collect m signatures
(diagram: Alice and Bob sign with private key A and private key B, producing signatures A and B)
45. Write a file about all the files you have
Multi Token File Path = my.token;
Token File Path = ;
Number of Approvals = 2;
Approver Type = 2; # 1 = CU, 2 = CO
Approver Name = alice;
Approval File = my.token.alice.sig;
# ...
46. Redeem your quorum token
● Alice: public key A
● Bob: public key B
● Carol: public key C
● ...
(diagram: approveToken command with signatures A and B)
47. You now have a single blank check
(image: a blank check drawn on AWS CloudHSM; "Pay to the order of: You!", Amount left blank, "Date: Whenever", memo "Please don't be evil", signed A and B)
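The whole flow from slides 42 through 47, written out as an added example that is not CloudHSM's or AWS's own code: approvers register public keys, getToken issues a token, m of them sign it, and approveToken verifies the signatures before handing over the blank check. The approver names, the use of EC signatures and the in-memory registry are assumptions.

```java
import java.security.*;
import java.util.*;

// Hypothetical stand-in for CloudHSM's quorum flow (names, EC signatures, in-memory registry are assumptions)
public class QuorumDemo {
    // Slide 42: registered approvers, name -> public key. Private keys stay with the approvers.
    static final Map<String, PublicKey> APPROVERS = new HashMap<>();
    static final int M = 2;  // "Number of Approvals" from the approval file

    // Slide 43: getToken hands out a fresh random token for the approvers to sign.
    static byte[] getToken() { byte[] t = new byte[32]; new SecureRandom().nextBytes(t); return t; }

    // Slide 44: one approver signs the token with their own private key.
    static byte[] signToken(PrivateKey key, byte[] token) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key); s.update(token); return s.sign();
    }

    // Slides 45-46: approveToken succeeds only if at least M distinct registered approvers signed
    // this exact token. Unknown names, repeats and signatures over other tokens do not count.
    static boolean approveToken(byte[] token, Map<String, byte[]> sigs) throws GeneralSecurityException {
        Set<String> valid = new HashSet<>();
        for (Map.Entry<String, byte[]> e : sigs.entrySet()) {
            PublicKey pk = APPROVERS.get(e.getKey());
            if (pk == null) continue;  // not a registered approver
            Signature v = Signature.getInstance("SHA256withECDSA");
            v.initVerify(pk); v.update(token);
            if (v.verify(e.getValue())) valid.add(e.getKey());
        }
        return valid.size() >= M;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC"); gen.initialize(256);
        Map<String, PrivateKey> priv = new HashMap<>();  // each approver's own key, never in the HSM
        for (String name : List.of("alice", "bob", "carol")) {
            KeyPair kp = gen.generateKeyPair();
            APPROVERS.put(name, kp.getPublic());
            priv.put(name, kp.getPrivate());
        }
        byte[] token = getToken();
        Map<String, byte[]> sigs = new HashMap<>();
        sigs.put("alice", signToken(priv.get("alice"), token));
        System.out.println("alice alone: " + approveToken(token, sigs));  // one signature is not a quorum
        sigs.put("bob", signToken(priv.get("bob"), getToken()));
        System.out.println("bob signed another token: " + approveToken(token, sigs));  // still rejected
        sigs.put("bob", signToken(priv.get("bob"), token));
        System.out.println("alice + bob: " + approveToken(token, sigs));  // quorum reached
    }
}
```

Once approveToken returns true the real service hands back the single-use token from slide 47, which is why the approval step, not the token, is where the policy lives.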
49. Take aways
● Prefer using KMS instead if you can
○ Or at least KMS backed by CloudHSM if you must
● Understand whether CloudHSM features are
going to be usable for you
● Be prepared for an unusual integration