AWS CloudHSM key concepts - AWS CloudHSM

AWS CloudHSM key concepts

The following are concepts to be aware of when working with keys in AWS CloudHSM.

Token keys

Persistent keys created by key generation, import, or unwrap operations. AWS CloudHSM synchronizes token keys across the HSMs in a cluster, so they survive the loss of a single HSM.

Session keys

Ephemeral keys that exist only on the one hardware security module (HSM) in the cluster where they were created. AWS CloudHSM does not synchronize session keys across a cluster, so a session key is lost if that HSM becomes unavailable.

Client-side key synchronization

A client-side process that clones the token keys you create during key generation, import, or unwrap operations to the other HSMs in the cluster at creation time. Because the clone happens when the key is created, running a cluster with at least two HSMs makes token keys more durable: a new key exists on a second HSM as soon as the creation operation completes.

Server-side key synchronization

A service-side process that periodically clones token keys to every HSM in the cluster, so that any HSM missing a key (for example, one added after the key was created) receives a copy. It requires no management on your part.

Client key durability settings

Settings you configure on the client that control how many HSMs must hold a token key before the client treats it as created. These settings work differently in Client SDK 5 and Client SDK 3.

  • In Client SDK 5, the setting is the key availability check. It is enabled by default and expects a key to exist on more than one HSM; disable it to run a single-HSM cluster, where that expectation can never be met.

  • In Client SDK 3, the setting specifies the minimum number of HSMs on which a new key must exist for a key creation operation to succeed.
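The following is an added illustration, written for this page, of how the concepts above interact; it is a small in-memory model, not the AWS CloudHSM client library, and every name in it (`Cluster`, `Hsm`, `create_key`, `server_side_sync`, `min_hsms`) is hypothetical. It models both durability settings as one gate, `min_hsms`: the Client SDK 3 minimum-HSM count, or 2 and 1 for the Client SDK 5 key availability check enabled and disabled. The scenario shows a token key surviving HSM loss and being backfilled onto a new HSM, a session key dying with its HSM, and a single-HSM cluster failing key creation until the gate is lowered to 1.

```python
# Toy model of AWS CloudHSM key durability (added example, not CloudHSM code).
# All class and function names are hypothetical.
from dataclasses import dataclass, field


class KeyCreationFailed(Exception):
    """Raised when a token key cannot be placed on enough HSMs."""


class KeyNotFound(Exception):
    """Raised when no HSM in the cluster holds the requested key."""


@dataclass
class Hsm:
    hsm_id: str
    keys: dict = field(default_factory=dict)  # label -> (is_token_key, material)


@dataclass
class Cluster:
    hsms: list

    def holders(self, label):
        """IDs of the HSMs that currently hold the key with this label."""
        return sorted(h.hsm_id for h in self.hsms if label in h.keys)

    def create_key(self, label, material, token, min_hsms=2):
        """Create a key. Session keys (token=False) land on exactly one HSM and
        are never synchronized. Token keys are cloned to every reachable HSM
        (client-side synchronization); creation fails, and the key is rolled
        back, unless it exists on at least `min_hsms` HSMs."""
        if not self.hsms:
            raise KeyCreationFailed("cluster has no HSMs")
        if not token:
            self.hsms[0].keys[label] = (False, material)
            return self.holders(label)
        for h in self.hsms:  # client-side synchronization at creation time
            h.keys[label] = (True, material)
        placed = self.holders(label)
        if len(placed) < min_hsms:
            for h in self.hsms:  # do not leave an under-replicated key behind
                h.keys.pop(label, None)
            raise KeyCreationFailed(f"{label}: on {len(placed)} HSM(s), {min_hsms} required")
        return placed

    def server_side_sync(self):
        """Periodic service-side clone of token keys to every HSM that lacks
        them. Session keys are skipped: the service never replicates them."""
        token_keys = {}
        for h in self.hsms:
            for label, (is_token, material) in h.keys.items():
                if is_token:
                    token_keys[label] = material
        for h in self.hsms:
            for label, material in token_keys.items():
                h.keys.setdefault(label, (True, material))

    def use_key(self, label):
        """Return the ID of an HSM able to serve an operation with this key."""
        for h in self.hsms:
            if label in h.keys:
                return h.hsm_id
        raise KeyNotFound(label)

    def add_hsm(self, hsm_id):
        self.hsms.append(Hsm(hsm_id))

    def remove_hsm(self, hsm_id):
        """An HSM leaves the cluster; whatever only it held is gone."""
        self.hsms = [h for h in self.hsms if h.hsm_id != hsm_id]


def durability_scenario():
    """Walk through the situations described above; returns the observations."""
    out = {}
    c = Cluster([Hsm("hsm-a"), Hsm("hsm-b")])
    out["token_holders"] = c.create_key("tok-aes", b"k1", token=True, min_hsms=2)
    out["session_holders"] = c.create_key("sess-aes", b"k2", token=False)
    c.add_hsm("hsm-c")
    c.server_side_sync()  # backfills the new HSM with token keys only
    out["token_after_sync"] = c.holders("tok-aes")
    out["session_after_sync"] = c.holders("sess-aes")
    c.remove_hsm("hsm-a")  # the HSM that held the session key
    out["token_still_usable"] = c.use_key("tok-aes") in ("hsm-b", "hsm-c")
    try:
        c.use_key("sess-aes")
        out["session_lost"] = False
    except KeyNotFound:
        out["session_lost"] = True
    single = Cluster([Hsm("hsm-solo")])
    try:  # gate of 2 (SDK 5 check enabled) can never be satisfied here
        single.create_key("tok-solo", b"k3", token=True, min_hsms=2)
        out["single_hsm_gate_2"] = "created"
    except KeyCreationFailed:
        out["single_hsm_gate_2"] = "failed"
    out["single_hsm_gate_1"] = single.create_key("tok-solo", b"k3", token=True, min_hsms=1)
    return out


if __name__ == "__main__":
    for name, value in durability_scenario().items():
        print(f"{name}: {value}")
```

The rollback in `create_key` is the design choice worth noting: when the gate is not met, the model removes the partial copies rather than leaving a key that exists on fewer HSMs than the caller asked for, which is the condition the durability settings are there to prevent.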