HSM keys - AWS CloudHSM

HSM keys

AWS CloudHSM allows you to securely generate, store, and manage your encryption keys in single-tenant HSMs that are in your AWS CloudHSM cluster. Keys can be symmetric or asymmetric, can be session keys (ephemeral keys) for single sessions, token keys (persistent keys) for long-term use, and can be exported from and imported into AWS CloudHSM. Keys can also be used to complete common cryptographic tasks and functions:

  • Perform cryptographic data signing and signature verification with both symmetric and asymmetric encryption algorithms.

  • Work with hash functions to compute message digests and hash-based message authentication codes (HMACs).

  • Wrap and protect other keys.

  • Access cryptographically secure random data.

The maximum number of keys a cluster can hold depends on the type of HSMs that are in the cluster. For example, hsm2m.medium stores more keys than hsm1.medium. For a comparison, see AWS CloudHSM quotas.

Additionally, AWS CloudHSM follows a few foundational principles for key usage and management:

Many key types and algorithms to choose from

To allow you to customize your own solutions, AWS CloudHSM provides many key types and algorithms to choose from. These algorithms support a range of key sizes. For more information, refer to the attributes and mechanism pages of each AWS CloudHSM Client SDK.

How you manage keys

AWS CloudHSM keys are managed through SDKs and command line tools. For information on how to use these tools to manage keys, see Managing keys in AWS CloudHSM and Best practices for AWS CloudHSM.

Who owns keys

In AWS CloudHSM, the crypto user (CU) who creates the key owns it. The owner can use the key share and key unshare commands to share and unshare the key with other CUs. For more information, see Using CloudHSM CLI to share and unshare keys.

Access and usage can be controlled with attribute-based encryption

AWS CloudHSM allows you to use attribute-based encryption, a form of encryption that lets you use key attributes to control who can decrypt data based on policies.
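The three ideas above (session versus token keys, ownership with share/unshare, and key attributes that gate what a key may be used for) are easiest to see together. The following Python model is an added example written for this page; it is not CloudHSM code or the CloudHSM CLI or SDK API. The `ToyHsm`, `Key` and `HsmError` names, the attribute names (`extractable`, `sign`, `verify`) and the users `alice` and `bob` are all constructed for illustration, and signing is modelled with HMAC-SHA256 so the code runs offline.

```python
"""Toy model of HSM key ownership, session vs. token keys and attribute-gated use.

Constructed illustration only: it mirrors the concepts on this page, not the
behaviour or API of AWS CloudHSM or its client SDKs.
"""
import hashlib
import hmac
import secrets


class HsmError(Exception):
    """The model refuses an operation (wrong user, missing attribute, no key)."""


class Key:
    def __init__(self, label, owner, token, attributes):
        self.label = label
        self.owner = owner            # the crypto user (CU) who created the key owns it
        self.token = token            # True: persistent token key, False: session key
        self.attributes = attributes  # usage attributes, e.g. {"extractable": False}
        self.shared_with = set()      # other CUs the owner has shared the key with
        self.material = secrets.token_bytes(32)  # secret never leaves unless extractable


class ToyHsm:
    """One partition holding keys for a single session (constructed model)."""

    def __init__(self):
        self.keys = {}  # label -> Key

    def _lookup(self, user, label):
        key = self.keys.get(label)
        if key is None:
            raise HsmError(f"no key labelled {label!r}")
        if user != key.owner and user not in key.shared_with:
            raise HsmError(f"{user} has no access to key {label!r}")
        return key

    def generate_key(self, user, label, token=True, **attributes):
        # Conservative defaults: usable for sign/verify, never exportable.
        attrs = {"extractable": False, "sign": True, "verify": True}
        attrs.update(attributes)
        if label in self.keys:
            raise HsmError(f"label {label!r} already in use")
        self.keys[label] = Key(label, user, token, attrs)
        return self.keys[label]

    def share(self, user, label, other):
        key = self._lookup(user, label)
        if key.owner != user:  # only the owning CU may share or unshare
            raise HsmError(f"{user} does not own key {label!r}")
        key.shared_with.add(other)

    def unshare(self, user, label, other):
        key = self._lookup(user, label)
        if key.owner != user:
            raise HsmError(f"{user} does not own key {label!r}")
        key.shared_with.discard(other)

    def sign(self, user, label, message):
        key = self._lookup(user, label)
        if not key.attributes.get("sign"):
            raise HsmError(f"key {label!r} lacks the sign attribute")
        return hmac.new(key.material, message, hashlib.sha256).digest()

    def verify(self, user, label, message, signature):
        key = self._lookup(user, label)
        if not key.attributes.get("verify"):
            raise HsmError(f"key {label!r} lacks the verify attribute")
        expected = hmac.new(key.material, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

    def export_key(self, user, label):
        key = self._lookup(user, label)
        if not key.attributes.get("extractable"):
            raise HsmError(f"key {label!r} is not extractable")
        return key.material

    def end_session(self):
        """Session (ephemeral) keys vanish when the session closes; token keys persist."""
        self.keys = {label: k for label, k in self.keys.items() if k.token}


def demo():
    """Walk through the lifecycle and report which checks held; used by the tests."""
    hsm = ToyHsm()
    hsm.generate_key("alice", "app-key")                 # token key, non-extractable
    hsm.generate_key("alice", "scratch", token=False)    # session key
    sig = hsm.sign("alice", "app-key", b"payload")
    result = {"owner_verifies": hsm.verify("alice", "app-key", b"payload", sig)}
    try:
        hsm.sign("bob", "app-key", b"payload")
        result["bob_before_share"] = "allowed"
    except HsmError:
        result["bob_before_share"] = "denied"
    hsm.share("alice", "app-key", "bob")
    result["bob_after_share"] = hsm.verify("bob", "app-key", b"payload", sig)
    try:
        hsm.export_key("alice", "app-key")
        result["export"] = "allowed"
    except HsmError:
        result["export"] = "denied"
    hsm.end_session()
    result["keys_after_session"] = sorted(hsm.keys)
    return result


if __name__ == "__main__":
    print(demo())
```

The model encodes the same three controls a real HSM layers on a key: who may reference it at all (owner plus explicitly shared users), what it may be used for (attributes such as `sign` and `extractable`), and how long it lives (a session key disappears with the session, a token key does not). A key created non-extractable stays inside the `ToyHsm` object even for its owner, which is the property practitioners rely on when they choose non-extractable keys for long-lived signing material.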