Using trusted keys in AWS CloudHSM
AWS CloudHSM supports trusted key wrapping to protect data keys from insider threats. This topic describes how to create trusted keys to secure data.
Topics
Understanding trusted keys
A trusted key is a key that is used to wrap other keys and that admins and cryptographic officers (COs) specifically
identify as trusted using the attribute CKA_TRUSTED
. Additionally, admins and cryptographic officers (COs)
use CKA_UNWRAP_TEMPLATE
and related attributes to specify what actions data keys can do once they are unwrapped
by a trusted key. Data keys that are unwrapped by the trusted key must also contain these attributes for the unwrap
operation to succeed, which helps ensure that unwrapped data keys are only permitted for the use you intend.
Use the attribute CKA_WRAP_WITH_TRUSTED
to identify all of the data keys you want to wrap with
trusted keys. Doing this allows you to restrict data keys so applications can only use trusted
keys to unwrap them. Once you set this attribute on the data keys, the attribute becomes read-only
and you cannot change it. With these attributes in place, applications can only unwrap
your data keys with the keys you trust, and unwraps always result in data keys with attributes that limit how these keys can be used.
Trusted key attributes
The following attributes allow you to mark a key as trusted, specify a data key can only be wrapped and unwrapped with a trusted key, and control what a data key can do after it is unwrapped:
-
CKA_TRUSTED
: Apply this attribute (in addition toCKA_UNWRAP_TEMPLATE
) to the key that will wrap data keys to specify that an admin or crypto officer (CO) has done the necessary diligence and trusts this key. Only an admin or CO can setCKA_TRUSTED
. The crypto user (CU) owns the key, but only a CO can set itsCKA_TRUSTED
attribute. -
CKA_WRAP_WITH_TRUSTED
: Apply this attribute to an exportable data key to specify that you can only wrap this key with keys marked asCKA_TRUSTED
. Once you setCKA_WRAP_WITH_TRUSTED
to true, the attribute becomes read-only and you cannot change or remove the attribute. -
CKA_UNWRAP_TEMPLATE
: Apply this attribute to the wrapping key (in addition toCKA_TRUSTED
) to specify which attribute names and values the service must automatically apply to data keys that the service unwraps. When an application submits a key for unwrapping, the application can also provide its own unwrap template. If you specify an unwrap template and the application provides its own unwrap template, the HSM uses both templates to apply attribute names and values to the key. However, if a value in theCKA_UNWRAP_TEMPLATE
for the wrapping key conflicts with an attribute provided by the application during the unwrap request, then the unwrap request fails.
For more information about attributes, refer to the following topics:
How to use trusted keys to wrap data keys
To use a trusted key to wrap a data key, you must complete three basic steps:
For the data key you plan to wrap with a trusted key, set its
CKA_WRAP_WITH_TRUSTED
attribute to true.For the trusted key you plan to wrap the data key with, set its
CKA_TRUSTED
attribute to true.Use the trusted key to wrap the data key.
Step 1: Set the data key's CKA_WRAP_WITH_TRUSTED
to true
For the data key you want to wrap, choose one of the following options to set the key’s CKA_WRAP_WITH_TRUSTED
attribute to true. Doing this restricts the data key so applications can only use trusted keys to wrap it.
Option 1: If generating a new key, set CKA_WRAP_WITH_TRUSTED
to true
Generate a key using PKCS #11, JCE, or CloudHSM CLI. See the following examples for more details.
Option 2: If using an existing key, use CloudHSM CLI to set its CKA_WRAP_WITH_TRUSTED
to true
To set an existing key's CKA_WRAP_WITH_TRUSTED
attribute to true, follow these steps:
Use the login command to log in as a crypto user (CU).
Use the key set-attribute command to set the key's
wrap-with-trusted
attribute to true.aws-cloudhsm >
key set-attribute --filter attr.label=test_key --name wrap-with-trusted --value true
{ "error_code": 0, "data": { "message": "Attribute set successfully" } }
Step 2: Set the trusted key's CKA_TRUSTED
to true
To make a key a trusted key, its CKA_TRUSTED
attribute must be set to true. You can either use CloudHSM CLI or the CloudHSM Management Utility (CMU) to do this.
If using CloudHSM CLI to set a key's
CKA_TRUSTED
attribute, see How to mark a key as trusted with CloudHSM CLI.If using the CMU to set a key's
CKA_TRUSTED
attribute, see How to mark a key as trusted with the CMU.
Step 3. Use the trusted key to wrap the data key
To wrap the data key referenced in Step 1 with the trusted key you set in Step 2, refer to the following links for code samples. Each demonstrates how to wrap keys.
How to unwrap a data key with a trusted key
To unwrap a data key, you need a trusted key that has CKA_UNWRAP
set to true. To be such a key, it must also meet the following criteria:
The key’s
CKA_TRUSTED
attribute must be set to true.The key must use
CKA_UNWRAP_TEMPLATE
and related attributes to specify what actions data keys can perform once they are unwrapped. If, for example, you want an unwrapped key to be non-exportable, you setCKA_EXPORTABLE = FALSE
as part of theCKA_UNWRAP_TEMPLATE
.
Note
CKA_UNWRAP_TEMPLATE
is only available with PKCS #11.
When an application submits a key to be unwrapped, the application can also provide its own unwrap template.
If you specify an unwrap template and the application provides its own unwrap template, the HSM uses both templates to apply attribute names and values to the key.
However, if during the unwrap request a value in the trusted key’s CKA_UNWRAP_TEMPLATE
conflicts with an attribute provided by the application, the unwrap request fails.
To see an example on unwrapping a data key with a trusted key, refer to this PKCS #11 example