Download AWS CloudHSM Client SDK

In March 2021, AWS CloudHSM released Client SDK version 5.0.0, which introduces an all-new Client SDK with different requirements, capabilities, and platform support. You now have two versions of the Client SDK to choose from, Client SDK 5 and Client SDK 3. For more information, see Using the Client SDK, What's in the Client SDK, and Platform Support.

Latest Releases

This section includes the latest version of each Client SDK.

To check which version of the Client SDK is installed:

  • On a Red Hat-based Linux system (including Amazon Linux and CentOS), use the following command:

    rpm -qa | grep ^cloudhsm

  • On a Debian-based Linux system, use the following command:

    apt list --installed | grep ^cloudhsm

  • On a Windows system, use the following command:

    wmic product get name,version

Client SDK 5

While fully supported for production environments, Client SDK 5 does not yet offer every component or the same level of support for cryptographic operations as Client SDK 3. For more information, see Client SDK Component Comparison and the following release notes:

  • Version 5.2.1 - improved stability and bug fixes

  • Version 5.2.0 - support for additional key types and mechanisms in the PKCS #11 library

  • Version 5.1.0 - support for additional mechanisms in the PKCS #11 library

  • Version 5.0.1 - introductory OpenSSL Dynamic Engine support

  • Version 5.0.0 - introductory PKCS #11 library support

Version 5.2.1

Amazon Linux

Download the version 5.2.1 software for Amazon Linux:

  • PKCS #11 Library (SHA256 checksum 710654ef82794e2cdab49ae621ac83b64c23b38b2d935e2f8d04a311994730f5)

Amazon Linux 2

Download the version 5.2.1 software for Amazon Linux 2:

  • PKCS #11 Library (SHA256 checksum b3ac4b0d4a27d58a3ae3df45702c2c1197daf0a5703fb8d403813019451a9f36)

CentOS 7.8+

Download the version 5.2.1 software for CentOS 7.8+:

  • PKCS #11 Library (SHA256 checksum b3ac4b0d4a27d58a3ae3df45702c2c1197daf0a5703fb8d403813019451a9f36)

CentOS 8.3+

Download the version 5.2.1 software for CentOS 8.3+:

  • PKCS #11 Library (SHA256 checksum 57909c25f0c93c2af8b78a833aec7acdd09d7dc448c268b89893d8a03c7b9a45)

  • OpenSSL Dynamic Engine (SHA256 checksum e9d3daecd68f66acaadc6036bd5aa108a0c59cb91d3f31ee9b758c5590812086)

RHEL 7.8+

Download the version 5.2.1 software for RedHat Enterprise Linux 7.8+:

  • PKCS #11 Library (SHA256 checksum b3ac4b0d4a27d58a3ae3df45702c2c1197daf0a5703fb8d403813019451a9f36)

RHEL 8.3+

Download the version 5.2.1 software for RedHat Enterprise Linux 8.3+:

  • PKCS #11 Library (SHA256 checksum 57909c25f0c93c2af8b78a833aec7acdd09d7dc448c268b89893d8a03c7b9a45)

  • OpenSSL Dynamic Engine (SHA256 checksum e9d3daecd68f66acaadc6036bd5aa108a0c59cb91d3f31ee9b758c5590812086)

Ubuntu 18.04 LTS

Download the version 5.2.1 software for Ubuntu 18.04 LTS:

  • PKCS #11 Library (SHA256 checksum 29ab3ea6fc9ff84ce94f5e4e79c254190e4a6d0af5d4c5583416a892998019f0)

  • OpenSSL Dynamic Engine (SHA256 checksum 55e48b58358e6a2e701ba42dd0fd29bcae57d08b0af77a3f44c62b397edd8b9a)

Windows Server 2016

Download the latest version 5.2.1 software for Windows Server 2016:

  • PKCS #11 Library (SHA256 checksum b82c2afa1e8353fb47fa392ba20be480e0d2ccb0e361acb6d8ca89f8f8803545)

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

Windows Server 2019

Download the latest version 5.2.1 software for Windows Server 2019:

  • PKCS #11 Library (SHA256 checksum b82c2afa1e8353fb47fa392ba20be480e0d2ccb0e361acb6d8ca89f8f8803545)

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

PKCS #11 Library

  • Improved stability and bug fixes.

OpenSSL Dynamic Engine

  • Improved stability and bug fixes.

Client SDK 3

To upgrade Client SDK 3 on Linux platforms, you must use a batch command that upgrades the client daemon and all the libraries at the same time. For more information about upgrading, see Client SDK 3 Upgrade.

Version 3.4.0

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 3.4.0 software for Amazon Linux:

  • AWS CloudHSM Client (SHA256 checksum e5ca8d26805ea1d11da3d8801e706423d766071a7ede0bedfcae45e561f45d17)

  • PKCS #11 Library (SHA256 checksum 3851c30ca0d426dc054000ad6929016fc783043404edf98a4033fd9b64d29f6c)

  • OpenSSL Dynamic Engine (SHA256 checksum ae19c864fe4b0a96e9d8e3c03a41b84b2f0d4a91ec65485d34624ecb964fc90c)

  • JCE Provider (SHA256 checksum 3251d7c11528c5eda386c9c250ad9178acf303832136c6b267a0b9f825436c4b)

  • CloudHSM Management Utility (SHA256 checksum 9f87b4b7bdb219df05905c132a732ffcb2544a3c9a68af0859c6434d5c7747e7)

Amazon Linux 2

Download the version 3.4.0 software for Amazon Linux 2:

  • AWS CloudHSM Client (SHA256 checksum 4b520de05217f7e6077bd94af6788da60e19d1b3f28e5a17669232d519c83857)

  • PKCS #11 Library (SHA256 checksum 64262f715786172c7c0da0ab74136097c2b7a1641e3b284ae827f1486fbbc56b)

  • OpenSSL Dynamic Engine (SHA256 checksum 05320772c49a622bda0284dd503c8ae5a13c1669f0e4b475873e53b5a7c074e6)

  • JCE Provider (SHA256 checksum 845b2788a654b81a5bbaf19cefd7865ceab8a7c779d927eb282eea86b0819007)

  • CloudHSM Management Utility (SHA256 checksum ce6741813d29a41cfb23722fb0d140a2fedf90a44a0ddcac39a607457eabe91a)

CentOS 6

AWS CloudHSM does not support CentOS 6 with Client SDK Version 3.4.0.

Use Version 3.2.1 for CentOS 6 or choose a supported platform.

CentOS 7

Download the version 3.4.0 software for CentOS 7:

  • AWS CloudHSM Client (SHA256 checksum 4b520de05217f7e6077bd94af6788da60e19d1b3f28e5a17669232d519c83857)

  • PKCS #11 Library (SHA256 checksum 64262f715786172c7c0da0ab74136097c2b7a1641e3b284ae827f1486fbbc56b)

  • OpenSSL Dynamic Engine (SHA256 checksum 05320772c49a622bda0284dd503c8ae5a13c1669f0e4b475873e53b5a7c074e6)

  • JCE Provider (SHA256 checksum 845b2788a654b81a5bbaf19cefd7865ceab8a7c779d927eb282eea86b0819007)

  • CloudHSM Management Utility (SHA256 checksum ce6741813d29a41cfb23722fb0d140a2fedf90a44a0ddcac39a607457eabe91a)

CentOS 8

Download the version 3.4.0 software for CentOS 8:

  • AWS CloudHSM Client (SHA256 checksum 853b05e6ea6e239f42e1bbf70be26adcc8205d2d172dfc3d57342c14d0060a1e)

  • PKCS #11 Library (SHA256 checksum 51415be53ee10ddc8e85d5bcb0f052a4e29c086434c7fac152b57c7ac37bc3f5)

  • JCE Provider (SHA256 checksum e7a39e46084cab6e193c13c57ea021f0570246cce90b21863d6b40f60a7a8cd7)

  • CloudHSM Management Utility (SHA256 checksum 5de8d9d9a88deae2fffacd4923e429aad885d600adeb1d0bdb771da177fae647)

RHEL 6

AWS CloudHSM does not support RedHat Enterprise Linux 6 with Client SDK Version 3.4.0.

Use Version 3.2.1 for RedHat Enterprise Linux 6 or choose a supported platform.

RHEL 7

Download the version 3.4.0 software for RedHat Enterprise Linux 7:

  • AWS CloudHSM Client (SHA256 checksum 4b520de05217f7e6077bd94af6788da60e19d1b3f28e5a17669232d519c83857)

  • PKCS #11 Library (SHA256 checksum 64262f715786172c7c0da0ab74136097c2b7a1641e3b284ae827f1486fbbc56b)

  • OpenSSL Dynamic Engine (SHA256 checksum 05320772c49a622bda0284dd503c8ae5a13c1669f0e4b475873e53b5a7c074e6)

  • JCE Provider (SHA256 checksum 845b2788a654b81a5bbaf19cefd7865ceab8a7c779d927eb282eea86b0819007)

  • CloudHSM Management Utility (SHA256 checksum ce6741813d29a41cfb23722fb0d140a2fedf90a44a0ddcac39a607457eabe91a)

RHEL 8

Download the version 3.4.0 software for RedHat Enterprise Linux 8:

  • AWS CloudHSM Client (SHA256 checksum 853b05e6ea6e239f42e1bbf70be26adcc8205d2d172dfc3d57342c14d0060a1e)

  • PKCS #11 Library (SHA256 checksum 51415be53ee10ddc8e85d5bcb0f052a4e29c086434c7fac152b57c7ac37bc3f5)

  • JCE Provider (SHA256 checksum e7a39e46084cab6e193c13c57ea021f0570246cce90b21863d6b40f60a7a8cd7)

  • CloudHSM Management Utility (SHA256 checksum 5de8d9d9a88deae2fffacd4923e429aad885d600adeb1d0bdb771da177fae647)

Ubuntu 16.04 LTS

Download the version 3.4.0 software for Ubuntu 16.04 LTS:

  • AWS CloudHSM Client (SHA256 checksum 1f80e1a7e2fcd35481cc4a6e7fba3869e863becbc09aba32ef2a81a2494c2e49)

  • PKCS #11 Library (SHA256 checksum 8fb002f8d5810ee43b8ef020831372a3a9d0f5a7fa35dca23f7d93a2a74a63bf)

  • OpenSSL Dynamic Engine (SHA256 checksum 2c1717f99cb4a56d47d8517ba97847c644112d0a4f37da435898f77cc794a508)

  • JCE Provider (SHA256 checksum 9f0708e2ec644f5b87dbd6fb0683f690e78371f3ef866d1384ab80e3b4a1c1a6)

  • CloudHSM Management Utility (SHA256 checksum fec730e64467371fbe5b3b8485215712637fe6139fc45832095fb945fb4317d1)

Note

Due to the impending EOL of Ubuntu 16.04, we intend to drop support for this platform with the next release.

Ubuntu 18.04 LTS

Download the version 3.4.0 software for Ubuntu 18.04 LTS:

  • AWS CloudHSM Client (SHA256 checksum a78832a1666b41a85869fc0362c19ecc33113243970a4cc88eeae993c4cd47c1)

  • PKCS #11 Library (SHA256 checksum f9610a82d55b17202c2ad064650199abbc2f8412fe28ef24819a899633feea80)

  • JCE Provider (SHA256 checksum 5b450c1519594b9630f06620c6e23079dcbcaf2999852ea95768c699461585eb)

  • CloudHSM Management Utility (SHA256 checksum 8bdc208a258976c5cb5fa97bcd19a3a5cb156ecfbd507a019c99bf5886b5f03f)

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.4.0 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows). Download the latest version (3.4.0) software for Windows Server:

Version 3.4.0 adds updates to all components.

AWS CloudHSM Client Software

  • Improved stability and bug fixes.

PKCS #11 Library

  • Improved stability and bug fixes.

OpenSSL Dynamic Engine

  • Improved stability and bug fixes.

JCE Provider

  • Improved stability and bug fixes.

Windows (CNG and KSP providers)

  • Improved stability and bug fixes.

Previous Client SDK 5 Releases

This section lists previous Client SDK 5 releases. For the current Client SDK 5 release, see Latest Releases.

Amazon Linux

Download the version 5.2.0 software for Amazon Linux:

  • PKCS #11 Library (SHA256 checksum 6ba98c1cd05e80d96e690c146c4d870f34a8971f542a3b7c3b30c96ac2bdf940)

Amazon Linux 2

Download the version 5.2.0 software for Amazon Linux 2:

  • PKCS #11 Library (SHA256 checksum 3df6395a9d15ad3d1b1c19bae78dbac96a704be304d96f9ae9101a78f7573797)

CentOS 7.8+

Download the version 5.2.0 software for CentOS 7.8+:

  • PKCS #11 Library (SHA256 checksum 3df6395a9d15ad3d1b1c19bae78dbac96a704be304d96f9ae9101a78f7573797)

CentOS 8.3+

Download the version 5.2.0 software for CentOS 8.3+:

  • PKCS #11 Library (SHA256 checksum d1d3f8d2ec98ae7bdcc4ffc8e3f6affd4b7d11113ab8480ba2c7dd6ed17c280e)

  • OpenSSL Dynamic Engine (SHA256 checksum f5d8fd0d694c481f6c51a1e9ff2c45873f31df1000db671901a26f5041f905f8)

RHEL 7.8+

Download the version 5.2.0 software for RedHat Enterprise Linux 7.8+:

  • PKCS #11 Library (SHA256 checksum 3df6395a9d15ad3d1b1c19bae78dbac96a704be304d96f9ae9101a78f7573797)

RHEL 8.3+

Download the version 5.2.0 software for RedHat Enterprise Linux 8.3+:

  • PKCS #11 Library (SHA256 checksum d1d3f8d2ec98ae7bdcc4ffc8e3f6affd4b7d11113ab8480ba2c7dd6ed17c280e)

  • OpenSSL Dynamic Engine (SHA256 checksum f5d8fd0d694c481f6c51a1e9ff2c45873f31df1000db671901a26f5041f905f8)

Ubuntu 18.04 LTS

Download the version 5.2.0 software for Ubuntu 18.04 LTS:

  • PKCS #11 Library (SHA256 checksum 25448e26a2f600ee53143779001bb001111aa37d34b861f4a88a7e507eb6ec44)

  • OpenSSL Dynamic Engine (SHA256 checksum 797061b4c4a2550172ec0d49c694ca76ddefc0fb157a2ce39a5f39a650767c36)

Windows Server 2016

Download the latest version 5.2.0 software for Windows Server 2016:

  • PKCS #11 Library (SHA256 checksum 64c9afa1856a7166707d563ab4eedc2dc27132df7f5e76c0467ca996828fff0b)

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

Windows Server 2019

Download the latest version 5.2.0 software for Windows Server 2019:

  • PKCS #11 Library (SHA256 checksum 64c9afa1856a7166707d563ab4eedc2dc27132df7f5e76c0467ca996828fff0b)

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

Version 5.2.0 adds support for additional key types and mechanisms to the PKCS #11 library.

PKCS #11 Library

Key Types

  • ECDSA – P-224, P-256, P-384, P-521 and secp256k1 curves

  • Triple DES (3DES)

Mechanisms

  • CKM_EC_KEY_PAIR_GEN

  • CKM_DES3_KEY_GEN

  • CKM_DES3_CBC

  • CKM_DES3_CBC_PAD

  • CKM_DES3_ECB

  • CKM_ECDSA

  • CKM_ECDSA_SHA1

  • CKM_ECDSA_SHA224

  • CKM_ECDSA_SHA256

  • CKM_ECDSA_SHA384

  • CKM_ECDSA_SHA512

  • CKM_RSA_PKCS for Encrypt/Decrypt

OpenSSL Dynamic Engine

  • Improved stability and bug fixes.

Amazon Linux

Download the version 5.1.0 software for Amazon Linux:

  • PKCS #11 Library (SHA256 checksum cd9016efeb1d7339be1fda4cff0d32f9144a119077da9f409f7e6f27c1d54c8b)

Amazon Linux 2

Download the version 5.1.0 software for Amazon Linux 2:

  • PKCS #11 Library (SHA256 checksum 9674d705032b39087a8ddaa793647fa0e31968c3ede3ca67f3ea65be4f0d77a1)

CentOS 7.8+

Download the version 5.1.0 software for CentOS 7.8+:

  • PKCS #11 Library (SHA256 checksum 9674d705032b39087a8ddaa793647fa0e31968c3ede3ca67f3ea65be4f0d77a1)

CentOS 8.3+

Download the version 5.1.0 software for CentOS 8.3+:

  • PKCS #11 Library (SHA256 checksum 0c0de23d884500b47cf0df89943f902c5a52cb48a6088693c51e31a240bc0bc3)

  • OpenSSL Dynamic Engine (SHA256 checksum fd2f8f5fca5ed3d92ff602c6673e8b92daa70d904c7428dbe90ea6a7b5492cdb)

RHEL 7.8+

Download the version 5.1.0 software for RedHat Enterprise Linux 7.8+:

  • PKCS #11 Library (SHA256 checksum 9674d705032b39087a8ddaa793647fa0e31968c3ede3ca67f3ea65be4f0d77a1)

RHEL 8.3+

Download the version 5.1.0 software for RedHat Enterprise Linux 8.3+:

  • PKCS #11 Library (SHA256 checksum 0c0de23d884500b47cf0df89943f902c5a52cb48a6088693c51e31a240bc0bc3)

  • OpenSSL Dynamic Engine (SHA256 checksum fd2f8f5fca5ed3d92ff602c6673e8b92daa70d904c7428dbe90ea6a7b5492cdb)

Ubuntu 18.04 LTS

Download the version 5.1.0 software for Ubuntu 18.04 LTS:

  • PKCS #11 Library (SHA256 checksum f03e683f37fe82209451b95704d42716c1e6155611c6c02e7838e5e41c429019)

  • OpenSSL Dynamic Engine (SHA256 checksum 956b51bb5a20a302c938c8ad29542a487b2c85fe7a7c9e3386f7d280d6913058)

Windows Server 2016

Download the latest version 5.1.0 software for Windows Server 2016:

  • PKCS #11 Library (SHA256 checksum 520c9cd19fc48dcf61b2e3f2d1951cefa9ba5e41874a9db7c926a04e03147c8d)

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

Windows Server 2019

Download the latest version 5.1.0 software for Windows Server 2019:

  • PKCS #11 Library (SHA256 checksum 520c9cd19fc48dcf61b2e3f2d1951cefa9ba5e41874a9db7c926a04e03147c8d)

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

Version 5.1.0 adds support for additional mechanisms to the PKCS #11 library.

PKCS #11 Library

Mechanisms

  • CKM_RSA_PKCS for Wrap/Unwrap

  • CKM_RSA_PKCS_PSS

  • CKM_SHA1_RSA_PKCS_PSS

  • CKM_SHA224_RSA_PKCS_PSS

  • CKM_SHA256_RSA_PKCS_PSS

  • CKM_SHA384_RSA_PKCS_PSS

  • CKM_SHA512_RSA_PKCS_PSS

  • CKM_AES_ECB

  • CKM_AES_CTR

  • CKM_AES_CBC

  • CKM_AES_CBC_PAD

  • CKM_SP800_108_COUNTER_KDF

  • CKM_GENERIC_SECRET_KEY_GEN

  • CKM_SHA_1_HMAC

  • CKM_SHA224_HMAC

  • CKM_SHA256_HMAC

  • CKM_SHA384_HMAC

  • CKM_SHA512_HMAC

  • CKM_RSA_PKCS_OAEP Wrap/Unwrap only

  • CKM_RSA_AES_KEY_WRAP

  • CKM_CLOUDHSM_AES_KEY_WRAP_NO_PAD

  • CKM_CLOUDHSM_AES_KEY_WRAP_PKCS5_PAD

  • CKM_CLOUDHSM_AES_KEY_WRAP_ZERO_PAD

API Operations

  • C_CreateObject

  • C_DeriveKey

  • C_WrapKey

  • C_UnwrapKey

OpenSSL Dynamic Engine

  • Improved stability and bug fixes.

Amazon Linux

Download the version 5.0.1 software for Amazon Linux:

Amazon Linux 2

Download the version 5.0.1 software for Amazon Linux 2:

CentOS 7.8+

Download the version 5.0.1 software for CentOS 7.8+:

CentOS 8.3+

Download the version 5.0.1 software for CentOS 8.3+:

RHEL 7.8+

Download the version 5.0.1 software for RedHat Enterprise Linux 7.8+:

RHEL 8.3+

Download the version 5.0.1 software for RedHat Enterprise Linux 8.3+:

Ubuntu 18.04 LTS

Download the version 5.0.1 software for Ubuntu 18.04 LTS:

Windows Server 2016

Download the latest version 5.0.1 software for Windows Server 2016:

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

Windows Server 2019

Download the latest version 5.0.1 software for Windows Server 2019:

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

Version 5.0.1 adds initial support for OpenSSL Dynamic Engine.

PKCS #11 Library

  • Improved stability and bug fixes.

OpenSSL Dynamic Engine

  • Initial release of OpenSSL Dynamic Engine.

  • This release offers introductory support for key types and OpenSSL APIs:

    • RSA key generation for 2048, 3072, and 4096-bit keys

    • OpenSSL APIs:

    For more information, see OpenSSL Dynamic Engine.

  • Platforms supported: CentOS 8.3+, Red Hat Enterprise Linux (RHEL) 8.3+, and Ubuntu 18.04 LTS

    • Requires: OpenSSL 1.1.1

    For more information, see Supported Platforms.

  • Support for SSL/TLS Offload on CentOS 8.3+, Red Hat Enterprise Linux (RHEL) 8.3, and Ubuntu 18.04 LTS, including NGINX 1.19 (for select cipher suites).

    For more information, see Using SSL/TLS Offload on Linux.

Amazon Linux

Download the version 5.0.0 software for Amazon Linux:

Amazon Linux 2

Download the version 5.0.0 software for Amazon Linux 2:

CentOS 7.8+

Download the version 5.0.0 software for CentOS 7.8+:

CentOS 8.3+

Download the version 5.0.0 software for CentOS 8.2:

RHEL 7.8+

Download the version 5.0.0 software for RedHat Enterprise Linux 7.8+:

RHEL 8.3+

Download the version 5.0.0 software for RedHat Enterprise Linux 8.2:

Ubuntu 18.04 LTS

Download the version 5.0.0 software for Ubuntu 18.04 LTS:

Windows Server 2016

Download the latest version 5.0.0 software for Windows Server 2016:

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

Windows Server 2019

Download the latest version 5.0.0 software for Windows Server 2019:

For information about Windows Server platform support for Client SDK 5, see Supported Platforms.

Version 5.0.0 is the first release.

PKCS #11 Library

  • This is the initial release.

Introductory PKCS #11 Library Support in Client SDK Version 5.0.0

This section details support for key types, mechanisms, API operations, and attributes in Client SDK version 5.0.0.

Key Types:

  • AES – 128, 192, and 256-bit AES keys

  • RSA – 2048-bit to 4096-bit RSA keys, in increments of 256 bits

Mechanisms:

  • CKM_AES_GCM

  • CKM_AES_KEY_GEN

  • CKM_CLOUDHSM_AES_GCM

  • CKM_RSA_PKCS

  • CKM_RSA_X9_31_KEY_PAIR_GEN

  • CKM_SHA1

  • CKM_SHA1_RSA_PKCS

  • CKM_SHA224

  • CKM_SHA224_RSA_PKCS

  • CKM_SHA256

  • CKM_SHA256_RSA_PKCS

  • CKM_SHA384

  • CKM_SHA384_RSA_PKCS

  • CKM_SHA512

  • CKM_SHA512_RSA_PKCS

API Operations:

  • C_CloseAllSessions

  • C_CloseSession

  • C_Decrypt

  • C_DecryptFinal

  • C_DecryptInit

  • C_DecryptUpdate

  • C_DestroyObject

  • C_Digest

  • C_DigestFinal

  • C_DigestInit

  • C_DigestUpdate

  • C_Encrypt

  • C_EncryptFinal

  • C_EncryptInit

  • C_EncryptUpdate

  • C_Finalize

  • C_FindObjects

  • C_FindObjectsFinal

  • C_FindObjectsInit

  • C_GenerateKey

  • C_GenerateKeyPair

  • C_GenerateRandom

  • C_GetAttributeValue

  • C_GetFunctionList

  • C_GetInfo

  • C_GetMechanismInfo

  • C_GetMechanismList

  • C_GetSessionInfo

  • C_GetSlotInfo

  • C_GetSlotList

  • C_GetTokenInfo

  • C_Initialize

  • C_Login

  • C_Logout

  • C_OpenSession

  • C_Sign

  • C_SignFinal

  • C_SignInit

  • C_SignUpdate

  • C_Verify

  • C_VerifyFinal

  • C_VerifyInit

  • C_VerifyUpdate

Attributes:

  • GenerateKeyPair

    • All RSA Key attributes

  • GenerateKey

    • All AES Key attributes

  • GetAttributeValue

    • All RSA Key attributes

    • All AES Key attributes

Samples:

Previous Client SDK 3 Releases

This section lists previous Client SDK 3 releases. For the current Client SDK 3 release, see Latest Releases.

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 3.3.2 software for Amazon Linux:

  • AWS CloudHSM Client (SHA256 checksum 1f73c4e86fff4c8a3b465f6d21bd81c7c767267476f24c29e45ebab7f470f9a8)

  • PKCS #11 Library (SHA256 checksum d9a4333bddbc7807a34806ff46a63802bc9f4a021358230f1c8292357cd8f43a)

  • OpenSSL Dynamic Engine (SHA256 checksum 16153d539667b16905bd0ec0de3d023ce8af6bddf4eb03eba8f945152322e2e6)

  • JCE Provider (SHA256 checksum 568324f6484049156026e903b886195c1f2e46efa338bb5d5a0a5501a77148aa)

  • CloudHSM Management Utility (SHA256 checksum df9c833de5c828b0de11b3ef93ec41988a7c17bc3950d772c7dc9674876d745f)

Amazon Linux 2

Download the version 3.3.2 software for Amazon Linux 2:

  • AWS CloudHSM Client (SHA256 checksum 2cd5e0b022fe9091e027f019be1ea81923392ca6d065bfcca6532aa5b9492a99)

  • PKCS #11 Library (SHA256 checksum ae062f4675f7547639a8696d39cec1afc09db0b9fa6ded6e335b2a81025ab993)

  • OpenSSL Dynamic Engine (SHA256 checksum a0876a42f802c0fbc67e5301045c435a4a9494ed84110b87c8fc3524e9afc29a)

  • JCE Provider (SHA256 checksum 640c7e3e43ca27178c003ca153a90814f7c78ada3e86a4aa4ce663bb784c4b8d)

  • CloudHSM Management Utility (SHA256 checksum cf76cf044b01d9168a408d78aedae79295626bc4b6eb040d82663c5d8d814f6e)

CentOS 6

AWS CloudHSM does not support CentOS 6 with Client SDK Version 3.3.2.

Use Version 3.2.1 for CentOS 6 or choose a supported platform.

CentOS 7

Download the version 3.3.2 software for CentOS 7:

  • AWS CloudHSM Client (SHA256 checksum 2cd5e0b022fe9091e027f019be1ea81923392ca6d065bfcca6532aa5b9492a99)

  • PKCS #11 Library (SHA256 checksum ae062f4675f7547639a8696d39cec1afc09db0b9fa6ded6e335b2a81025ab993)

  • OpenSSL Dynamic Engine (SHA256 checksum a0876a42f802c0fbc67e5301045c435a4a9494ed84110b87c8fc3524e9afc29a)

  • JCE Provider (SHA256 checksum 640c7e3e43ca27178c003ca153a90814f7c78ada3e86a4aa4ce663bb784c4b8d)

  • CloudHSM Management Utility (SHA256 checksum cf76cf044b01d9168a408d78aedae79295626bc4b6eb040d82663c5d8d814f6e)

CentOS 8

Download the version 3.3.2 software for CentOS 8:

  • AWS CloudHSM Client (SHA256 checksum 696bb3d67b3aca379106a409a8de814174df5b8308a2d4500bee5cfc89f40070)

  • PKCS #11 Library (SHA256 checksum c58992e14d75c0cc7ae9f57746b40be5a4dbc1f2769e9d387eae39107b560749)

  • JCE Provider (SHA256 checksum 95e519d2bf656446141cd227e50447b67d485008e8b38151ea31f2a9ca855b49)

  • CloudHSM Management Utility (SHA256 checksum e1ab86404d162e1169bb80364510119ce2c072fe30fbeb0a06bd2497f980f840)

RHEL 6

AWS CloudHSM does not support RedHat Enterprise Linux 6 with Client SDK Version 3.3.2.

Use Version 3.2.1 for RedHat Enterprise Linux 6 or choose a supported platform.

RHEL 7

Download the version 3.3.2 software for RedHat Enterprise Linux 7:

  • AWS CloudHSM Client (SHA256 checksum 2cd5e0b022fe9091e027f019be1ea81923392ca6d065bfcca6532aa5b9492a99)

  • PKCS #11 Library (SHA256 checksum ae062f4675f7547639a8696d39cec1afc09db0b9fa6ded6e335b2a81025ab993)

  • OpenSSL Dynamic Engine (SHA256 checksum a0876a42f802c0fbc67e5301045c435a4a9494ed84110b87c8fc3524e9afc29a)

  • JCE Provider (SHA256 checksum 640c7e3e43ca27178c003ca153a90814f7c78ada3e86a4aa4ce663bb784c4b8d)

  • CloudHSM Management Utility (SHA256 checksum cf76cf044b01d9168a408d78aedae79295626bc4b6eb040d82663c5d8d814f6e)

RHEL 8

Download the version 3.3.2 software for RedHat Enterprise Linux 8:

  • AWS CloudHSM Client (SHA256 checksum 696bb3d67b3aca379106a409a8de814174df5b8308a2d4500bee5cfc89f40070)

  • PKCS #11 Library (SHA256 checksum c58992e14d75c0cc7ae9f57746b40be5a4dbc1f2769e9d387eae39107b560749)

  • JCE Provider (SHA256 checksum 95e519d2bf656446141cd227e50447b67d485008e8b38151ea31f2a9ca855b49)

  • CloudHSM Management Utility (SHA256 checksum e1ab86404d162e1169bb80364510119ce2c072fe30fbeb0a06bd2497f980f840)

Ubuntu 16.04 LTS

Download the version 3.3.2 software for Ubuntu 16.04 LTS:

  • AWS CloudHSM Client (SHA256 checksum 5797aa27b9ebe0aa52189b0a48a933a7a8ab404e651cbc43ec8dfe73fb03b66c)

  • PKCS #11 Library (SHA256 checksum 155cfb9f5e95ee03bcce298bd43ca3f5a883ae4ed69192d83ef34df2c6a117c7)

  • OpenSSL Dynamic Engine (SHA256 checksum b313ad3fc31fe6031707916567ee30d461a14511328db0b37c00ff0affa42608)

  • JCE Provider (SHA256 checksum 0c0307054bfbff8c15830c5d431f9a21f96409a7969fda1b12379ce5444c56c1)

  • CloudHSM Management Utility (SHA256 checksum e34e317cf3fe11a9b70fbfabc35824f06800f3e2386d8ea02c977564eb3308a4)

Note

Due to the impending EOL of Ubuntu 16.04, we intend to drop support for this platform with the next release.

Ubuntu 18.04 LTS

Download the version 3.3.2 software for Ubuntu 18.04 LTS:

  • AWS CloudHSM Client (SHA256 checksum ccce515a4375e81b1493d641d523eac4599ad813d4fccc062bb872f16d57b094)

  • PKCS #11 Library (SHA256 checksum 25b54341d7efe594f13c7c7accdcbac177241a610e82955bde24b82531236a52)

  • JCE Provider (SHA256 checksum 31cf9953ce86243b73863e1c5b0db21d9dcc4f26fa1c4741a9f0cc9489f389a2)

  • CloudHSM Management Utility (SHA256 checksum 1b6ff0c96cfd7209c16ae69debb669f881a7a920f37226801456f6ec328c612d)

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.3.2 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows). Download the latest version (3.3.2) software for Windows Server:

Version 3.3.2 resolves an issue with the client_info script.

AWS CloudHSM Client Software

  • Updated the version for consistency.

PKCS #11 Library

  • Updated the version for consistency.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Updated the version for consistency.

Windows (CNG and KSP providers)

  • Updated the version for consistency.

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 3.3.1 software for Amazon Linux:

Amazon Linux 2

Download the version 3.3.1 software for Amazon Linux 2:

CentOS 6

AWS CloudHSM does not support CentOS 6 with Client SDK Version 3.3.1.

Use Version 3.2.1 for CentOS 6 or choose a supported platform.

CentOS 7

Download the version 3.3.1 software for CentOS 7:

CentOS 8

Download the version 3.3.1 software for CentOS 8:

RHEL 6

AWS CloudHSM does not support RedHat Enterprise Linux 6 with Client SDK Version 3.3.1.

Use Version 3.2.1 for RedHat Enterprise Linux 6 or choose a supported platform.

RHEL 7

Download the version 3.3.1 software for RedHat Enterprise Linux 7:

RHEL 8

Download the version 3.3.1 software for RedHat Enterprise Linux 8:

Ubuntu 16.04 LTS

Download the version 3.3.1 software for Ubuntu 16.04 LTS:

Note

Due to the impending EOL of Ubuntu 16.04, we intend to drop support for this platform with the next release.

Ubuntu 18.04 LTS

Download the version 3.3.1 software for Ubuntu 18.04 LTS:

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.3.1 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows). Download the latest version (3.3.1) software for Windows Server:

Version 3.3.1 adds updates to all components.

AWS CloudHSM Client Software

  • Improved stability and bug fixes.

PKCS #11 Library

  • Improved stability and bug fixes.

OpenSSL Dynamic Engine

  • Improved stability and bug fixes.

JCE Provider

  • Improved stability and bug fixes.

Windows (CNG and KSP providers)

  • Improved stability and bug fixes.

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 3.3.0 software for Amazon Linux:

Amazon Linux 2

Download the version 3.3.0 software for Amazon Linux 2:

CentOS 6

AWS CloudHSM does not support CentOS 6 with Client SDK Version 3.3.0.

Use Version 3.2.1 for CentOS 6 or choose a supported platform.

CentOS 7

Download the version 3.3.0 software for CentOS 7:

CentOS 8

Download the version 3.3.0 software for CentOS 8:

RHEL 6

AWS CloudHSM does not support RedHat Enterprise Linux 6 with Client SDK Version 3.3.0.

Use Version 3.2.1 for RedHat Enterprise Linux 6 or choose a supported platform.

RHEL 7

Download the version 3.3.0 software for RedHat Enterprise Linux 7:

RHEL 8

Download the version 3.3.0 software for RedHat Enterprise Linux 8:

Ubuntu 16.04 LTS

Download the version 3.3.0 software for Ubuntu 16.04 LTS:

Ubuntu 18.04 LTS

Download the version 3.3.0 software for Ubuntu 18.04 LTS:

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.3.0 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows). Download the latest version (3.2.1) software for Windows Server:

Version 3.3.0 adds two-factor authentication (2FA) and other improvements.

AWS CloudHSM Client Software

  • Added 2FA authentication for crypto officers (CO). For more information, see Managing Two-Factor Authentication for Crypto Officers.

  • Removed platform support for RedHat Enterprise Linux 6 and CentOS 6. For more information, see Linux Support.

  • Added a standalone version of CMU for use with Client SDK 5 or Client SDK 3. This is the same version of CMU included with the client daemon of version 3.3.0, and now you can download CMU without downloading the client daemon. For more information, see Download and Install CMU.

PKCS #11 Library

  • Improved stability and bug fixes.

  • Removed platform support for RedHat Enterprise Linux 6 and CentOS 6. For more information, see Linux Support.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

  • Removed platform support for RedHat Enterprise Linux 6 and CentOS 6. For more information, see Linux Support.

JCE Provider

  • Improved stability and bug fixes.

  • Removed platform support for RedHat Enterprise Linux 6 and CentOS 6. For more information, see Linux Support.

Windows (CNG and KSP providers)

  • Updated the version for consistency.

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 3.2.1 software for Amazon Linux:

Amazon Linux 2

Download the version 3.2.1 software for Amazon Linux 2:

CentOS 6

Download the version 3.2.1 software for CentOS 6:

CentOS 7

Download the version 3.2.1 software for CentOS 7:

CentOS 8

Download the version 3.2.1 software for CentOS 8:

RHEL 6

Download the version 3.2.1 software for RedHat Enterprise Linux 6:

RHEL 7

Download the version 3.2.1 software for RedHat Enterprise Linux 7:

RHEL 8

Download the version 3.2.1 software for RedHat Enterprise Linux 8:

Ubuntu 16.04 LTS

Download the version 3.2.1 software for Ubuntu 16.04 LTS:

Ubuntu 18.04 LTS

Download the version 3.2.1 software for Ubuntu 18.04 LTS:

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.2.1 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows). Download the latest version (3.2.1) software for Windows Server:

Version 3.2.1 adds a compliance analysis between the AWS CloudHSM implementation of the PKCS #11 library and the PKCS #11 standard, new platforms, and other improvements.

AWS CloudHSM Client Software

  • Add platform support for CentOS 8, RHEL 8, and Ubuntu 18.04 LTS. For more information, see Supported Platforms.

PKCS #11 Library

OpenSSL Dynamic Engine

JCE Provider

  • Add platform support for CentOS 8, RHEL 8, and Ubuntu 18.04 LTS. For more information, see Supported Platforms.

Windows (CNG and KSP providers)

  • Improved stability and bug fixes.

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 3.2.0 software for Amazon Linux:

Amazon Linux 2

Download the version 3.2.0 software for Amazon Linux 2:

CentOS 6

Download the version 3.2.0 software for CentOS 6:

CentOS 7

Download the version 3.2.0 software for CentOS 7:

RHEL 6

Download the version 3.2.0 software for RedHat Enterprise Linux 6:

RHEL 7

Download the version 3.2.0 software for RedHat Enterprise Linux 7:

Ubuntu 16.04 LTS

Download the version 3.2.0 software for Ubuntu 16.04 LTS:

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.2.0 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows). Download the latest version (3.2.0) software for Windows Server:

Version 3.2.0 adds support for masking passwords and other improvements.

AWS CloudHSM Client Software

PKCS #11 Library

  • Adds support for hashing large data in software for some PKCS #11 mechanisms that were previously unsupported. For more information, see Supported Mechanisms.

OpenSSL Dynamic Engine

  • Improved stability and bug fixes.

JCE Provider

  • Updated the version for consistency.

Windows (CNG and KSP providers)

  • Improved stability and bug fixes.

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 3.1.2 software for Amazon Linux:

Amazon Linux 2

Download the version 3.1.2 software for Amazon Linux 2:

CentOS 6

Download the version 3.1.2 software for CentOS 6:

CentOS 7

Download the version 3.1.2 software for CentOS 7:

RHEL 6

Download the version 3.1.2 software for RedHat Enterprise Linux 6:

RHEL 7

Download the version 3.1.2 software for RedHat Enterprise Linux 7:

Ubuntu 16.04 LTS

Download the version 3.1.2 software for Ubuntu 16.04 LTS:

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.1.2 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows). Download the latest version (3.1.2) software for Windows Server:

Version 3.1.2 adds updates to JCE Provider.

AWS CloudHSM Client Software

  • Updated the version for consistency

PKCS #11 Library

  • Updated the version for consistency

OpenSSL Dynamic Engine

  • Updated the version for consistency

JCE Provider

  • Update log4j to version 2.13.3

Windows (CNG and KSP providers)

  • Updated the version for consistency

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 3.1.1 software for Amazon Linux:

Amazon Linux 2

Download the version 3.1.1 software for Amazon Linux 2:

CentOS 6

Download the version 3.1.1 software for CentOS 6:

CentOS 7

Download the version 3.1.1 software for CentOS 7:

RHEL 6

Download the version 3.1.1 software for RedHat Enterprise Linux 6:

RHEL 7

Download the version 3.1.1 software for RedHat Enterprise Linux 7:

Ubuntu 16.04 LTS

Download the version 3.1.1 software for Ubuntu 16.04 LTS:

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.1.1 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows). Download the latest version (3.1.1) software for Windows Server:

AWS CloudHSM Client Software

  • Updated the version for consistency.

PKCS #11 Library

  • Updated the version for consistency.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Bug fixes and performance improvements.

Windows (CNG, KSP)

  • Updated the version for consistency.

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 3.1.0 software for Amazon Linux:

Amazon Linux 2

Download the version 3.1.0 software for Amazon Linux 2:

CentOS 6

Download the version 3.1.0 software for CentOS 6:

CentOS 7

Download the version 3.1.0 software for CentOS 7:

RHEL 6

Download the version 3.1.0 software for RedHat Enterprise Linux 6:

RHEL 7

Download the version 3.1.0 software for RedHat Enterprise Linux 7:

Ubuntu 16.04 LTS

Download the version 3.1.0 software for Ubuntu 16.04 LTS:

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.1.0 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows). Download the latest version (3.1.0) software for Windows Server:

Version 3.1.0 adds standards-compliant AES key wrapping.

AWS CloudHSM Client Software

  • A new requirement for upgrade: the version of your client must match the version of any software libraries you are using. To upgrade, you must use a batch command that upgrades the client and all the libraries at the same time. For more information, see Client SDK 3 Upgrade.

  • Key_mgmt_util (KMU) includes the following updates:

    • Added two new AES key wrap methods – standards-compliant AES key wrap with zero padding and AES key wrap with no padding. For more information, see wrapKey and unwrapKey.

    • Disabled ability to specify custom IV when wrapping a key using AES_KEY_WRAP_PAD_PKCS5. For more information, see AES Key Wrapping.

PKCS #11 Library

  • Added two new AES key wrap methods - standards-compliant AES key wrap with zero padding and AES key wrap with no padding. For more information, see AES Key Wrapping.

  • You can configure salt length for RSA-PSS signatures. To learn how to use this feature, see Configurable salt length for RSA-PSS signatures on GitHub.

OpenSSL Dynamic Engine

  • BREAKING CHANGE: TLS 1.0 and 1.2 cipher suites with SHA1 are not available in OpenSSL Engine 3.1.0. This issue will be resolved shortly.

  • If you intend to install the OpenSSL Dynamic Engine library on RHEL 6 or CentOS 6, see a known issue about the default OpenSSL version installed on those operating systems.

  • Improved stability and bug fixes

JCE Provider

  • BREAKING CHANGE: To address an issue with Java Cryptography Extension (JCE) compliance, AES wrap and unwrap now properly use the AESWrap algorithm instead of the AES algorithm. This means Cipher.WRAP_MODE and Cipher.UNWRAP_MODE no longer succeed for AES/ECB and AES/CBC mechanisms.

    To upgrade to client version 3.1.0, you must update your code. If you have existing wrapped keys, you must pay particular attention to the mechanism you use to unwrap and how IV defaults have changed. If you wrapped keys with client version 3.0.0 or earlier, then in 3.1.1 you must use AESWrap/ECB/PKCS5Padding to unwrap your existing keys. For more information, see AES Key Wrapping.

  • You can list multiple keys with the same label from the JCE Provider. To learn how to iterate through all available keys, see Find all keys on GitHub.

  • You can set more restrictive values for attributes during key creation, including specifying different labels for public and private keys. For more information, see Supported Java Attributes.

Windows (CNG, KSP)

  • Improved stability and bug fixes.

Deprecated Releases

AWS CloudHSM deprecates releases from time to time. We do not recommend using deprecated releases in production workloads. We do not provide backwards compatible updates for deprecated releases, nor do we host deprecated releases for download. If you experience production impact while using deprecated releases, you must upgrade to obtain software fixes.

Version 3.0.1 is a strongly recommended upgrade. It provides a critical bug fix for PKCS #11 users.

AWS CloudHSM Client Software

  • Updated the version for consistency.

PKCS #11 Library

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Updated the version for consistency.

Windows (CNG, KSP)

  • Updated the version for consistency.

Version 3.0 provides important improvements to operational stability and performance. This is a recommended update due to various bug fixes.

AWS CloudHSM Client Software

  • Key_mgmt_util includes the following updates:

    • Removed the default mechanism from wrapKey and unwrapKey. You must explicitly provide a mechanism when using these functions.

    • Added support for key wrap and unwrap using AES-GCM. To use this wrapping mechanism, specify -m 10 with wrapKey and unwrapKey. For more information, see wrapKey or unwrapKey.

    • Changed the name for AES key wrapping using mechanism 4 from CLOUDHSM_AES_KEY_WRAP to AES_KEY_WRAP_PAD_PKCS5, to reflect that AWS CloudHSM utilizes PKCS5 padding while wrapping keys. For more information, see the list of Known Issues.

    • Improved findKey to return keys owned and shared by the CU that is logged in. For more information, see the findKey article.

  • Cloudhsm_mgmt_util includes the following updates:

    • COs can set the OBJ_ATTR_TRUSTED attribute (value 134) on any key in the HSM by using setAttribute to mark the key as trusted.

      Note

      OBJ_ATTR_TRUSTED is the only attribute that can be set by a CO. For more information, see the setAttribute command.

    • findAllKeys displays keys owned by a CU and shared with that CU. Learn more at findAllKeys.

PKCS #11 Library

  • PKCS #11 no longer requires Redis for high performance. Redis is no longer included in the installation packages. If you used Redis in previous installations, update your start-up and installation scripts to remove Redis commands.

  • Added support for encryption and decryption using D3DES ECB and AES_CTR. The full list of supported functions and mechanisms in PKCS#11 is available in the Supported PKCS #11 Mechanisms article.

    Code samples for des_ecb.c and aes_ctr.c are available on GitHub.

  • Added support for key derivation using HMAC KDF (SP 800-108) which enables you to use the CKM_SP800_108_COUNTER_KDF mechanism with the C_DeriveKey function. For additional information see the code sample hmac-kdf.c.

  • Added support for key wrap and unwrap using AES-GCM, through the CKM_CLOUDHSM_AES_GCM mechanism. For more information, see the aes_gcm_wrapping sample on GitHub.

  • Added support for the following attributes: CKA_NEVER_EXTRACTABLE, CKA_DERIVE, CKA_ALWAYS_SENSITIVE, CKA_WRAP_WITH_TRUSTED, CKA_TRUSTED, CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, CKA_DESTROYABLE.

    The full list of supported attributes is in the Supported PKCS #11 Attributes article. To learn about using trusted keys for controlled wrapping and unwrapping, see the article on Using Trusted Keys to Control Key Unwraps. To see the available samples that work with the newly supported attributes, go to the AWS CloudHSM examples on GitHub.

  • Added the mechanism, CKM_CLOUDHSM_AES_GCM, which is a memory-safe AES-GCM implementation. This proprietary mechanism is a safer alternative to the standard CKM_AES_GCM. CKM_CLOUDHSM_AES_GCM prepends the IV generated by the HSM to the ciphertext instead of writing it back into the CK_GCM_PARAMS structure provided during cipher initialization. You can use CKM_CLOUDHSM_AES_GCM with the C_Encrypt or C_WrapKey functions. When using this mechanism, the pIV variable in the CK_GCM_PARAMS struct must be set to NULL. See the CKM_CLOUDHSM_AES_GCM entry in the table in the Supported PKCS #11 Mechanisms article.
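
Because CKM_CLOUDHSM_AES_GCM returns the HSM-generated IV in front of the ciphertext, the caller has to split the returned buffer before storing or decrypting it. The following C sketch is an added example, not AWS sample code: the type and function names are hypothetical, the 12-byte IV length is taken from the AES-GCM note elsewhere on this page, and it assumes the authentication tag occupies the trailing ulTagBits / 8 bytes, as in standard PKCS #11 GCM output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The page states that the AES-GCM IV is always 12 bytes long. */
#define GCM_IV_LEN 12u

/* Hypothetical helper types for this example; not from any PKCS #11 header. */
typedef enum {
    GCM_SPLIT_OK = 0,
    GCM_SPLIT_BAD_ARG,      /* NULL blob or NULL output */
    GCM_SPLIT_BAD_TAG_BITS, /* tag length outside this example's policy */
    GCM_SPLIT_TOO_SHORT     /* blob cannot hold IV plus tag */
} gcm_split_status;

typedef struct {
    const uint8_t *iv;         /* first GCM_IV_LEN bytes, generated by the HSM */
    const uint8_t *ciphertext; /* may be zero-length (empty plaintext) */
    size_t         ciphertext_len;
    const uint8_t *tag;        /* assumed: the trailing tag_len bytes */
    size_t         tag_len;
} gcm_blob_view;

/*
 * Split blob = IV || ciphertext || tag without copying.
 * tag_bits is the value the caller passed as ulTagBits at initialization.
 * Policy of this example: accept only 96..128-bit tags in whole bytes.
 * On any error the output view is left zeroed, so stale pointers are
 * never handed back to the caller.
 */
gcm_split_status split_cloudhsm_gcm_blob(const uint8_t *blob, size_t blob_len,
                                         unsigned long tag_bits,
                                         gcm_blob_view *out)
{
    if (blob == NULL || out == NULL)
        return GCM_SPLIT_BAD_ARG;
    memset(out, 0, sizeof *out);

    if (tag_bits < 96 || tag_bits > 128 || tag_bits % 8 != 0)
        return GCM_SPLIT_BAD_TAG_BITS;
    size_t tag_len = (size_t)(tag_bits / 8);

    /* Check the length before any pointer arithmetic; no underflow below. */
    if (blob_len < GCM_IV_LEN + tag_len)
        return GCM_SPLIT_TOO_SHORT;

    out->iv = blob;
    out->ciphertext = blob + GCM_IV_LEN;
    out->ciphertext_len = blob_len - GCM_IV_LEN - tag_len;
    out->tag = blob + blob_len - tag_len;
    out->tag_len = tag_len;
    return GCM_SPLIT_OK;
}

int main(void)
{
    /* Constructed sample: 12-byte IV, 5-byte ciphertext, 16-byte tag. */
    uint8_t blob[GCM_IV_LEN + 5 + 16];
    memset(blob, 0x11, GCM_IV_LEN);
    memset(blob + GCM_IV_LEN, 0x22, 5);
    memset(blob + GCM_IV_LEN + 5, 0x33, 16);

    gcm_blob_view v;
    gcm_split_status st = split_cloudhsm_gcm_blob(blob, sizeof blob, 128, &v);
    printf("status=%d ciphertext_len=%zu tag_len=%zu\n",
           (int)st, v.ciphertext_len, v.tag_len);
    return st == GCM_SPLIT_OK ? 0 : 1;
}
```

Store the IV together with the ciphertext it came from; a blob that fails the length check should be treated as corrupt rather than padded or truncated to fit.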

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

Windows (CNG, KSP)

  • Updated the version for consistency.

  • Added import_key.exe to associate pre-existing CloudHSM keys with corresponding certificates.

Version 2.0.4 provides important improvements to operational stability and performance. This is a recommended update due to various bug fixes.

AWS CloudHSM Client Software

  • Improved stability and bug fixes.

PKCS #11 Library

  • Updated the version for consistency.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Improved stability and bug fixes.

Windows (CNG, KSP)

Version 2.0.3 provides important improvements to operational stability and performance. This is a recommended update due to various bug fixes.

AWS CloudHSM Client Software

  • Improved stability and bug fixes.

PKCS #11 Library

  • Improved stability and bug fixes.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Improved stability and bug fixes.

Windows (CNG, KSP)

  • Improved stability and bug fixes.

Version 2.0.1 is a strongly recommended upgrade, as it provides various security improvements and bug fixes. Significant changes in this version are as follows:

AWS CloudHSM Client Software

  • Security improvements and bug fixes.

PKCS #11 Library

  • Security improvements and bug fixes.

OpenSSL Dynamic Engine

  • Security improvements and bug fixes.

JCE Provider

  • Security improvements and bug fixes.

Windows (CNG, KSP)

  • Security improvements and bug fixes.

Version 2.0.0 provides important improvements to operational stability and performance. It also enables secure key exchange between HSMs. Significant changes in this version are as follows:

AWS CloudHSM Client Software

  • Performance improvements and bug fixes

PKCS #11 Library

  • Added RSA OAEP and RSA AES key wrapping mechanisms.

  • Added AES-ECB encryption support.

  • Added secp256k1 curve support.

For more information about updated key wrapping mechanisms, see AWS CloudHSM Software Library for PKCS #11.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Improved performance for AES-GCM encrypt and decrypt.

  • Added RSA OAEP and RSA AES key wrapping mechanisms. Note that you cannot specify key attributes when unwrapping with the JCE Provider. For more information, see Known Issues for the JCE SDK.

  • Added AES-ECB encryption support.

  • Added secp256k1 curve support.

For more information about updated key wrapping mechanisms, see AWS CloudHSM Software Library for Java.

Windows (CNG, KSP)

  • Updated the version for consistency.

Version 1.1.2 is a strongly recommended upgrade, as it contains a change that runs the AWS CloudHSM client software for Windows as a service, as well as performance improvements and bug fixes. Significant changes in this version are as follows:

AWS CloudHSM Client Software

  • The AWS CloudHSM client software for Windows now runs as a Windows service.

PKCS #11 Library

  • DER-formatted EC public keys are now correctly imported.

    Note

    At this time, AWS CloudHSM continues to support the ability to import EC keys in raw format. Support for this format may be deprecated at a future time, as it is not compliant with PKCS#11 specifications.

  • Improved performance and bug fixes.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Updated the version for consistency.

Windows (CNG, KSP)

Significant changes in this version include:

AWS CloudHSM Client Software

  • Improved stability and bug fixes.

  • In cloud_hsm_mgmt_util, enable_e2e is now set by default.

  • SECURITY FIX: In key_mgmt_util, resolved issue with incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.

PKCS #11 Library

  • Improved stability and bug fixes.

  • SECURITY FIX: Resolved issue with incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.

  • BREAKING CHANGE: To protect against user error, AES-GCM initialization now requires the user-supplied IV buffer to be zeroized. NIST requires the IV for AES-GCM to be generated by the HSM and noted by the application after encryption is complete, as described here. The IV is always 12 bytes long.

  • Added support for CKM_RSA_PKCS_KEY_PAIR_GEN mechanism.

  • Added software hashing of buffers larger than 16KB for digest, sign and verify operations. Hashes of buffers less than 16KB continue to be offloaded to the HSM as before.

  • BREAKING CHANGE: Strengthened PKCS#11 compliance, including explicit failure when handling unsupported or inconsistent attributes. If your application was not strictly PKCS#11 compliant before, you may experience errors or failures after updating to this version. Specifically:

    • If an application is already logged in, logging in will now return the error CKR_USER_ALREADY_LOGGED_IN.

    • CKA_KEY_GEN_MECHANISM will cause an error if included in a C_CreateObject call.

    • CKA_ALWAYS_SENSITIVE, CKA_LOCAL and CKA_NEVER_EXTRACTABLE will cause errors if included in a key generation or import template.

    • CKA_VALUE_LEN is now validated.

    • By default, new keys are scoped as session keys rather than token keys, to comply with PKCS#11.

OpenSSL Dynamic Engine

  • Improved stability and bug fixes.

  • SECURITY FIX: Resolved issue with incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.

JCE Provider

  • Improved stability and bug fixes.

  • Added software hashing of buffers larger than 16KB for digest, sign and verify operations. Hashes of buffers less than 16KB continue to be offloaded to the HSM as before.

  • For non-exportable keys, getFormat and getEncoded now return NULL without throwing an exception.

Windows (CNG, KSP)

  • SECURITY FIX: Resolved issue with incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Added new Linux platforms.

    • Amazon Linux 2

    • Ubuntu 16.04 LTS

    • RedHat Enterprise Linux 6 (RHEL 6)

    • RedHat Enterprise Linux 7 (RHEL 7)

    • CentOS 6

    • CentOS 7

CNG/KSP Providers for Windows Server

The AWS CloudHSM client software for Windows Server includes the required CNG and KSP providers.

  • Updated the version for consistency.

PKCS #11 Library

  • Added support for Linux platforms.

OpenSSL Dynamic Engine

  • Added support for Linux platforms.

JCE Provider

  • If you downloaded this package prior to May 23, 5PM PDT, you will need to recompile your application for it to work with this version of the JCE, as the loadNative() method had temporarily changed from non-static to static. Alternatively, you can download the package again, and install the JCE. We have now restored the loadNative() method to static.

  • Eliminated the breaking change in version 1.0.18. The LoginManager.getInstance() public method accepts username and password arguments.

  • Added support for Linux platforms.

Significant changes in this version include the following:

AWS CloudHSM Client Software

Added an AWS CloudHSM client for Windows Server. The following Windows Server operating systems are currently supported:

  • Microsoft Windows Server 2012 (64-bit)

  • Microsoft Windows Server 2012 R2 (64-bit)

  • Microsoft Windows Server 2016 (64-bit)

CNG/KSP Providers for Windows Server

  • Implemented PKCS7Padding for C_DecryptUpdate and C_EncryptUpdate.

  • CKA_ID no longer required for RSA private key generation.

  • Improved multi-threading performance.

  • Fixed various bugs.

PKCS #11 Library

  • Added support for PKCS7Padding.

  • Strengthened checks on key templates.

  • Fixed various bugs.

OpenSSL Dynamic Engine

  • Added support to getCaviumPrivKey for ECC-based keys.

  • Improved stability when client daemon connectivity is lost.

  • Fixed various bugs.

JCE Provider

  • [Breaking Change] The LoginManager.getInstance() public method does not accept username and password arguments directly.

  • Added support for PKCS7Padding.

  • Added wrap and unwrap methods.

  • Improved stability when client daemon connectivity is lost.

  • Fixed various bugs.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Improved failover behavior.

  • Displays version metadata.

  • Fixed various bugs.

PKCS #11 Library

  • Implemented PKCS7Padding for C_DecryptUpdate and C_EncryptUpdate.

  • CKA_ID no longer required for RSA private key generation.

  • Improved multi-threading performance.

  • Fixed various bugs.

OpenSSL Dynamic Engine

  • Added support for CSRs for ECC keys.

  • Improved stability and failure handling.

JCE Provider

No changes. Updated the version number for consistency.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Improved load balancing.

  • Improved performance.

  • Improved handling of lost server connections.

PKCS #11 Library

  • Added support for the CKM_RSA_PKCS_PSS sign/verify mechanism.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Improved the performance of several algorithms.

  • Added Triple DES (3DES) key import feature.

  • Various bug fixes.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Updated the key_mgmt_util command line tool to enable AES wrapped key import.

  • Improved performance.

  • Fixed various bugs.

PKCS #11 Library

  • Updated the version for consistency.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Added support for additional algorithms.

  • Improved performance.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Improved setup experience.

  • Added respawning to the client upstart service.

  • Fixed various bugs.

PKCS #11 Library

  • Fixed bugs to address relative paths in the Redis setup.

OpenSSL Dynamic Engine

  • Improved performance.

JCE Provider

  • Updated the version for consistency.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Added the pkpspeed performance testing tool.

  • Fixed bugs to improve stability and performance.

PKCS #11 Library

  • Added an accelerated version of the library that uses a Redis local cache to improve performance.

  • Fixed bugs related to attribute handling.

  • Added the ability to generate ECDSA keys.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

JCE Provider

  • Added support for additional algorithms.

  • Signed the JAR files for compatibility with the Sun JCE provider.

This is the initial release.

End-of-life Releases

AWS CloudHSM announces end of life for releases no longer compatible with the service. To preserve the safety of your application, we reserve the right to actively refuse connections from end-of-life releases.

  • Currently no versions of the client SDK are end-of-life releases.