Quorum authentication process for CloudHSM CLI

The following steps summarize the quorum authentication processes for CloudHSM CLI. For the specific steps and tools, see Key management and usage with quorum authentication enabled for AWS CloudHSM using CloudHSM CLI.

Each hardware security module (HSM) user creates an asymmetric key for signing. Users do this outside of the HSM, taking care to protect the key appropriately.
Each HSM user logs in to the HSM and registers the public part of their signing key (the public key) with the HSM.
When an HSM user wants to do a quorum-controlled operation, the same user logs in to the HSM and gets a quorum token.
The HSM user gives the quorum token to one or more other HSM users and asks for their approval.
The other HSM users approve by using their keys to cryptographically sign the quorum token. This occurs outside the HSM.
When the HSM user has the required number of approvals, the same user logs in to the HSM and runs the quorum-controlled operation with the --approval argument, supplying the signed quorum token file, which contains all necessary approvals (signatures).
The HSM uses the registered public keys of each signer to verify the signatures. If the signatures are valid, the HSM approves the token and the quorum-controlled operation is performed.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Manage quorum authentication (M of N)

Supported services and types