AWS CloudHSM
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Windows AWS CloudHSM Prerequisites

Before you can start the Windows AWS CloudHSM client and use the KSP and CNG providers, you must set the login credentials for the HSM on your system. You can set credentials through either Windows Credentials Manager or system environment variable. We recommend you use Windows Credential Manager for storing credentials. This option is available with AWS CloudHSM client version 2.0.4 and later. Using environment variable is easier to set up, but less secure than using Windows Credential Manager.

Windows Credential Manager

You can use either the set_cloudhsm_credentials utility or the Windows Credentials Manager interface.

  • Using the set_cloudhsm_credentials utility:

    The set_cloudhsm_credentials utility is included in your Windows installer. You can use this utility to conveniently pass HSM login credentials to Windows Credential Manager. If you want to compile this utility from source, you can use the Python code that is included in the installer.

    1. Go to the C:\Program Files\Amazon\CloudHSM\tools\ folder.

    2. Run the set_cloudhsm_credentials.exe file with the CU username and password parameters.

      set_cloudhsm_credentials.exe --username <cu-user> --password <cu-pwd>
  • Using the Credential Manager interface:

    You can use the Credential Manager interface to manually manage your credentials.

    1. To open Credential Manager, type credential manager in the search box on the taskbar and select Credential Manager.

    2. Select Windows Credentials to manage Windows credentials.

    3. Select Add a generic credential and fill out the details as follows:

      • In Internet or Network Address, enter the target name as cloudhsm_client.

      • In Username and Password enter the CU credentials.

      • Click OK.

System Environment Variables

You can set system environment variables that identify an HSM and a crypto user (CU) for your Windows application. You can use the setx command to set system environment variables, or set permanent system environment variables programmatically or in the Advanced tab of the Windows System Properties Control Panel.

Warning

When you set credentials through system environment variables, the password is available in plaintext on a user’s system. To overcome this problem, use Windows Credential Manager.

Set the following system environment variables:

n3fips_password=CU-username:CU-password

Identifies a crypto user (CU) in the HSM and provides all required login information. Your application authenticates and runs as this CU. The application has the permissions of this CU and can view and manage only the keys that the CU owns and shares. This CU must be available in the HSM specified by the n3fips_partition environment variable. To create a new CU, use createUser. To find existing CUs, use listUsers.

For example:

setx /m n3fips_password test_user:password123