AWS CloudHSM - AWS cryptography services


AWS CloudHSM is a cryptographic service for creating and maintaining hardware security modules (HSMs) in your AWS environment. HSMs are computing devices that process cryptographic operations and provide secure storage for cryptographic keys. You can use AWS CloudHSM to offload SSL/TLS processing for web servers, protect private keys linked to an issuing certificate authority (CA), or enable Transparent Data Encryption (TDE) for Oracle databases.

When you use an HSM from AWS CloudHSM, you can perform a variety of cryptographic tasks:

  • Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs.

  • Use symmetric and asymmetric algorithms to encrypt and decrypt data.

  • Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs).

  • Cryptographically sign data (including code signing) and verify signatures.

  • Generate cryptographically secure random data.

AWS CloudHSM organizes HSMs in clusters, which are automatically synchronized collections of HSMs within a given Availability Zone (AZ). By adding more HSMs to a cluster and distributing clusters across AZs, you can load balance the cryptographic operations being performed within your cloud environment and provide redundancy and high availability in case of AZ failure. Additionally, AWS CloudHSM periodically generates and stores backups of your clusters, making CloudHSM data recovery secure and simple.

The keys that you generate in AWS KMS are protected by FIPS 140-2 validated cryptographic modules. If you want a managed service for creating and controlling encryption keys, but do not want or need to operate your own HSM, consider using AWS Key Management Service.

To learn more about what you can do with AWS CloudHSM, see the AWS CloudHSM User Guide.