Installation
This guide gives an overview of the setup needed to integrate AWS BYOK (Bring Your Own Key) with Securosys HSMs.
Prerequisites
You need:
- An AWS account with the AWS Key Management Service (KMS) enabled.
- A Primus HSM or a CloudHSM.
Step 1: HSM configuration
The HSM needs some configuration. For CloudHSM, this is managed for you by Securosys; check that your subscription includes the required features. For on-premises HSMs, follow the steps below. For more details, see the Primus HSM User Guide.
JCE
Enable the JCE API, both on the device-level and on the partition-level. This requires the HSM to have a JCE licence.
JCE is required because we will use the Primus Tools to create the key. If you use a different tool for creating the key, you may need to enable a different API (for example, PKCS#11).
UI:
SETUP → CONFIGURATION → SECURITY → DEVICE SECURITY → CRYPTO POLICY → JCE (device level)
SETUP → CONFIGURATION → SECURITY → USER SECURITY → JCE (partition level)
Serial:
hsm_sec_set_config jce=true
hsm_sec_enter_user_config
hsm_user_set_config jce=true
Key export and key extract
Enable Key Export and Key Extract on the partition level (Security Officer (SO) activation required).
This is required to later export a wrapped version of the key.
UI:
SETUP → CONFIGURATION → SECURITY → USER SECURITY → KEY EXPORT
SETUP → CONFIGURATION → SECURITY → USER SECURITY → KEY EXTRACT
Serial:
hsm_sec_enter_user_config
hsm_user_set_config key_export=true
hsm_user_set_config key_extract=true
Step 2: Primus Tools
Install the Primus Tools. They are used to create the key in the HSM and to export a wrapped version of it for import into AWS KMS.
What's next
Continue with the tutorial to set up BYOK with AWS KMS.