Bring Your Own Key (BYOK) for AWS
This guide explains how to use Bring Your Own Key (BYOK) with Securosys CloudHSM and on-premises Primus HSM to bring your keys to AWS KMS.
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data across your applications and more than 100 AWS services. Use AWS KMS to encrypt data across your AWS workloads, digitally sign data, encrypt within your applications using AWS Encryption SDK, and generate and verify message authentication codes (MACs). AWS KMS uses hardware security modules (HSM) to protect and validate your AWS KMS keys.
Securosys CloudHSM is a Hardware Security Module (HSM) offered as a cloud service: the time-consuming evaluation, setup, operation, redundancy and maintenance of the HSM infrastructure are handled for you, and capacity scales with your needs. Its redundant cluster architecture, which spans multiple regions and can be extended to a world-wide cluster, integrates cleanly with bringing your own key to AWS Key Management Service.
Architecture
When using BYOK with AWS KMS, you create a key on an external HSM that you control (rather than AWS) and then import this key into AWS KMS. Note that this means AWS KMS receives a copy of the secret key.
Using BYOK with AWS KMS has the following advantages:
- Use an existing key and bring it to AWS (for example, an existing PKI signing key)
- Keep a copy of the key outside of AWS (for example, for disaster recovery)
- Generate the key with a trusted source of entropy
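The import step described above, as an added illustration that is not Securosys or AWS code: a locally generated RSA key pair stands in for the AWS KMS wrapping key pair (in a real account the public key comes from GetParametersForImport and the private half never leaves KMS), locally generated random bytes stand in for the key created on the HSM, and the key material is wrapped with RSAES_OAEP_SHA_256, one of the wrapping algorithms AWS KMS accepts for ImportKeyMaterial. The function names and the stand-ins are assumptions; the round trip shows why KMS ends up holding a copy of the key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"log"
)

// RSA_2048 is one of the wrapping key specs offered by GetParametersForImport;
// RSA_3072 and RSA_4096 are handled the same way.
const kmsWrappingKeyBits = 2048

// generateHSMKeyMaterial stands in for key generation on the Securosys HSM
// (constructed locally here): 32 bytes for a SYMMETRIC_DEFAULT (AES-256) key.
func generateHSMKeyMaterial() ([]byte, error) {
	km := make([]byte, 32)
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	return km, nil
}

// wrapForImport applies RSAES_OAEP_SHA_256 (empty label), one of the wrapping
// algorithms AWS KMS accepts, with the public key from GetParametersForImport.
// Only this wrapped form should ever leave the HSM boundary.
func wrapForImport(kmsPub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kmsPub, keyMaterial, nil)
}

// unwrapAtKMS models the KMS side of ImportKeyMaterial: the private half of the
// wrapping key recovers the plaintext, so KMS now holds a copy of the key.
func unwrapAtKMS(kmsPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kmsPriv, wrapped, nil)
}

func main() {
	// Stand-in for the KMS wrapping key pair; errors below are elided for brevity.
	kmsPriv, err := rsa.GenerateKey(rand.Reader, kmsWrappingKeyBits)
	if err != nil {
		log.Fatal(err)
	}
	original, _ := generateHSMKeyMaterial()
	wrapped, _ := wrapForImport(&kmsPriv.PublicKey, original)
	copyAtKMS, _ := unwrapAtKMS(kmsPriv, wrapped)
	fmt.Printf("wrapped blob: %d bytes; KMS copy matches HSM key: %v\n",
		len(wrapped), subtle.ConstantTimeCompare(original, copyAtKMS) == 1)
}
```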
Target Audience
This document is intended for Securosys Primus HSM or CloudHSM administrators and users. Familiarity with AWS services, in particular AWS KMS, is assumed.
For on-premises deployments, administrative skills for Securosys Primus HSMs are required.
Support Contact
If you encounter a problem while installing or configuring the provider or integrating the HSM, make sure that you have read the referenced documentation. If you cannot resolve the issue, please contact Securosys Customer Support.
What's Next
Get started with AWS Bring Your Own Key:
- Consult the Quickstart page for a quick overview.
- Follow the Installation guide.
- Step through the Tutorial.