
Comment by bawolff

4 days ago

Or they just don't want to be put in the position of having to give out keys.

I think the real paranoid people use cloudHSM.

Both KMS and CloudHSM are FIPS 140-2 Level 3 and AWS claims they cannot read private keys from KMS. The main difference is KMS uses IAM and the AWS REST API while CloudHSM uses PKCS #11/JCE and a separate permissions system.