I am working on finding the feasibility of integrating AWS CloudHSM to our existing C# application and finding a little bit of difficulty in understanding all the flow. I've seen the AWS CloudHSM page where the guide is understandable but all those examples are by using the separate utility to create and manage the HSM, Keys, Users, etc.
I'll try to put what I've looked at so far. To support AWS CloudHSM on windows I need to do the following tasks.
Install (.msi) and configure the AWS CloudHSM client to configure and create HSM, User, keys, etc. on EC2 instance.
a. Alternatively, I found that there is a NuGet package available with names "AWSSDK.CloudHSM" and "AWSSDK.CloudHSMV2" which provides limited functionality to create and maintain the HSMs. Readme in the package says that "With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM." but I did not find a way to create/import keys into the HSMs using the package functions.
Packages
"AWSSDK.CloudHSM" https://www.nuget.org/packages/AWSSDK.CloudHSM
"AWSSDK.CloudHSMV2" https://www.nuget.org/packages/AWSSDK.CloudHSMV2
Install the Amazon Client SDK 3 if we want to go for CNG and KSP Providers or install the latest SDK 5 to work with PKCS #11 Library.
a. I've seen an example in AWS and it is working with C code. I just wanted to know while using CNG and KSP providers with C# how can we access the key from CloudHSM to sign the data.
Questions
- Is the above assumption true on how to set up and use CloudHSM?
- Can someone please provide more insights, even JAVA implementation insights would give me the heads-up.
- Am I missing something, do I need to set up something else as well?