Comment by UltraSane

Comment by UltraSane 4 days ago

3 replies

View on Hacker News

Both KMS and CloudHSM are FIPS 140-2 Level 3 and AWS claims they cannot read private keys from KMS. The main difference is KMS uses IAM and the AWS REST API while CloudHMS uses PKCS #11/JCE and a separate permissions system.

nijave 3 days ago

The docs say both use HSM. Under "Secure" in the accordion menu https://aws.amazon.com/kms/features/#topic-0

Reply View 2 replies
  • UltraSane 3 days ago

    My understanding is that AWS KMS uses AWS designed HSMs and are tightly integrated with all AWS services while while CloudHSM uses LiquidSecurity 2 Cloud HSM adapters and use more conventional APIs

    https://www.marvell.com/products/security-solutions/liquidse...

    Reply View 1 reply
    • nijave 2 days ago

      >My understanding is that AWS KMS uses AWS designed HSMs

      That's my take as well reading about how they handle firmware (sounds like they're using their own chips, presumably similar to how they use other hardware acceleration and offload)

      Reply View 0 replies