Managing an AWS CloudHSM Key Store from CCKM
This section describes how to perform the following steps from CCKM:
Create a CloudHSM Key Store
From CCKM, you have the ability to create an AWS CloudHSM key store within AWS Cloud. After the store is created, you can proceed to creating your CloudHSM keys within the key store from CCKM. For information, see Creating CloudHSM Keys.
Note
A newly created key store will be in a disconnected state.
Note
You can only use an unused AWS CloudHSM cluster to create an AWS CloudHSM key store. For more information, refer to AWS CloudHSM documentation.
Note
Ensure to download the trust anchor certificate of the AWS CloudHSM prior to creating a CloudHSM key store and save it to a secure location. For more information, refer to the AWS CloudHSM User Guide.
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed.
-
Click the name of the account that will own the key store. The account details page is displayed.
-
Under CloudHSM Key Stores, click the + Add CloudHSM Key Store button. You might have to expand the CloudHSM Key Stores section to view the button. The Add CloudHSM Key Store screen displays.
-
In the Add CloudHSM Key Store screen, provide the following settings:
-
Select the Region in which the store will reside.
-
Enter the Key Store Name using a friendly name for the key store.
-
Select the AWS CloudHSM Cluster from the drop-down list to which to associate with the key store.
Note
Only unused CloudHSM clusters display in the drop-down list.
-
Click Choose File, select the trust anchor certificate file of the AWS CloudHSM cluster. This certificate file was created during the initialization of the cluster. AWS KMS will use the trust anchor certificate to connect the key store to the cluster. For more information, refer to the AWS CloudHSM User Guide.
-
Enter the Password of the
kmuser
crypto user (CU) account. When AWS KMS logs into the cluster, it uses this user to manage key material on your behalf. -
Click Save
The new CloudHSM key store is displayed under CloudHSM Key Stores.
View and Edit Details of a CloudHSM Key Store
You have the option to edit the key store name, AWS CloudHSM cluster, and password of an existing CloudHSM key store.
Note
A CloudHSM key store must be in a disconnected state before you can edit its key store name, associated cluster, or password. Be sure to disconnect the key store from the associated CloudHSM cluster before editing the key store.
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed.
-
Click the name of the account that owns the key store. The account details page is displayed.
-
Under CloudHSM Key Stores, find the desired CloudHSM key store name.
-
From the CloudHSM Key Stores display, click the ellipsis icon associated with the desired CloudHSM key store.
-
Click View/Edit Details. The General Info section of the view/edit details page displays.
-
(Optional) Enter the new key store name in Key Store Name, if you wish to use a different name.
-
(Optional) Select another AWS CloudHSM Cluster to which to associate with the key store from the drop-down list, if you wish to use a different cluster.
-
(Optional) Enter your new Password of the
kmuser
CU account, if you wish to change this password. -
Click Update.
Delete a CloudHSM Key Store
Before proceeding to delete a key store, be sure to delete all of the CloudHSM keys within it. You will have schedule to delete the keys. For more information, see Schedule Deletion of a Key. Thereafter, disconnect the key store from its associated AWS CloudHSM cluster. You can then proceed to deleting the key store after disconnecting the key store.
Warning
Deleting a CloudHSM key store is a irreversible operation, which permanently deletes the store from the AWS Cloud.
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed.
-
Click the name of the account that owns the key store. The account details page is displayed.
-
Under CloudHSM Key Stores, find the desired CloudHSM key store name.
-
From the CloudHSM Key Stores display, click the ellipsis icon associated with the desired CloudHSM key store.
-
Click Delete Store.
-
You are prompted to confirm the deletion. Enable the I wish to delete this Key Store checkbox and click Delete.
Connect to a CloudHSM Key Store
A newly created key store will be in a disconnected state. Connect the key store to the AWS CloudHSM cluster you wish to use for the store before creating keys within your key store.
Note
After a successful connection between a key store and a CloudHSM cluster, AWS KMS changes the password of the kmuser
CU account (associated with the key store) for security reasons. Before attempting to connect again, reset this password.
Note
Ensure that the kmuser
CU is not be logged into the key store's associated AWS CloudHSM cluster. Otherwise, the AWS KMS is prevented from logging into the account in which the store is added.
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed.
-
Click the name of the account that owns the key store. The account details page is displayed.
-
Under CloudHSM Key Stores, find the desired CloudHSM key store name.
-
From the CloudHSM Key Stores display, click the ellipsis icon associated with the desired CloudHSM key store.
-
Click Connect. The Connect Key Store page displays.
-
You are prompted to confirm that you wish to connect to the key store. Enter the password to use to connect to the key store and then click Connect. This is the password for the
kmuser
CU account, which you entered when you created the CloudHSM key store.
Disconnect a CloudHSM Key Store
-
Open the Cloud Key Manager application.
-
In the left pane, click KMS Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed.
-
Click the name of the account that owns the key store. The account details page is displayed.
-
Under CloudHSM Key Stores, find the desired CloudHSM key store name.
-
From the CloudHSM Key Stores display, click the ellipsis icon associated with the desired CloudHSM key store.
-
Click Disconnect. The Disconnect Key Store page displays.
-
You are prompted to confirm that you wish to disconnect the key store. Click Disconnect.