AWS cloud HSM
Make sure you have:
- Provisioned an AWS CloudHSM cluster ↗ .
- Installed the appropriate software library for PKCS#11 ↗.
Before importing the public key, extract it from the certificate provided by your CA. Place the contents of your private key in privkey.pem and then run the following (replacing certificate.pem with your actual certificate) to populate pubkey.pm.
keyserver$ openssl x509 -pubkey -noout -in certificate.pem > pubkey.pemLog in to the CloudHSM using a previously created crypto user ↗ (CU) account and generate a key encryption key that will be used to import your private key.
keyserver$ /opt/cloudhsm/bin/key_mgmt_utilCommand: loginHSM -u CU -s patrick -p donahueCommand: genSymKey -t 31 -s 16 -sess -l import-wrapping-key...Symmetric Key Created. Key Handle: 658...Referencing the key handle returned above, import the private and public key and then log out of the HSM:
Command: importPrivateKey -f privkey.pem -l mykey -id 1 -w 658...Cfm3WrapHostKey returned: 0x00 : HSM Return: SUCCESSCfm3CreateUnwrapTemplate returned: 0x00 : HSM Return: SUCCESSCfm3UnWrapKey returned: 0x00 : HSM Return: SUCCESS...Private Key Unwrapped. Key Handle: 658
Command: importPubKey -f pubkey.pem -l mykey -id 1Cfm3CreatePublicKey returned: 0x00 : HSM Return: SUCCESS...Public Key Handle: 941
Command: logoutHSMCommand: exitNow that the keys are in place, we need to modify the configuration file that the key server will read on startup. Change the object=mykey and pin-value=username:password values to match the key label you provided and CU user you created.
Open /etc/keyless/gokeyless.yaml and immediately after:
private_key_stores: - dir: /etc/keyless/keysadd:
- uri: pkcs11:token=cavium;object=mykey?module-path=/opt/cloudhsm/lib/libcloudhsm_pkcs11_standard.so&pin-value=patrick:donahue&max-sessions=1With the config file saved, restart gokeyless and verify it started successfully.
sudo systemctl restart gokeyless.servicesudo systemctl status gokeyless.service -l