rday
commented
1 month ago Hi @rretanubun !
I am not familiar with your tool, so I can't say whether it will work. If your tool is parsing the URL into a slot and PIN, you should be ok. However, our library does not support pkcs11-url so your tool would have to do the heavy lifting.
For your second and third questions, yes, we charge hourly regardless of load. We aren't able to dive into your particular use case here, but this is something your account manager or customer support would be able to assist with. There may be a way to get you onboarded with the right service.
rretanubun
Hello, I am looking for some advice and clarification on migrating an existing USB based HSM to the cloud.
My workflow today
I am using a python script and able to sign using USB HSM using its
pkcs11-URLlike this: https://github.com/rretanubun/mcuboot/blob/imgtool-pkcs11-signing/scripts/pkcs11_example.sh#L15Now I want to use the same pkcs-11 URL but point to to a cloud-based HSM running from inside a github action.
Questions on CloudHSM
1.0 My fuzzy understanding is this is a supported use case for CloudHSM once I bootstrap the key ? 1.1 If not, what am I missing? 2.0 Once I setup a
CloudHSMwe pay the hourly fee for that HSM even when it is not in use (as long as it exist?) i.e. cost per month is730 hour-in-a-month X <cost-per-hour-for-region>, even if the HSM only signs things 4 times in a month, is that correct?Alternate: Questions on AWS (KMS) Key Management Service
Apologies if this is not the right forum, I am happy to move this to the correct one (I am not sure where). 1.0 My understanding is that AWS KSM does not have
pkcs11-urlintegration? I would love to be wrong here since the pricing is more friendly to our use case, and because google-KMS seems to have supportIs there an alternate approach within AWS that I have not considered?
Thank you for everyone's time!