bentonstark / py-hsm

Python module for accessing PKCS#11 compliant HSMs

Any plans to support AWS CloudHSM? #9

Closed apipersenia closed 5 years ago

apipersenia commented 5 years ago

Hi!

are there any plans to support AWS CloudHSM?

Thanks!

bentonstark commented 5 years ago

It is already supported. AWS CloudHSM uses Cavium Liquid Security appliances on the back-end systems. That said, Cavium has a much more limited set of cryptographic mechanisms and algorithms than many other HSM vendors. So depending on what operations you want to do, you will run into those limitations whether you use py-hsm or any other way to access the AWS CloudHSM. In fact there was a recent issue raised about it here.

bentonstark commented 5 years ago

If your question is about modifying the libhsm code to disable CKA attributes that Cavium doesn't support in the current firmware version running on CloudHSM I might be talked into providing a path to disable those attributes. But those are bugs in Cavium's firmware and client software that do not affect any other HSM vendor I have tested. So I have no plans to provide any other changes to explicitly support Cavium other than possibly a patch that could be applied or a separate code branch until they get the fix pushed out to all the AWS Cavium HSMs. See list of known Cavium HSM issues for AWS CloudHSM. https://docs.aws.amazon.com/cloudhsm/latest/userguide/KnownIssues.html#ki-pkcs11-sdk
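The two practical consequences raised in this thread are that a PKCS#11 client should check which mechanisms the module actually advertises before depending on them, and that a template may need to drop attributes a particular firmware rejects. The following is an added example (not py-hsm or libhsm code, and not a description of CloudHSM's actual mechanism list) that does both with plain ctypes against the PKCS#11 C API. It assumes the module exports the `C_*` entry points as ordinary symbols, which SoftHSM and most vendor libraries do; the `PLACEHOLDER_UNSUPPORTED` set and the sample mechanism list are constructed for illustration and should be filled in from the vendor's known-issues page.

```python
"""Added example (not py-hsm code): probe a PKCS#11 module's mechanism list
and build object templates that omit attributes the target HSM rejects."""
import ctypes
from ctypes import POINTER, byref, c_ubyte, c_ulong, c_void_p

# Constants from the PKCS#11 v2.x specification.
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x000, 0x001, 0x002, 0x003
CKA_KEY_TYPE, CKA_SENSITIVE, CKA_DECRYPT, CKA_SIGN = 0x100, 0x103, 0x105, 0x108
CKA_EXTRACTABLE = 0x162
CKO_PRIVATE_KEY, CKK_RSA = 0x3, 0x0
CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS = 0x0000, 0x0001, 0x0040
CKM_AES_KEY_GEN, CKM_AES_GCM = 0x1080, 0x1087
CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x000, 0x191


class CK_ATTRIBUTE(ctypes.Structure):
    """CK_ATTRIBUTE as laid out in pkcs11t.h (CK_ULONG is the platform unsigned long)."""
    _fields_ = [("type", c_ulong), ("pValue", c_void_p), ("ulValueLen", c_ulong)]


def encode_value(value):
    """Serialize a Python value the way the PKCS#11 C API expects it in pValue."""
    if isinstance(value, bool):          # CK_BBOOL: one byte; test before int (bool subclasses int)
        return b"\x01" if value else b"\x00"
    if isinstance(value, int):           # CK_ULONG in native width and byte order
        return bytes(c_ulong(value))
    if isinstance(value, str):           # CKA_LABEL: raw UTF-8, no terminator
        return value.encode("utf-8")
    return bytes(value)                  # big-endian integers, key material, etc.


def build_template(attrs, unsupported=frozenset()):
    """Return (CK_ATTRIBUTE array, keep-alive buffers, dropped attribute types).

    `unsupported` is the set of CKA_* types the target module is known to reject.
    Keep `buffers` referenced while the array is in use: pValue points into them."""
    kept = [(t, v) for t, v in attrs.items() if t not in unsupported]
    dropped = sorted(t for t in attrs if t in unsupported)
    buffers, template = [], (CK_ATTRIBUTE * len(kept))()
    for i, (attr_type, value) in enumerate(kept):
        raw = encode_value(value)
        buf = ctypes.create_string_buffer(raw, len(raw))   # exact length, no NUL padding
        buffers.append(buf)
        template[i].type = attr_type
        template[i].pValue = ctypes.addressof(buf)
        template[i].ulValueLen = len(raw)
    return template, buffers, dropped


def template_as_dict(template):
    """Read a CK_ATTRIBUTE array back as {type: raw bytes} to inspect what gets sent."""
    return {a.type: ctypes.string_at(a.pValue, a.ulValueLen) for a in template}


def list_mechanisms(lib_path, slot=None):
    """Set of CKM_* codes the module advertises for one slot (needs a real module).
    Assumes C_Initialize/C_GetSlotList/C_GetMechanismList are exported symbols."""
    lib = ctypes.CDLL(lib_path)
    lib.C_GetSlotList.argtypes = [c_ubyte, POINTER(c_ulong), POINTER(c_ulong)]
    lib.C_GetMechanismList.argtypes = [c_ulong, POINTER(c_ulong), POINTER(c_ulong)]
    rv = lib.C_Initialize(None)
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        raise RuntimeError(f"C_Initialize failed: 0x{rv:X}")
    try:
        if slot is None:                               # first slot with a token present
            count = c_ulong(0)
            lib.C_GetSlotList(1, None, byref(count))
            slots = (c_ulong * count.value)()
            lib.C_GetSlotList(1, slots, byref(count))
            slot = slots[0]
        count = c_ulong(0)
        if lib.C_GetMechanismList(slot, None, byref(count)) != CKR_OK:   # size query
            raise RuntimeError("C_GetMechanismList size query failed")
        mechs = (c_ulong * count.value)()
        if lib.C_GetMechanismList(slot, mechs, byref(count)) != CKR_OK:
            raise RuntimeError("C_GetMechanismList failed")
        return set(mechs[: count.value])
    finally:
        lib.C_Finalize(None)


def missing_mechanisms(available, required):
    """Sorted list of required CKM_* codes the module does not advertise."""
    return sorted(set(required) - set(available))


# Constructed sample (not real CloudHSM output): a client needing RSA-PKCS#1 signing plus
# AES-GCM, checked against a module that hypothetically lacks AES-GCM.
SAMPLE_AVAILABLE = {CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_AES_KEY_GEN}
SAMPLE_REQUIRED = [CKM_SHA256_RSA_PKCS, CKM_AES_GCM]

# Constructed RSA private-key template; PLACEHOLDER_UNSUPPORTED is a stand-in, not a
# statement about any vendor's firmware. Populate it from the vendor's known-issues page.
RSA_PRIV_ATTRS = {
    CKA_CLASS: CKO_PRIVATE_KEY, CKA_KEY_TYPE: CKK_RSA, CKA_TOKEN: True, CKA_PRIVATE: True,
    CKA_SENSITIVE: True, CKA_EXTRACTABLE: False, CKA_SIGN: True, CKA_DECRYPT: True,
    CKA_LABEL: "py-hsm-demo",
}
PLACEHOLDER_UNSUPPORTED = frozenset({CKA_PRIVATE})

if __name__ == "__main__":
    print("missing:", [hex(m) for m in missing_mechanisms(SAMPLE_AVAILABLE, SAMPLE_REQUIRED)])
    tmpl, _keep, dropped = build_template(RSA_PRIV_ATTRS, PLACEHOLDER_UNSUPPORTED)
    print("dropped:", [hex(t) for t in dropped], "sent:", template_as_dict(tmpl))
```

To run `list_mechanisms` against a real module, point `lib_path` at the PKCS#11 shared object (for example a SoftHSM2 install, or the CloudHSM client's library) and compare the result with the mechanisms your code relies on before deploying; `build_template` keeps the stripped attributes out of the request rather than letting the module reject the whole template.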

apipersenia commented 5 years ago

thanks so much for the quick response! I am excited to try this. Any plans to expand the supported linux distros for libhsm to include ubuntu?

bentonstark commented 5 years ago

I would really like to get libhsm packaged into Debian / Ubuntu and even Fedora if possible. Although one of my libraries has been packaged up into Fedora repos, I did not actually do it. Any advice or experience as to how to get that done would be appreciated.