AWS Key Management Service (amazon.com)
109 points by leef on Nov 12, 2014 | hide | past | favorite | 29 comments



I put on my robe and tinfoil hat...

Managing all my keys on such a service would mean trusting Amazon will not hand them over to NSA and friends (with or without NSL or sealed indictment). Which I'm rather sceptical about, tbh, considering Amazon makes quite a lot of business with governments of all sorts.

EDIT: to clarify, my comment was about keys that would otherwise not sit on, or be used by, AWS images. If you make the effort to use such a tool, it makes sense to store all your keys, not just stuff that would have ended up on AWS anyway; and that's where the risk lies.


If you are invested in AWS, does it really matter? They own the metal your software runs on and they can look at it regardless of whether you give them the key or not.


DevOps here! If they can capture the memory contents of your VM, you've already lost. Get some gear, and colo it in a non-US country if you're paranoid about the NSA.


Exactly this. I have been looking at things that make self hosting email easier, and lots of them include encrypted file systems. I don't really get why. Once someone has any type of access to a server, you are done for. By its nature cloud hosting means that the provider can read everything from your VPS, including passwords you type into it and keys you store on it, and they can be compelled to do just that. Not saying you should stop using AWS and the like, but I think adding security fences inside your VPS is only giving you diminishing returns.


And don't use US hardware... Best of luck with that.


Supermicro builds its gear in Taiwan still, no? Has been a while since I had to buy physical hardware.


Taiwan, the country that only exists because the US lets it?


There's GovCloud but not "non-GovCloud".


Your other option is to keep the keys on the instances themselves (if you want keys in your Amazon infrastructure). In other words, this is no worse from the NSA/NSL perspective, but better from a security perspective.


The keys are stored on SafeNet HSMs, you'd have to trust that they don't do anything with them but they can't exactly export them.


How does AWS KMS compare to AWS CloudHSM?

AWS CloudHSM provides you with a dedicated hardware device installed in your Amazon Virtual Private Cloud (VPC) that provides a FIPS 140-2 Level 2 validated single-tenant HSM to store and use your keys. You have total control over your keys and the application software that uses them with CloudHSM.

AWS KMS allows you to control the encryption keys used by your applications and supported AWS services in multiple regions around the world from a single console. Centralized management of all your keys in AWS KMS lets you enforce who can use your keys, when they get rotated, and who can manage them. AWS KMS integration with AWS CloudTrail gives you the ability to audit the use of your keys to support your regulatory and compliance activities.
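As an added illustration of the "who can use your keys" versus "who can manage them" split described above (example code, not AWS's own): a KMS key policy with separate administrator and user statements, plus a simplified local evaluator so the intent can be checked offline. The account id and role names are placeholders, and the evaluator only models explicit deny, explicit allow and default deny, not full IAM semantics.

```python
"""Added example (not from the page): a KMS key policy separating key
administration from key use, with a simplified offline policy check."""
import fnmatch

ACCOUNT = "111122223333"  # placeholder account id
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"    # hypothetical role
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/OrderService"  # hypothetical role

# Administrators may manage the key but get no cryptographic permissions;
# the application role may use the key but cannot change its policy.
# Real key policies normally also grant the account root principal so the
# key cannot become unmanageable; that statement is omitted here for brevity.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKeyAdministrationOnly",
            "Effect": "Allow",
            "Principal": {"AWS": ADMIN_ROLE},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*",
                       "kms:Put*", "kms:Update*", "kms:Revoke*",
                       "kms:Disable*", "kms:Get*", "kms:Delete*",
                       "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": ["kms:Encrypt", "kms:Decrypt",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}

def _matches(patterns, action):
    """Match an action name against policy actions, honouring '*' wildcards."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in pats)

def is_allowed(policy, principal_arn, action):
    """Simplified decision: explicit Deny wins, then Allow, otherwise denied."""
    allowed = False
    for stmt in policy["Statement"]:
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn not in principals or not _matches(stmt["Action"], action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running the checks shows the administrator cannot decrypt and the application role cannot rewrite the key policy, which is the separation the FAQ text refers to.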


You can get the keys off of an HSM with a scanning tunneling electron microscope, a lot of time, and some electronics engineers, depending on the type of hardware. It is possible, but unbelievably more difficult.

If they get the server with the HSM in it via an NSL, game over. That being said, it is impossible for a hack to get the private keys, so this is still a massive win.


It uses an HSM. You can always verify cryptographically that you are communicating with an HSM.


No, you can't. You can verify that you're communicating with an API that is consistent with an HSM -- but how are you going to verify that it's not a software HSM on a VM on x86 hardware?



That doesn't verify that you're communicating with an actual HSM, just that you're communicating with something operating like an HSM, that has a key signed by someone who promises they'll only sign keys of actual HSMs.

It's a good initiative, and as long as you trust the company, you can trust that they probably haven't signed a compromised key, or that someone's been able to extract the key from an HSM (something that's really hard, but see e.g. the (first) XBOX hack involving an electron microscope for reading key bits from ROM).


If you can't trust SafeNet then you shouldn't use their HSM. They gave you the process of verifying that the HSM is a SafeNet hardware security module and that it is a FIPS-compliant one.


This is actually a really cool feature - the CloudHSM offering is both (very) expensive and not user friendly. This should help with big clients requiring HSMs or the like.

So many cool services could be built with this if there's an open API.

Edit: Sadly, it seems there's no out of the box ELB support... Would be great for TLS termination.


For ELB TLS termination, AWS already stores your TLS key securely in IAM, probably using some of the same underlying technologies. What sort of integration do you want between KMS and ELB?


Securely doesn't equate to what an HSM provides. I'd be doubtful if they are (using them) right now...

If IAM gets compromised, an attacker can take the key and run, as opposed to them only being able to use it while they have access to the HSM. Not saying it's likely to happen.


Usually when I read "security" and "centralized" in the same sentence, I think of an unsustainable model that will be disrupted in a few years.


Lots of new Amazon services today?


There is currently an AWS conference going on: https://reinvent.awsevents.com/


A re:Invent banner has been all over AWS sites for half a year now; I can't believe that this is it.

I was expecting Jeff standing up in a suit and talking to a live audience. Instead, there is what appears to be a pre-recorded video stream of advertisements on how AWS is great:

>Think you're a good architect? These 12 tips will help you get around our global, fast and secure AWS infrastructure.


Andy Jassy delivered the keynote earlier this morning to a capacity crowd. We made 5 big announcements today and have more in store for tomorrow.


Thanks, just figured out how huge this event actually is.

Any chance that VPC will support broadcast? The FAQ page is quite dry on details.


This week is the AWS re:Invent conference, lots of announcements are made during it. These were announced at the keynote today, and there's another keynote tomorrow.


Could anyone point me to what's wrong with nominal users and keys managed by system automation (AKA Puppet/Chef/SaltStack)?


PCI compliance.



