This guide provides instructions on securing Infisical project secrets using AWS CloudHSM. Integration with AWS CloudHSM is achieved by configuring it as a custom key store for AWS KMS. Follow the steps below to set up AWS KMS with AWS CloudHSM as the custom key store.

Prepare AWS CloudHSM Cluster

Before you get started, you’ll need to configure a AWS CloudHSM cluster which meets the following criteria:

  • The cluster must be active.
  • The cluster must not be associated with any other AWS KMS custom key store.
  • The cluster must be configured with private subnets in at least two Availability Zones in the Region.
  • The security group for the cluster must include inbound and outbound rules that allow TCP traffic on ports 2223-2225.
  • The cluster must contain at least two active HSMs in different Availability Zones.

For more details on setting up your cluster, refer to the following AWS documentation.

Set Up AWS KMS Custom Key Store

To set up an AWS KMS custom key store with AWS CloudHSM, you will need the following:

  • The trust anchor certificate of your AWS CloudHSM cluster.
  • A kmsuser user in the AWS CloudHSM cluster with the crypto-user role.
1

Navigate to Key store creation page

In the AWS console, head over to AWS KMS > AWS CloudHSM key stores and click Create key store.

2

Add key store name

Input the custom key store name.

3

Select HSM cluster

Select the AWS CloudHSM cluster. You should be able to select the cluster if it meets the required criteria mentioned above.

4

Upload trust anchor certificate

Upload your CloudHSM’s cluster trust anchor certificate file.

5

Provide cluster user password

Input the password of the kmsuser crypto-user in your cluster.

6

Finish key store creation

Proceed with creating the AWS CloudHSM key store.

For more details, refer to the following AWS documentation.

Create AWS KMS Key

Next, you’ll need to create a AWS KMS key where you will set the key store you created previously.

1

Navigate to AWS KMS key creation page

In your AWS console, proceed to AWS KMS > Customer managed keys and click Create.

2

Set key options

Set Key type to Symmetric and Key usage to Encrypt and decrypt.

3

Select key material origin

In the advanced options, for the Key material origin field, select AWS CloudHSM key store. Then, click next.

4

Choose key store

Select the AWS CloudHSM key store you created earlier.

5

Finish KMS key creation

Proceed with creating the AWS KMS Key.

Connect Infisical to AWS KMS Key

You should now have an AWS KMS that has a custom key store set to AWS CloudHSM. To secure project resources, you will need to add this AWS KMS to your Infisical organization. To learn how, refer to the documentation here.