The present disclosure relates to cloud computing environments, and more specifically, to managing access to confidential information stored on hardware security modules (HSM's) used in a cloud computing environment.
Hardware security modules (HSM's) are devices used to store confidential information including, for example, encryption keys (e.g., private keys, master keys, etc.). HSM's may be implemented using tamper-resistant hardware (e.g., crypto adapters). In some embodiments, HSM's may be crypto co-processors which are configured to store confidential information in a manner that prevents direct access to the stored confidential information. Moreover, such an HSM may be configured to block usage of the confidential information unless proper authentication is provided. For example, a user may not be able to use the keys stored in an HSM if the user cannot prove that it has the right to do so. Further, in some embodiments, an HSM may be a hardware adapter or a partition within a self-virtualizing adapter (e.g., a cryptographic domain in a crypto adapter). Further, in some embodiments, an HSM may be a co-processor that is affixed to a computer's motherboard. In addition, a single co-processor may be partitioned, so as to enable it to maintain two or more separate HSM's at one time.
An HSM may provide conventional hardware security functions such as cryptographic functions including key generation, hashing, signing, verification, encryption, and decryption. These operations may be performed in conventional ways. For example, an HSM may employ the Rivest-Shamir-Adleman (RSA) algorithm for encryption/decryption and digital signature operations, and the Secure Hash Algorithm SHA-1 for hash operations.
In the context of cloud computing environments, HSM's may be used to maintain important customer secrets. Specifically, when a user associated with an HSM wants to access encrypted data from a cloud, a secure connection may first be established between the user's device (e.g., a client) and the user's assigned cloud-hosted HSM. Keys contained in the HSM may then be used to decrypt the user's data.
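The access-control behaviour described above (keys that never leave the module, operations blocked until proper authentication, and one co-processor partitioned into separate domains) can be modelled in software. The following is an added illustrative example, not code from the disclosure; the class names, the HMAC-SHA-256 signing operation and the per-domain credentials are assumptions chosen for the model.

```python
import hashlib
import hmac
import secrets


class HsmAuthError(Exception):
    """Raised when a key operation is attempted without proper authentication."""


class HsmPartition:
    """One cryptographic domain of a partitioned co-processor (hypothetical model)."""

    def __init__(self, domain_id: str, auth_secret: bytes) -> None:
        self.domain_id = domain_id
        self._auth_secret = auth_secret     # constructed credential for this domain
        self._keys: dict[str, bytes] = {}   # key material never leaves this object
        self._authenticated = False

    def authenticate(self, presented: bytes) -> bool:
        # Constant-time comparison; a failed attempt leaves the domain locked.
        self._authenticated = hmac.compare_digest(presented, self._auth_secret)
        return self._authenticated

    def _require_auth(self) -> None:
        if not self._authenticated:
            raise HsmAuthError(f"domain {self.domain_id}: authentication required")

    def generate_key(self, label: str) -> str:
        self._require_auth()
        self._keys[label] = secrets.token_bytes(32)
        return label  # the caller receives a handle, never the key bytes

    def sign(self, label: str, data: bytes) -> bytes:
        self._require_auth()
        # A key created in another domain is simply absent here (KeyError).
        return hmac.new(self._keys[label], data, hashlib.sha256).digest()

    def verify(self, label: str, data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(label, data), tag)


class CryptoCoprocessor:
    """A single adapter partitioned into separate, mutually isolated HSM domains."""

    def __init__(self) -> None:
        self._domains: dict[str, HsmPartition] = {}

    def create_domain(self, domain_id: str, auth_secret: bytes) -> HsmPartition:
        self._domains[domain_id] = HsmPartition(domain_id, auth_secret)
        return self._domains[domain_id]
```

In the cloud flow described above, the client would present its credential over the secure connection via `authenticate()` and then request operations by key handle, so the decryption or signing key itself is never transmitted.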