CloudHSM zeroised: doubt about the correct answer
eriksa updated 4 months, 2 weeks ago · 3 Members · 3 Posts
-
question from timed set 5: “You have launched the CloudHSM cluster but after just a few hours, a support staff mistakenly attempted to log in as the administrator three times using an invalid password in the Hardware Security Module. This has caused the HSM to be zeroized, which means that the encryption keys on it have been wiped. Unfortunately, you did not have a copy of the keys stored anywhere else.
How can you obtain a new copy of the keys that you have stored on Hardware Security Module?”
Correct answer according to the system: keys are lost permanently.
However, the referenced link https://aws.amazon.com/premiumsupport/knowledge-center/stop-cloudhsm/ is for CloudHSM Classic, not a cluster. On a cluster, the keys are always synced to at least one other device. In addition, as explained in the FAQ and the other link https://d1.awsstatic.com/whitepapers/Security/security-of-aws-cloudhsm-backups.pdf, encrypted backups are taken daily, and can be decrypted by a combination of the AKBK and MKBK, both of which, as far as I can tell, should still be available. Therefore I submit the correct answer is “restore a snapshot”.
-
Anonymous (Deleted User), December 23, 2024 at 9:34 am
Hello Aryeh,
Good day!
Thank you for your feedback. You’ve raised some important points about CloudHSM clusters and their backup capabilities. However, let me clarify a few things regarding the specific scenario presented in the question.
The scenario explicitly states, “you did not have a copy of the keys stored anywhere else.” This indicates that no backups or synchronization to other devices were available at the time. Lastly, while it’s true that CloudHSM clusters feature daily automated encrypted backups, the short timeframe described (“You have launched the CloudHSM cluster but after just a few hours”) in the scenario suggests that no backup had yet been created, as AWS takes these backups every 24 hours (https://aws.amazon.com/cloudhsm/faqs/#:~:text=AWS%20takes%20automatic%20encrypted%20backups,adding%20or%20removing%20an%20HSM).
Therefore, the correct answer is, “The keys are lost permanently if you do not have a copy.”
I hope this helps.
Regards,
Neil @ tutorials dojo
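Both posts above turn on one operational question: does a READY backup exist for the cluster, and how old is it? The following is an added example (not code from this thread, from Tutorials Dojo, or from AWS) that applies that check to the kind of records `aws cloudhsmv2 describe-backups` returns. The field names (`BackupId`, `BackupState`, `ClusterId`, `CreateTimestamp`) are my reading of that output and should be treated as an assumption; every backup record and timestamp below is constructed sample data.

```python
"""Check whether a zeroized CloudHSM cluster could be recovered from a backup.

Added example for this thread; not code from Tutorials Dojo or AWS.
The record shape mirrors the `Backups` list returned by
`aws cloudhsmv2 describe-backups --filters clusterIds=<cluster-id>`
(BackupId, BackupState, ClusterId, CreateTimestamp) as I understand it;
all records below are constructed sample data, not real backups.
"""
from datetime import datetime, timedelta, timezone

# Backup cadence quoted from the AWS CloudHSM FAQ in this thread.
BACKUP_INTERVAL = timedelta(hours=24)

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 12, 23, 9, 34, tzinfo=timezone.utc)

# Constructed sample: "cluster-new" was launched three hours ago (the exam
# scenario) and has no backups at all; "cluster-old" has run for days.
NEW_CLUSTER_CREATED = NOW - timedelta(hours=3)
OLD_CLUSTER_CREATED = NOW - timedelta(days=10)
SAMPLE_BACKUPS = [
    {"BackupId": "backup-example01", "BackupState": "READY",
     "ClusterId": "cluster-old", "CreateTimestamp": NOW - timedelta(hours=20)},
    {"BackupId": "backup-example02", "BackupState": "CREATE_IN_PROGRESS",
     "ClusterId": "cluster-old", "CreateTimestamp": NOW - timedelta(minutes=5)},
    {"BackupId": "backup-example03", "BackupState": "PENDING_DELETION",
     "ClusterId": "cluster-old", "CreateTimestamp": NOW - timedelta(days=3)},
]


def latest_ready_backup(backups, cluster_id):
    """Return the newest READY backup for cluster_id, or None if there is none.

    Only a READY backup can seed a replacement cluster; backups still being
    created or pending deletion are ignored.
    """
    ready = [b for b in backups
             if b["ClusterId"] == cluster_id and b["BackupState"] == "READY"]
    return max(ready, key=lambda b: b["CreateTimestamp"]) if ready else None


def recovery_assessment(backups, cluster_id, cluster_created, now=NOW):
    """Summarise what zeroization of cluster_id would mean for its keys.

    Returns a dict with:
      recoverable         - True only if a READY backup exists
      backup_id           - the backup to restore from, or None
      cluster_age_hours   - how long the cluster has existed
      hours_since_backup  - exposure window: keys created after the last
                            backup are lost even when a restore succeeds
      reason              - one-line explanation
    """
    age_hours = (now - cluster_created) / timedelta(hours=1)
    backup = latest_ready_backup(backups, cluster_id)
    if backup is None:
        if now - cluster_created < BACKUP_INTERVAL:
            reason = ("cluster is younger than the 24-hour backup interval; "
                      "no automatic backup has been taken yet")
        else:
            reason = "no READY backup found for this cluster"
        return {"recoverable": False, "backup_id": None,
                "cluster_age_hours": age_hours, "hours_since_backup": None,
                "reason": reason}
    since = (now - backup["CreateTimestamp"]) / timedelta(hours=1)
    return {"recoverable": True, "backup_id": backup["BackupId"],
            "cluster_age_hours": age_hours, "hours_since_backup": since,
            "reason": ("restore a new cluster from this backup; keys created "
                       "in the last %.1f hours are not in it" % since)}


if __name__ == "__main__":
    for cid, created in (("cluster-new", NEW_CLUSTER_CREATED),
                         ("cluster-old", OLD_CLUSTER_CREATED)):
        print(cid, recovery_assessment(SAMPLE_BACKUPS, cid, created))
```

Against the sample data, the three-hour-old cluster reports no recoverable backup (the exam's answer), while the ten-day-old cluster points at its one READY backup and reports a 20-hour exposure window, since anything generated after that backup is not in it. With a real backup id, the restore itself is a new cluster created with `aws cloudhsmv2 create-cluster --source-backup-id <backup-id>` plus the usual `--hsm-type` and `--subnet-ids` arguments.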
-
When an AWS CloudHSM is zeroized, it means all keys and sensitive data stored inside the HSM are permanently deleted. This process resets the HSM back to its factory state, ensuring no old data or keys remain. Zeroization usually happens when the HSM is decommissioned, hardware fails, or the customer explicitly requests it. After zeroization, the HSM cannot be used until it is reinitialized and new keys are created. This is a security feature to make sure no one can recover or misuse sensitive cryptographic material. So, zeroizing keeps the environment secure when an HSM is no longer needed or is being replaced. Hope it helps!