Q. Can I continue to use the SafeNet-based CloudHSM Service?
Yes. Existing users of CloudHSM can continue to use it as usual. We will continue to support, as usual, all customers currently using the SafeNet-based service. We understand that you may have extensive investment in SafeNet hardware, and are committed to supporting you.
Q. What is changing with the existing SafeNet service?
For existing users of CloudHSM Classic, there is no change to the way you access or use CloudHSM. The new service is under a separate cloudhsmv2 API endpoint, and thus does not interfere in any way with your existing deployments. Any existing automation will continue to work as expected. Documentation will remain available but will move to a new URL. Links will be provided through existing pages, so bookmarks will not break.
Q. Why am I getting a service denied error for CloudHSM?
Following the launch of the new CloudHSM service, CloudHSM Classic is only available to existing CloudHSM Classic users in that region. New customers will be directed to the new CloudHSM service. Please ensure you have downloaded, and are using, the latest CloudHSM service packages.
Q. Will SafeNet HSMs continue to receive updates and support?
Yes. For existing customers of CloudHSM Classic, there will be no change in the level of support you receive.
Q. What if I need more SafeNet HSMs?
As an existing user of CloudHSM Classic, you can continue to provision new SafeNet HSMs in any region where you are already using CloudHSM Classic, subject to service limits.
Q. Are SafeNet and the new CloudHSM compatible?
Partially. It is possible to exchange exportable symmetric keys between the HSMs (private keys are not exportable from the SafeNet HSM, regardless of exportable flag). Applications can typically be ported over with ease, unless you are reliant on specific proprietary software. Mixed deployments, however, are not supported: from a given application you will either use the new CloudHSM or CloudHSM Classic, but not both.
Q. Can I migrate to the new service?
Yes! We designed the new CloudHSM to solve many of the challenges inherent in the CloudHSM Classic solution while remaining as compatible as possible. Since CloudHSM continues to support industry-standard APIs such as PKCS#11, Java JCE, and (coming soon) Microsoft CNG, in many cases you won’t even have to modify your applications in order to migrate. Please see the migration section in the CloudHSM FAQ to get started. Feel free to contact us via your account team or by opening a support case in the AWS Management Console.
Q. Why would I migrate to the new service?
The new service raises the bar in security, scalability, usability, and economy. New features include FIPS 140-2 Level 3 certification, fully managed high availability, a management console, and lower costs. See AWS CloudHSM Documentation for more information.
Q. Is the new service available in my region?
Yes. The new CloudHSM is available in all regions where CloudHSM Classic was available, and continues to grow to new regions. You can check whether the new CloudHSM is available in a region using the table here.
Q. Will you be deploying CloudHSM Classic to any new regions?
No, we will not be expanding CloudHSM Classic beyond its current availability.
Q. How do I request a trial for the new service?
There is no trial or free tier for the new service. The new CloudHSM has hourly charges only, making it much less expensive to test drive the service.