Q. Can I continue to use the SafeNet-based CloudHSM Service?
Yes. Existing users of CloudHSM can continue to use it as usual. We will continue to support, as usual, all customers currently using the SafeNet-based service. We understand that you may have extensive investment in SafeNet hardware, and are committed to supporting you. Please note that Gemalto has announced end of life for the Luna 5 HSMs upon which CloudHSM Classic is built. We encourage you to upgrade to the new CloudHSM.
Q. What is changing with the existing SafeNet service?
For existing users of CloudHSM Classic, there is no change to the way you access or use your HSMs. The new CloudHSM is under a separate cloudhsmv2 API endpoint, and thus does not interfere in any way with your existing deployments. Any existing automation will continue to work as expected. Documentation will remain available but will move to a new URL. Links will be provided through existing pages, so bookmarks will not break.
Q. Why am I getting a service denied error for CloudHSM?
Following the launch of the new CloudHSM service, CloudHSM Classic is only available to existing CloudHSM Classic users in that region. New customers will be directed to the CloudHSM service. Please ensure you have downloaded, and are using, the latest CloudHSM service packages.
Q. Will SafeNet HSMs continue to receive updates and support?
Yes. For existing customers of CloudHSM Classic, there will be no change in the level of support you receive.
Q. What if I need more SafeNet HSMs?
As an existing user of CloudHSM Classic, we will do our best to provide additional SafeNet HSMs in any region where you are already using CloudHSM Classic, subject to service limits and availability of hardware.
Q. Are SafeNet and the new CloudHSM compatible?
Partially. It is possible to exchange exportable symmetric keys between the HSMs (private keys are not exportable from the SafeNet HSM, regardless of exportable flag). Applications can typically be ported over with ease, unless you are reliant on specific proprietary software. Mixed deployments, however, are not supported: from a given application you will either use the new CloudHSM or CloudHSM Classic, but not both.
Q. Can I upgrade to the new service?
Yes! We designed the new CloudHSM to solve many of the challenges inherent in CloudHSM Classic while remaining as compatible as possible. Since CloudHSM continues to support industry-standard APIs such as PKCS#11, Java JCE, and (coming soon) Microsoft CNG, in many cases you won’t even have to modify your applications in order to upgrade. Please see the migration section in the CloudHSM FAQ to get started. Feel free to contact us via your account team or by opening a support case in the AWS Management Console.
Q. Why would I upgrade to the new service?
Gemalto has announced end of life for the Luna 5 HSMs upon which CloudHSM Classic is built. To ensure your production workload is not stranded on unsupported hardware, we encourage you to upgrade to the new CloudHSM. Available since August 2017, CloudHSM raises the bar in security, scalability, usability, and economy. Features include FIPS 140-2 Level 3 certification, fully managed high availability, a management console, and lower costs. See AWS CloudHSM Documentation for more information.
Q. Is the new service available in my region?
Yes. The new CloudHSM is available in all regions where CloudHSM Classic was available, and continues to grow to new regions. You can check regions in which the CloudHSM here.
Q. Will you be deploying CloudHSM Classic to any new regions?
No, we will not be expanding CloudHSM Classic beyond its current availability.
Q. How do I request a trial for the new service?
There is no trial or free tier for the new service. The new CloudHSM has hourly charges only, making it much less expensive to test drive the service.