Q. What does the end of life for Luna 5 HSMs mean for CloudHSM Classic?
Gemalto has announced end of life for Luna 5 HSMs. Gemalto will end the sale of Luna 5’s on 28-February, 2020. For the safety of your workload and data, it is necessary for you to upgrade to the new CloudHSM. Please note the following milestones:
- 1-July 2019: You will be unable to provision new CloudHSM Classic capacity after this date. Software support will remain unchanged. Replacements for failed hardware after this date will be on a best effort basis.
- 1-April 2020: All running CloudHSM Classic HSMs instances will be terminated on this date.
You have the following options to upgrade or switch the root of trust for any workload that relies on CloudHSM Classic HSMs:
- Next-generation CloudHSM, launched August 2017, provides fully managed, FIPS 140-2 level 3 validated, single tenant HSM instances under your control. Development is supported through industry standard PKCS#11, JCE and OpenSSL SDKs.
- If you use CloudHSM for data encryption, you may consider using AWS Key Management Service (KMS), which is backed by FIPS 140-2 level 2 validated hardware.
- If you use CloudHSM to run a private CA, you may consider using AWS Private CA Service (PCA).
Your options to upgrade are explained in more detail in the CloudHSM migration guide.
Your HSMs are under your control only. Due to the nature of the CloudHSM service, we are unable to perform this upgrade on your behalf. We are committed to supporting you through this transition. Your account manager can help determine which support resources are available to you.
Q. Can I continue to use the SafeNet-based CloudHSM Service?
Until 1-April 2020, existing users of CloudHSM Classic can continue to use their existing HSMs. We will continue to support customers using the SafeNet-based service until this disconnect date. We encourage you to upgrade to the new CloudHSM as soon as possible, but no later than the disconnect date.
Q. What if I need more SafeNet HSMs?
At present, for existing users of CloudHSM Classic, we will do our best to provide additional SafeNet HSMs in any region where you are already using CloudHSM Classic. New units are subject to service limits and availability of hardware. After 1-July 2019, no new Classic HSMs can be provisioned in any region, even for existing customers.
Q. What if I can't finish upgrading by the April 2020 deadline?
Please open a support case indicating your inability to complete the upgrade on time, sharing why you will be unable to remove dependence on Classic HSMs by April 2020. We are committed to working with you to resolve any issues in a timely manner, to ensure your workload and data remains safe.
Q. Are SafeNet and the new CloudHSM compatible?
Partially. It is possible to exchange exportable symmetric keys between the HSMs (private keys are not exportable from the SafeNet HSM, regardless of exportable flag). Applications can typically be ported over with ease, unless you are reliant on specific proprietary software. Mixed deployments, however, are not supported. From a given application you will either use the new CloudHSM or CloudHSM Classic, but not both. You will find detailed guidance on transferring keys and migrating applications in the CloudHSM migration guide.
Q. Can I upgrade to the new service?
Yes! We designed the new CloudHSM to solve many of the challenges inherent in CloudHSM Classic while remaining as compatible as possible. Since CloudHSM continues to support industry-standard APIs such as PKCS#11, Java JCE, and Microsoft CNG, in many cases you won’t even have to modify your applications in order to upgrade. Please see the migration section in the CloudHSM FAQ to get started, or learn about migration in depth using the CloudHSM migration guide. If you have any questions or concerns, contact your account team or open a support case in the AWS Management Console.
Q. Why would I upgrade to the new service?
Gemalto has announced end of life for the Luna 5 HSMs upon which CloudHSM Classic is built. To ensure your production workload is not stranded on unsupported hardware, we encourage you to upgrade to the new CloudHSM. Available since August 2017, CloudHSM raises the bar in security, scalability, usability, and economy. Features include FIPS 140-2 Level 3 certification, fully managed high availability, a management console, and lower costs. See AWS CloudHSM Documentation for more information.
Q. Is the new service available in my region?
Yes. The new CloudHSM is available in all regions where CloudHSM Classic was available, and continues to grow to new regions. You can check regions in which the CloudHSM here.
Q. Will you be deploying CloudHSM Classic to any new regions?
No, we will not be expanding CloudHSM Classic beyond its current availability.
Q. How do I request a trial for the new service?
There is no trial or free tier for the new service. The new CloudHSM has hourly charges only, making it much less expensive to test drive the service.
Q. Why am I getting a service denied error for CloudHSM?
Following the launch of the new CloudHSM service, CloudHSM Classic is only available to existing CloudHSM Classic users in that region. New customers will be directed to the CloudHSM service. Please ensure you have downloaded, and are using, the latest CloudHSM service packages.