Recommendations for Cloud HSM solutions with the Community Edition

[g3force]

Hi,

we are currently evaluating different Cloud HSM providers for use with EJBCA CE.

So far, we are aware of the providers of

• AWS, Google and Azure
• Thales Luna HSM
• Securosys CloudsHSM

that are documented in the EJBCA documentation.
I'm missing "nShield as a service" in the docs. Does anyone have experience with this?

Does anybody know if it possible to use the HSM solutions from AWS, Google or Azure with the Community Edition and outside of the respective cloud?

Does anybody know of other Cloud HSM providers that work with EJBCA CE?

Looking forward for any recommendations :)

Best,
Nicolai

[primetomas]

Any PKCS#1 HSM that works with the Java PKCS#11 provider will work with EJBCA Community. That includes Luna, Securosys, nCipher, etc. nShield as a service works just as an nShield (except how you set it up) so it works with PKCS#11. Other cloud HSM providers are Thales DPoD, which is a Luna in the backend. Securosys also have a cloud service offering, and other such as Utimaco as well.

On top of that EJBCA Community supports Azure Key Vault and MHSM using their REST API. AWS KMS and CloudHSM works with Enterprise only (their cloudHSM PKCS#11 support does not work with Java PKCS#11 provider).

For recommendations....it depends on what you are looking for, requirements, previous vendor engagements etc. You have to research all the HSM vendors :-).