Create a CloudHSM cluster in a VPC and add the first HSM; then initialize the cluster by downloading the cluster CSR, signing it with your own issuing CA (a self-signed CA certificate is sufficient), and uploading both the signed cluster certificate and the issuing CA certificate (the trust anchor). Activation is a separate step: once the cluster reports INITIALIZED, connect with the client and change the pre-Crypto Officer (PRECO) password, which turns that account into the Crypto Officer
Install the CloudHSM client SDK (Client SDK 5) with the PKCS#11 library, the JCE provider, or cloudhsm-cli on the EC2 instance; copy the issuing CA certificate to /opt/cloudhsm/etc/customerCA.crt, which the client uses as the trust anchor when it verifies the HSM's certificate chain, and configure the client with the cluster ID or the HSM ENI IP addresses. The instance's security group must allow outbound TCP 2223-2225 to the cluster's security group
Create a Crypto User (CU) in the HSM with cloudhsm-cli (Client SDK 5) or the CloudHSM Management Utility (CMU, Client SDK 3); applications authenticate as a CU, supplying the HSM user name and password to the PKCS#11 or JCE provider, never as the Crypto Officer (CO), whose role is user and quorum management rather than key use
Generate keys inside the HSM through the PKCS#11 library or the JCE provider; set key attributes at creation (label, CKA_ID, and CKA_EXTRACTABLE=false for keys that must never be exported) so the application can find the key later by label or ID, since PKCS#11 object handles are only valid for the session that obtained them
Perform encrypt, decrypt, sign, or verify operations through the provider; private key material never leaves the HSM boundary in plaintext, and only keys marked extractable can be exported at all, and then only wrapped under another key
For high availability, add at least two HSMs in different Availability Zones (a single-HSM cluster has no redundancy and is suitable only for development); the cluster keeps its HSMs synchronized and the CloudHSM client load-balances across cluster members automatically
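The initialization part of the procedure above as one runnable script. This is an added example, not code from the page or from AWS: the openssl part mirrors the documented CSR-signing command and runs offline against a constructed stand-in CSR, while the aws cloudhsmv2 and Client SDK 5 steps run only when CLUSTER_ID is set, because they need AWS credentials, a cluster awaiting initialization, and the SDK on the host. The subject names, the WORK directory, the CU name "app", and the cloudhsm-cli subcommands printed at the end are assumptions; check the latter against the installed SDK's --help before relying on them.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from AWS): initialise a CloudHSM cluster.
# Offline part: build the issuing CA, sign a CSR, verify the chain.
# Online part (only with CLUSTER_ID set): fetch the real cluster CSR, upload
# the signed certificate plus trust anchor, configure the client.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for key material

# Build a self-signed issuing CA. The private key is used once, to sign the
# cluster CSR, and should live offline afterwards; the certificate must be
# distributed to every client host as the trust anchor (customerCA.crt).
make_issuing_ca() {
  local dir="$1"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = Example Org
CN = CloudHSM Issuing CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3652 \
    -config "$dir/ca.cnf" -keyout "$dir/customerCA.key" \
    -out "$dir/customerCA.crt" 2>/dev/null
}

# Sign a cluster CSR with the issuing CA; the output is the signed cluster
# certificate that initialize-cluster expects.
sign_cluster_csr() {
  local dir="$1" csr="$2"
  openssl x509 -req -sha256 -days 3652 -in "$csr" \
    -CA "$dir/customerCA.crt" -CAkey "$dir/customerCA.key" -CAcreateserial \
    -out "$dir/CustomerHsmCertificate.crt" 2>/dev/null
}

# Verify the chain locally before uploading: a mismatched CA file here means a
# failed initialisation and another round of signing.
verify_signed_cert() {
  local dir="$1"
  openssl verify -CAfile "$dir/customerCA.crt" \
    "$dir/CustomerHsmCertificate.crt" >/dev/null 2>&1
}

# Constructed stand-in for the real cluster CSR, used only offline.
make_stand_in_csr() {
  local dir="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Org/CN=stand-in-cluster-csr" \
    -keyout "$dir/standin.key" -out "$dir/ClusterCsr.csr" 2>/dev/null
  echo "$dir/ClusterCsr.csr"
}

# ---- cloud-side steps, executed only when a real cluster is available ----
fetch_cluster_csr() {
  aws cloudhsmv2 describe-clusters --filters clusterIds="$CLUSTER_ID" \
    --query 'Clusters[0].Certificates.ClusterCsr' --output text \
    > "$WORK/ClusterCsr.csr"
}

initialize_cluster() {
  # Both files are uploaded: the signed cluster cert and the CA cert.
  aws cloudhsmv2 initialize-cluster --cluster-id "$CLUSTER_ID" \
    --signed-cert "file://$WORK/CustomerHsmCertificate.crt" \
    --trust-anchor "file://$WORK/customerCA.crt"
}

configure_client() {
  # Client SDK 5 reads the trust anchor from this path.
  sudo cp "$WORK/customerCA.crt" /opt/cloudhsm/etc/customerCA.crt
  sudo /opt/cloudhsm/bin/configure-cli --cluster-id "$CLUSTER_ID"
  sudo /opt/cloudhsm/bin/configure-pkcs11 --cluster-id "$CLUSTER_ID"
}

run_offline() {
  make_issuing_ca "$WORK"
  local csr
  csr="$(make_stand_in_csr "$WORK")"
  sign_cluster_csr "$WORK" "$csr"
  verify_signed_cert "$WORK"
}

run_offline
echo "issuing CA and signed stand-in certificate written under $WORK"

if [ -n "${CLUSTER_ID:-}" ]; then
  fetch_cluster_csr
  sign_cluster_csr "$WORK" "$WORK/ClusterCsr.csr"
  verify_signed_cert "$WORK"
  initialize_cluster
  echo "wait until describe-clusters reports State INITIALIZED, then:"
  configure_client
  # Activation and user creation prompt for passwords, so they are listed
  # rather than run (assumed cloudhsm-cli syntax; verify with --help):
  echo "  /opt/cloudhsm/bin/cloudhsm-cli cluster activate"
  echo "  /opt/cloudhsm/bin/cloudhsm-cli interactive"
  echo "     login --username admin --role admin"
  echo "     user create --username app --role crypto-user"
fi
```

Run it with no environment to exercise only the openssl steps; set WORK to a protected directory and CLUSTER_ID to the cluster's ID (with AWS credentials in the environment) to perform the real initialization. Keep customerCA.key out of the client hosts: they need only customerCA.crt.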
Known gotchas
CloudHSM clusters are initialized with a customer-managed CA certificate, but the CA private key is used only once, to sign the cluster CSR; adding or replacing HSMs in an initialized cluster does not need it, so losing the key does not affect an existing cluster. What every client host does need is the issuing CA certificate (installed as customerCA.crt), the trust anchor for verifying the HSM's certificate chain, so keep the certificate available. A brand-new cluster initialized from scratch needs a CA key to sign its CSR, but that can be a newly created CA
HSM user credentials (CO and CU passwords) live inside the HSM and are not tied to IAM, which controls only the cluster and HSM lifecycle API; if the CO password is lost, AWS Support cannot reset it, so store it in a vault and consider quorum (M of N) authentication for CO operations
Deleting a cluster is permanent: its HSMs must be deleted first, and after that the keys exist only in backups. Backups are taken automatically (periodically and whenever an HSM is added or removed) into a service-managed S3 bucket and are kept according to the cluster's backup retention policy (default 90 days) even after the cluster is gone, and a new cluster can be created from one. Before deleting, confirm a recent backup exists, check the retention policy, and if the keys must outlive it, copy a backup to another region or export extractable keys under wrap