{"id":"1a777f2c-d0ff-4bf7-a725-44a59e205e49","task":"Initialize an AWS CloudHSM cluster and perform key operations from an EC2 application","domain":"docs.aws.amazon.com","steps":["Create a CloudHSM cluster in a VPC and add its first HSM, then initialize the cluster: download the cluster CSR (describe-clusters returns it under Certificates.ClusterCsr), sign it with your own issuing CA (customerCA.key/customerCA.crt), and upload the signed certificate together with the CA certificate as trust anchor (aws cloudhsmv2 initialize-cluster --signed-cert ... --trust-anchor ...); the cluster then moves to the Initialized state","Activate the cluster: connect from an EC2 instance with cloudhsm-cli (Client SDK 5) or CMU (Client SDK 3), log in as the pre-crypto officer (PRECO) with the default password and set a new Crypto Officer (CO) password; the cluster cannot be used for key operations until this is done","Install the Client SDK (PKCS#11 library, JCE provider, or OpenSSL Dynamic Engine) on the EC2 instance; the instance must be in, or allowed by, the cluster security group that CloudHSM created so it can reach the HSM ENIs, and the client must be configured with the cluster ID or an HSM IP plus customerCA.crt as trust anchor so it can verify the HSM certificates","Create a Crypto User (CU) with cloudhsm-cli or CMU; applications authenticate as a CU, never as the CO, since the CO manages users but cannot create or use keys","Generate keys inside the HSM through PKCS#11 or JCE, setting CKA_LABEL and CKA_ID for later lookup, CKA_TOKEN=true so the key persists beyond the session, and CKA_EXTRACTABLE=false for keys that must never leave the HSM even in wrapped form","Perform encrypt, decrypt, sign, or verify operations through the provider; private key material never leaves the HSM boundary except as a wrapped blob when you explicitly export an extractable key under a wrapping key","For production, run at least two HSMs in different Availability Zones; CloudHSM keeps keys and users synchronized across cluster members and the client load-balances requests across them, so the application sees one logical HSM"],"gotchas":["Every client needs the issuing CA certificate (customerCA.crt) as its trust anchor to verify the cluster's HSM certificate, so keep it with the cluster configuration; the CA private key is used only to sign the cluster CSR at initialization, so losing it does not affect an initialized cluster (adding HSMs or restoring a backup does not require re-signing), but any new cluster you initialize needs a CA to sign its CSR","HSM user credentials (CO and CU passwords) live inside the HSM and are not managed by IAM; if the CO password is lost, AWS Support cannot reset it, so store it in a secrets store and consider quorum (M of N) authentication for CO operations","Deleting a cluster (all of its HSMs must be deleted first) destroys the key material on those HSMs; CloudHSM takes automatic backups that outlive the cluster, so confirm a recent backup exists (aws cloudhsmv2 describe-backups) before deleting, and restore with create-cluster --source-backup-id if you need the keys back; backups themselves are removed only by your backup retention policy or an explicit delete-backup"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:19.328Z"},"url":"https://mcp.waymark.network/r/1a777f2c-d0ff-4bf7-a725-44a59e205e49"}
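Added example, not part of the waymark record above and not AWS's own tooling: the certificate-signing part of cluster initialization as the shell commands an operator types, run offline against a locally generated stand-in for the cluster CSR (constructed input, since no cluster is available here). It assumes openssl is installed; the file names mirror the AWS procedure (customerCA.key, customerCA.crt, <cluster-id>_ClusterCsr.csr, <cluster-id>_CustomerHsmCertificate.crt) with the hypothetical placeholder cluster-EXAMPLE as cluster ID; the initialize-cluster call only executes when CLOUDHSM_CLUSTER_ID is set and is printed as a dry run otherwise. The pre-flight check (chain verification plus CSR/certificate public-key match) is the practitioner addition: it catches signing the wrong request or uploading a certificate that does not chain to the trust anchor you are about to upload.

```shell
#!/bin/sh
# Added example, not from the waymark record or AWS tooling: the CSR-signing
# part of cluster initialization, run offline against a constructed stand-in
# for the cluster CSR. Assumes openssl is installed. The cluster ID
# cluster-EXAMPLE is a placeholder; the aws CLI call at the end only runs
# if CLOUDHSM_CLUSTER_ID is set, so the script is safe to run anywhere.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CSR="$WORK/cluster-EXAMPLE_ClusterCsr.csr"
SIGNED="$WORK/cluster-EXAMPLE_CustomerHsmCertificate.crt"
CA_CRT="$WORK/customerCA.crt"
CA_KEY="$WORK/customerCA.key"

# Self-signed issuing CA. The AWS procedure protects customerCA.key with a
# passphrase; -nodes is used here only so the example runs non-interactively.
# Keep the real key offline once the cluster is initialized.
make_issuing_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3652 \
    -keyout "$CA_KEY" -out "$CA_CRT" \
    -subj "/O=Example Corp/CN=Example CloudHSM Issuing CA" >/dev/null 2>&1
}

# Constructed input: a locally generated CSR standing in for the file you
# download from the cluster (describe-clusters, Certificates.ClusterCsr).
# On a real cluster the matching private key never leaves the HSM.
make_stand_in_cluster_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/stand-in-hsm.key" -out "$CSR" \
    -subj "/O=Example Corp/CN=cloudhsm-stand-in" >/dev/null 2>&1
}

# Sign the cluster CSR with the issuing CA. This is the command from the
# AWS procedure; only the input CSR is a stand-in.
sign_cluster_csr() {
  openssl x509 -req -days 3652 -in "$CSR" \
    -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$SIGNED" >/dev/null 2>&1
}

# Pre-flight before initialize-cluster: the signed cert must chain to the
# trust anchor you will upload, and its public key must equal the CSR's
# (proves you signed the cluster's CSR and not some other request).
# Usage: verify_signed_cert CSR SIGNED_CERT CA_CERT ; returns 0 on success.
verify_signed_cert() {
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$1" -noout -pubkey)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$csr_pub" = "$crt_pub" ]
}

# Upload step: signed cert plus CA cert as trust anchor. Dry run unless a
# real cluster ID is supplied in CLOUDHSM_CLUSTER_ID.
initialize_cluster() {
  if [ -n "${CLOUDHSM_CLUSTER_ID:-}" ]; then
    aws cloudhsmv2 initialize-cluster --cluster-id "$CLOUDHSM_CLUSTER_ID" \
      --signed-cert "file://$SIGNED" --trust-anchor "file://$CA_CRT"
  else
    echo "dry run: aws cloudhsmv2 initialize-cluster --cluster-id <cluster-id>" \
         "--signed-cert file://$SIGNED --trust-anchor file://$CA_CRT"
  fi
}

# Whole flow; returns non-zero if signing or the pre-flight check fails.
run_signing_flow() {
  make_issuing_ca && make_stand_in_cluster_csr && sign_cluster_csr \
    && verify_signed_cert "$CSR" "$SIGNED" "$CA_CRT"
}

run_signing_flow && echo "signed certificate verified, ready for initialize-cluster: $SIGNED"
initialize_cluster
```

After initialization the same customerCA.crt is what every client host needs as its trust anchor; the private key is not needed again for this cluster, which is why it can go offline.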