AWS KMS Support for eIDAS SignServer

The AWS KMS CryptoToken implementation adds support for managing cryptographic keys in AWS Key Management Service from within SignServer.

This benefits every public key infrastructure and signing solution that implements or integrates the eIDAS SignServer, especially when your environment is cloud-based, container-based, or hybrid.

AWS KMS is a secure and resilient service that protects your keys with hardware security modules that are either validated under FIPS 140-2 or in the process of being validated.

eIDAS SignServer supports two implementations of the AWS KMS CryptoToken. Both provide the same functionality, but they differ in how you authenticate to AWS KMS and start using the keys.

v1 AWS KMS CryptoToken

The v1 implementation of the AWS KMS CryptoToken is intended for cases where you need to create and manage AWS KMS cryptographic keys consistently, from one place, within the SignServer cluster.

For the v1 implementation you create an IAM user and register its credentials (Access Key ID and Secret Access Key) in SignServer. The same CryptoToken and keys are then available from every node of your highly available cluster without additional effort.

For more information, see v1 AWS KMS CryptoToken.

v2 AWS KMS CryptoToken

When you need more flexibility in authentication and authorization to AWS KMS, and you do not need SignServer to manage the credentials, use the v2 AWS KMS CryptoToken implementation.

This implementation follows the AWS default credential provider chain, so credentials are picked up from the runtime environment (for example environment variables, a shared credentials file, or an IAM role attached to the instance or container) rather than from SignServer configuration. That makes it useful in cloud-based and container-based environments, and in cases where standard credentials cannot be used for some reason.
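To make the difference between the two tokens concrete, the following added example (not SignServer's code and not the AWS SDK) models credential resolution in plain Python: a v1-style static provider that always returns the credentials registered with it, and a v2-style chain that walks a list of providers in order and takes the first answer. The chain order used here (environment variables, shared credentials file, then container or instance role) is a simplified assumption; the real AWS SDK chain has more sources. All key IDs, secrets and file contents are constructed sample values, and the role lookup is a stand-in callable, not a metadata-service client.

```python
"""Simplified model of AWS credential resolution: explicit static credentials
(the way the v1 token stores them) versus a default provider chain (the way
the v2 token resolves them). Constructed illustration, not SDK or SignServer code."""
import configparser
import tempfile
from pathlib import Path
from typing import Callable, List, NamedTuple, Optional


class Credentials(NamedTuple):
    access_key_id: str
    secret_access_key: str
    source: str  # which provider supplied the credentials


Provider = Callable[[], Optional[Credentials]]


def static_provider(access_key_id: str, secret_access_key: str) -> Provider:
    """v1 style: credentials registered explicitly (e.g. in SignServer configuration)."""
    def provide() -> Optional[Credentials]:
        return Credentials(access_key_id, secret_access_key, "static")
    return provide


def environment_provider(env: dict) -> Provider:
    """Reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from a process environment mapping."""
    def provide() -> Optional[Credentials]:
        ak = env.get("AWS_ACCESS_KEY_ID")
        sk = env.get("AWS_SECRET_ACCESS_KEY")
        if ak and sk:
            return Credentials(ak, sk, "environment")
        return None
    return provide


def shared_file_provider(path: Path, profile: str = "default") -> Provider:
    """Reads the INI-style shared credentials file (normally ~/.aws/credentials)."""
    def provide() -> Optional[Credentials]:
        if not path.is_file():
            return None
        cp = configparser.ConfigParser()
        cp.read(path)
        # has_option() returns False when the section itself is missing
        if cp.has_option(profile, "aws_access_key_id") and cp.has_option(profile, "aws_secret_access_key"):
            return Credentials(cp.get(profile, "aws_access_key_id"),
                               cp.get(profile, "aws_secret_access_key"),
                               f"profile:{profile}")
        return None
    return provide


def role_provider(fetch: Callable[[], Optional[Credentials]]) -> Provider:
    """Stand-in for the container/instance role lookup against the metadata service (assumed)."""
    return fetch


def resolve(chain: List[Provider]) -> Credentials:
    """Returns the first provider's non-empty answer; list order defines precedence."""
    for provider in chain:
        creds = provider()
        if creds is not None:
            return creds
    raise LookupError("no credentials found in provider chain")


def default_chain(env: dict, creds_file: Path, role_fetch) -> List[Provider]:
    """v2 style order (simplified assumption): environment, shared file, then role metadata."""
    return [environment_provider(env), shared_file_provider(creds_file), role_provider(role_fetch)]


def demo() -> dict:
    """Resolves credentials in four constructed situations and reports which source won."""
    with tempfile.TemporaryDirectory() as tmp:
        creds_file = Path(tmp) / "credentials"  # constructed shared credentials file
        creds_file.write_text(
            "[default]\naws_access_key_id = AKIAEXAMPLEFILE\naws_secret_access_key = file-secret\n"
        )
        # constructed role credentials, as a container/instance role lookup would return
        role = lambda: Credentials("ASIAEXAMPLEROLE", "role-secret", "container-role")
        env_with_keys = {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEENV", "AWS_SECRET_ACCESS_KEY": "env-secret"}
        return {
            "v1_static": resolve([static_provider("AKIAEXAMPLESTATIC", "static-secret")]).source,
            "v2_env_wins": resolve(default_chain(env_with_keys, creds_file, role)).source,
            "v2_file_wins": resolve(default_chain({}, creds_file, role)).source,
            "v2_role_only": resolve(default_chain({}, Path(tmp) / "missing", role)).source,
        }


if __name__ == "__main__":
    for scenario, source in demo().items():
        print(f"{scenario}: credentials came from {source}")
```

The last scenario is the one the v2 token is designed for: no static secret exists anywhere in the environment or on disk, and the credentials still resolve because the role attached to the container or instance answers. With the v1 token the static provider answers regardless of the environment, which is why its Access Key ID and Secret Access Key have to be registered in SignServer.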

For more information, see v2 AWS KMS CryptoToken.

3Key eIDAS package for SignServer

You can find more information about the eIDAS package in the official documentation.

Do not forget to look at the additional parts of the solution for SignServer that complement the eIDAS package:

  • Dashboarding, monitoring, and reporting
  • MS Windows KSP connector to sign documents/data natively in Windows
  • Marketplace for easy management of modules

Need help?

Do not hesitate to get in touch with us!
