How to Use AWS KMS Custom Key Store to Encrypt Your Data?


If you’ve been following news about cloud security, then you know that data encryption is among the most popular ways to secure your sensitive data. You might also have heard about the AWS KMS custom key. Ideally, the KMS custom key allows AWS CloudHSM users to use AWS Key Management Service (KMS)

In this post, you will learn more about the KMS custom key and how you can use it to encrypt your data. But before that,

AWS CloudHSM vs. KMS: What’s the Difference?

How does AWS CloudHSM vs KMS compare? This is an essential matter that must be answered before using the AWS cloud system. Ideally, Cloud HSM refers to appliances hosted in physical data centers, which are surveillance proof against PCI DSS AND SOC framework.

On the other hand, Cloud KMS is aimed at allowing users to create and control their encryption keys. It also uses HSM’S security modules to protect the user’s keys.

What is a Custom Key Store?

In simple terms, a key store refers to a safe location for storing encryption keys. AWS KMS supports the custom key store to create and control the cryptographic keys. Hardware security modules protect the customer keys, which are FIPS 140-2 supported cryptographic modules. You can also create an HSM backed custom key store if you’re looking to have more control of the HSMs.

The custom key store allows you to create your own CloudHSM cluster, which can be used by KMS to store your keys instead of storing them at the default key store. After you’ve created the KMS keys, you can go ahead and create the key material in the CloudHSM cluster.

This way, you can control your CloudHSM cluster, which allows you to manage your keys without interference from KMS. Among other things, you can confirm that KMS created keys correctly, restore your keys from backup whenever you want, and delete any key material.

It also allows you to separate your keys from KMS by connecting or disconnecting the CloudHSM cluster from HSM which puts you in charge of your data security.

Why You Need a Custom Key Store?

If the default AWS KMS key store gives you sufficient security, then you do not need any added protection. After all, an extra layer of protection comes with added responsibilities as well.

Even so, you may want to have a custom key store if you have these requirements:

    • You need to back up your key material in different AWS regions
    • You cannot store your key material in a shared environment
    • There’s need to certify key material at FIPS 14-2 level 3
    • Key material need to to go through an independent audit path

Factors to Consider When Before You Use a Custom Key Store

While the above factors necessitate your need for a custom key store, here are some factors you may want to consider before going that direction:


As with anything that adds more value to your life, you can expect to pay more for a custom key store. Specifically, you will need at least two HSMs for each custom key store. Ideally, you can expect to pay at least $1,000 based on your region. The same will apply whether you request through an AWS service or directly.


The availability of your cluster and, ultimately, your keys will depend on the use of availability zones and the number of HSMs. Therefore, you need to assess and understand the risk of configuration errors that could make your custom key store disconnected and lose key material.


The performance of your keys will depend on the number of HSMs. For better performance, ensure you have sufficient HSM resources.


A custom key store allows you to perform some of the KMS tasks. Apart from setting up HSM clusters, you will also need to configure HSM users and restore back up from HSMs. Since these are sensitive tasks, you will need to have the necessary resources to perform them.

Can You Use CloudHSM to Share Your Keys Safely?

Depending on where you store your data and your compliance requirements, you may want to control how your encryption keys are stored and managed. The best thing is that the CloudHSM cluster can allow you to protect your keys while allowing third-party providers such as SaaS to access your HSM cluster.

You can also use the CloudHSM cluster to share your keys with another organization provided it has an AWS account.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.