
Improving Cloud Key Management with the Enclave Security Module


When organizations make the strategic decision to shift their applications and infrastructure onto the cloud, they face a myriad of challenges, all of which concern maintaining the confidentiality, authenticity, and integrity of their valuable digital assets. In the fast-evolving landscape of digital transformation, these hurdles need to be recognized, understood, and addressed effectively.

The challenges include:

Compliance with privacy laws: One of the foremost challenges is compliance with an intricate mesh of privacy laws, such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), the Privacy Act, and many others. This is a complex topic that often leaves organizations anxious about ensuring full compliance. Balancing the use of cloud capabilities with adherence to data protection regulations is often a tricky task.

Lack of control: Organizations could find their authority over their own data and encryption keys curtailed when these assets are stored in the cloud. This lack of full control can cause disquiet among organizations, as they may feel they are relinquishing too much of their oversight over sensitive and critical data.

Shared infrastructure: Shared infrastructure is the prevalent model among Cloud Service Providers (CSPs), and it often extends to the Hardware Security Modules (HSMs) they offer, which escalates the risk of data leakage and unauthorized access. In a shared environment, the likelihood of accidental or intentional data exposure increases, creating a threat landscape that organizations need to be aware of.

Insider threats: Insider threats can emanate from rogue employees or contractors who could potentially jeopardize critical data. The human element, which can never be completely eliminated, remains a significant and unpredictable risk in any data security framework.

Addressing all these challenges necessitates a comprehensive and meticulous approach to cloud security. This involves implementing suitable security controls tailored to the organization's needs and the nature of the digital assets involved.

When it comes to protecting your encryption keys – a cornerstone of data security – it is of paramount importance that organizations retain control, ensuring these keys remain uncompromised. The pivotal question that arises then is, "How do we maintain the security of our keys in a cloud environment where the level of trust may be uncertain?" 

Enclave Security Module (ESM) - your own secure partition in the cloud

A solution to the challenges above is found in the form of secure enclave technology, now offered by Cloud Service Providers (CSPs). These enclaves are akin to a private vault within your cloud infrastructure, offering secure and isolated computing environments distinct from other processes running concurrently on the system. This design not only enhances the overall security but also successfully addresses multiple complexities associated with shared cloud infrastructure.

A pioneer in this field, Cryptomathic has leveraged this groundbreaking technology to develop a specialized Enclave Security Module (ESM). The ESM is designed to function seamlessly within the AWS Nitro Enclave environment and serves as a robust alternative to conventional Hardware Security Modules (HSMs).

AWS Nitro Enclaves, a service from Amazon Web Services (AWS), is a form of confidential computing. It employs a suite of technologies and best practices to safeguard highly sensitive data, including personally identifiable information (PII), healthcare, financial, and intellectual property data. This protective layer secures data and workloads within the customer's Amazon EC2 instances, even when they are processed in an environment that is not fully trusted.


At the heart of the ESM is its commitment to protect what matters most - your cryptographic keys. By offering a unique solution for securely transferring keys from your highly secure key management system to the ESM, it adds an extra layer of security, reducing the risk of unauthorized access or leaks. Additionally, the ESM ensures that you are in full control of your keys for their entire lifecycle, even when used in the cloud.

How it works

The Enclave Security Module (ESM) is configured as a readily accessible cryptographic resource for Cryptomathic's Crypto Service Gateway (CSG) platform, much like how conventional Hardware Security Modules (HSMs) are integrated. The nodes of the CSG are set up within an EC2 instance in the AWS environment, effectively serving as a conduit to the ESM that's encapsulated within the AWS Nitro Enclave.

Depending on your unique compliance needs and security specifications, the key management system entrusted with the custody of your cryptographic keys can be established either on-premises or housed within a cloud environment. This flexibility allows for a customized security setup that aligns with your specific requirements, offering both secure and compliant solutions for key management.


[Figure: Key management system custody options]

Additional control and assurance with the Enclave Security Module (ESM)

The ESM on the Cryptomathic Crypto Service Gateway platform facilitates the secure key exchange process between the Key Management System (KMS) and the ESMs. The ESM comes equipped with mechanisms that ensure the authenticity and integrity of data by establishing trust within the module itself and leveraging the enclave's attestation features. This, in turn, ensures secure key transmission between the KMS and the ESM, effectively neutralizing the risks associated with man-in-the-middle attacks and similar threat vectors.

Moreover, the ESM offers support for a range of cryptographic operations, whether they are general-purpose or custom-designed, making these available to applications residing on the CSG platform. The cryptographic module housed within the ESM adheres to the stringent security requirements of FIPS 140-2 level 1 compliance.

The ESM isn't just about delivering a high level of operational flexibility and seamless availability; it's about handing you complete control of your keys within the cloud. With the ESM, your organization can gain an enhanced level of assurance, confident in the knowledge that your keys are well-protected.

Cryptomathic’s Crypto Service Gateway (CSG)

Cryptomathic's Crypto Service Gateway (CSG) stands as the pillar for a resilient and scalable infrastructure that leverages ESM/HSM cryptographic services. The architecture of CSG is designed such that a server cluster is positioned between the ESMs/HSMs and the applications, taking the responsibility of efficiently distributing load across the appropriate ESMs/HSMs while ensuring the enforcement of cryptographic policy and centralized key management.

The management of application-specific cryptographic parameters is seamlessly executed centrally, utilizing an intuitive and user-friendly policy language. This policy mechanism greatly streamlines the processes of both internal and external compliance audits, thereby bolstering your security team with the agility to swiftly respond to cryptographic challenges.

Combining the strengths of ESM and CSG presents us with a holistic solution that not only achieves our desired level of security but also provides benefits that originally prompted the transition to the cloud. These include the convenience of simplified management, improved performance through speed, and financial efficiency in terms of cost control. Together, ESM and CSG are the catalysts driving secure, efficient, and scalable cloud adoption.

Key customer benefits

Efficiency and scalability: ESM is designed for speed and scalability, capable of meeting the high availability demands of many third-party systems such as AWS XKS, which require a response in less than 250 milliseconds. While only a few HSM-based implementations can deliver this at peak levels, ESM offers this as a core feature.

Compliance assurance: In a world inundated with privacy laws and legal cases, having a system that maps a migration path towards full encryption life-cycle management is essential for demonstrating compliance.

Economical, secure, and adaptable solution: The ESM is not only a cost-effective choice, given that it eliminates the need for traditional hardware units, but it also offers a secure and scalable solution that can be readily expanded to meet future requirements.

Complete control over your keys in the cloud: With ESM, you retain full control of your keys within the cloud, as no master keys or data are shared with CSPs. This means there's no risk of your keys being compromised by insider threats.


As a leader in strong cryptographic technology, Cryptomathic provides businesses with best-in-class security solutions for payments, mobile app protection, crypto-agility, key management and qualified electronic signing.

Contact us to hear more or to discuss your requirements.