How to migrate 3DES keys from a FIPS to a non-FIPS AWS CloudHSM cluster
Security Blog
This article provides guidance on securely migrating Triple Data Encryption Standard (3DES) keys from a FIPS-compliant AWS CloudHSM cluster to a non-FIPS cluster using the new hsm2 instance type.
Specifically, the article covers:
- Background on AWS CloudHSM and the withdrawal of 3DES as a FIPS-approved encryption algorithm
- An overview of the solution to migrate keys using an RSA-AES wrap mechanism without exposing plaintext keys
- Important considerations when migrating keys, such as key ownership, key attributes, and backup retention
- Step-by-step instructions to generate an RSA key pair, export the public key, import it to the source cluster, wrap keys using the public key, move the wrapped keys, and unwrap them in the target cluster using the private key
- A testing approach to verify that the 3DES keys were migrated successfully
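The wrap-and-unwrap flow in the last step above, as an added offline illustration that is not code from the AWS article or from the CloudHSM tooling: a Go program using only the standard library that models the PKCS#11 RSA-AES key wrap construction the article relies on, namely an ephemeral AES-256 key-encryption key encrypted with RSA-OAEP, followed by the 3DES key wrapped under that KEK with RFC 5649 (AES Key Wrap with Padding). The function names (`rsaAESWrap`, `rsaAESUnwrap`, `roundTrip`) and the sample 24-byte key are constructed for this example; in the real migration the 3DES key never leaves the HSM, the source cluster only ever sees the RSA public key, and the private key stays in the target cluster.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// kwpIVPrefix is the RFC 5649 alternative initial value prefix (0xA65959A6).
var kwpIVPrefix = []byte{0xA6, 0x59, 0x59, 0xA6}

// aesKeyWrapPad implements RFC 5649 for inputs longer than 8 bytes (a 24-byte
// 3DES key is three 64-bit blocks). The single-block short-input case is omitted.
func aesKeyWrapPad(kek, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(plaintext) <= 8 {
		return nil, errors.New("short-input (single block) case not implemented")
	}
	// Zero-pad to a multiple of 8 bytes; AIV = prefix || 32-bit original length.
	r := make([]byte, (len(plaintext)+7)/8*8)
	copy(r, plaintext)
	a := make([]byte, 8)
	copy(a, kwpIVPrefix)
	binary.BigEndian.PutUint32(a[4:], uint32(len(plaintext)))
	n := len(r) / 8
	buf := make([]byte, 16)
	for j := 0; j <= 5; j++ { // RFC 3394 wrapping with the AIV as the IV
		for i := 1; i <= n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Encrypt(buf, buf)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^uint64(n*j+i))
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	return append(a, r...), nil
}

// aesKeyUnwrapPad reverses aesKeyWrapPad and performs the RFC 5649 integrity checks.
func aesKeyUnwrapPad(kek, wrapped []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(wrapped)%8 != 0 || len(wrapped) < 24 {
		return nil, errors.New("wrapped key has invalid length")
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i))
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	// Checks from RFC 5649 section 4.2: AIV prefix, plausible length, zero padding.
	if !bytes.Equal(a[:4], kwpIVPrefix) {
		return nil, errors.New("integrity check failed: bad AIV prefix")
	}
	mli := int(binary.BigEndian.Uint32(a[4:]))
	if mli <= 8*(n-1) || mli > 8*n {
		return nil, errors.New("integrity check failed: bad length")
	}
	for _, b := range r[mli:] {
		if b != 0 {
			return nil, errors.New("integrity check failed: bad padding")
		}
	}
	return r[:mli], nil
}

// rsaAESWrap mirrors the CKM_RSA_AES_KEY_WRAP layout: RSA-OAEP(ephemeral AES-256 KEK)
// || AES-KWP(KEK, targetKey). Only the public key is needed, so the source side never
// holds anything that can unwrap the blob.
func rsaAESWrap(pub *rsa.PublicKey, targetKey []byte) ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	encKEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kek, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := aesKeyWrapPad(kek, targetKey)
	if err != nil {
		return nil, err
	}
	return append(encKEK, wrapped...), nil
}

// rsaAESUnwrap is the target-side operation: recover the KEK with the private key,
// then unwrap the 3DES key. The OAEP ciphertext is exactly one modulus in length.
func rsaAESUnwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	k := priv.Size()
	if len(blob) <= k {
		return nil, errors.New("blob too short")
	}
	kek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:k], nil)
	if err != nil {
		return nil, err
	}
	return aesKeyUnwrapPad(kek, blob[k:])
}

// roundTrip models the migration end to end and reports whether the unwrapped key
// matches the original.
func roundTrip(targetKey []byte) (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // generated in the target cluster
	if err != nil {
		return false, err
	}
	blob, err := rsaAESWrap(&priv.PublicKey, targetKey) // done in the source cluster
	if err != nil {
		return false, err
	}
	got, err := rsaAESUnwrap(priv, blob) // done in the target cluster
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, targetKey), nil
}

func main() {
	// Constructed sample: a random 24-byte (three-key) 3DES key.
	tdes := make([]byte, 24)
	rand.Read(tdes)
	ok, err := roundTrip(tdes)
	fmt.Println("migration round trip ok:", ok, "err:", err)
}
```

The integrity checks in `aesKeyUnwrapPad` are what make the construction useful for a migration: a blob that was modified in transit, or unwrapped with the wrong private key, is rejected rather than yielding a silently corrupted 3DES key.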
Related articles
- Feb 6, 2024: How to migrate asymmetric keys from CloudHSM to AWS KMS
- Apr 20, 2026: How to clone an AWS CloudHSM cluster across Regions
- May 9, 2025: How to manage migration of hsm1.medium CloudHSM clusters to hsm2m.medium
- Oct 15, 2025: Migrate encrypted Amazon EC2 instances across AWS Regions without sharing AWS KMS keys