When using a key stored inside Google Cloud HSM, is it possible to get the following metadata fields about the HSM hardware being used?

  • Device model name
  • Device serial number
  • Firmware Version
  • Hardware Version
  • Valid FIPS certificate for device
  • Number of the certificate issued for device

When ordering a certificate from a CA, we are asked for these fields for regulatory reasons.

fornwall
  • Hi there, you can download the attestation file of the key as described [here](https://cloud.google.com/kms/docs/attest-key). I am not publishing this as an answer since not all the values you are looking for are available as described [here](https://www.marvell.com/products/security-solutions/nitrox-hs-adapters/software-key-attestation.html#ParseAttestation) – Armando Cuevas Sep 13 '21 at 21:56

1 Answer

You can see the relevant information Google Cloud HSM makes available about key provenance at https://cloud.google.com/kms/docs/attest-key; you can download an attestation which will assert that the key is limited to an HSM. However, we do not make all the information you are requesting available (and the information specific to a particular HSM does not map well to our on-demand shared infrastructure model).

Can you share the name of the Certificate Authority with these requirements? We'd be happy to approach them about accepting Cloud HSM keys.

Thanks for using Google Cloud and Cloud HSM.

Tim Dierks
  • Thanks for your reply! The CA in question is SK ID Solutions AS (https://www.skidsolutions.eu), who requires it for e-Seal certificates under the eIDAS regulation (https://www.skidsolutions.eu/en/services/Digital-stamp). – fornwall Sep 14 '21 at 07:00
  • Tim: I understand this may not be possible, but if you can it would be very valuable for us if you could check if someone knows a CA under the EUTL which provides e-Seal certificates and _does_ support Google Cloud HSM? The CA in question here was adamant that the above fields were needed. – fornwall Sep 16 '21 at 21:32
  • I've raised this with our product management and we're looking into being able to support eIDAS uses. Please feel free to email us at cloudkms-feedback@google.com. Thank you! – Tim Dierks Sep 16 '21 at 23:19
  • @fornwall were you able (1 year later) to use e-seal in Google HSM? – ydanneg Sep 26 '22 at 08:57
  • @ydanneg yes! https://www.buypass.com/ accepted Google Cloud HSM – fornwall Oct 20 '22 at 20:46