Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration

From: Rainer Duffner
Subject: Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration
Msg-id: 08F69776-6702-41F4-ACA5-CABF74CFE115@ultra-secure.de
In response to: Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration ("Peter J. Holzer" <hjp-pgsql@hjp.at>)
Responses: Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration ("Peter J. Holzer" <hjp-pgsql@hjp.at>)
Re: Regd. the Implementation of Wallet (in Oracle) config equivalent in postgreSQL whilst the database migration (Bruce Momjian <bruce@momjian.us>)
List: pgsql-general


On 22.12.2022 at 10:46, Peter J. Holzer <hjp-pgsql@hjp.at> wrote:

> If the hacker has root access: What prevents them from talking to the
> HSM?


I wasn’t involved in setting it up here, but AFAIK you need to "enroll" the client to the HSM.

That is a one-time process that requires HSM credentials (via certificates and pass-phrases).

Then, that client can talk to the HSM. 

The HSM-client is (or should be) engineered in such a way that you can’t extract the encryption-secret easily.

I am not sure, but IIRC, you should not even be able to clone the VM without the HSM noticing or the clone not working at all to begin with (for lack of enrollment). Though most production databases are too large to just "clone".

Maybe someone who knows more about this subject can chime in before I make a fool of myself?
;-)




Rainer
