
Key Management Service:Purchase and enable an HSM

Last Updated:Jun 07, 2024

This topic describes how to purchase and enable a hardware security module (HSM).

Prerequisites

To access an HSM from an Elastic Compute Service (ECS) instance, the ECS instance must reside in the virtual private cloud (VPC) of the HSM. Before you purchase an HSM, make sure that the following requirements are met:

  • An ECS instance is created. For more information, see Create an instance on the Custom Launch tab.

    Note
    • If you use HSMs such as electronic virtual security modules (EVSMs), general virtual security modules (GVSMs), and signature virtual security modules (SVSMs) in the Chinese mainland, the ECS instance must run Windows.

    • If you use HSMs such as GVSMs that are validated under the Federal Information Processing Standards (FIPS) of the National Institute of Standards and Technology (NIST) outside the Chinese mainland, the ECS instance must run Linux.

Purchase an HSM

  1. Log on to the Cloud Hardware Security Module console. In the top navigation bar, select the required region.

  2. On the Instances page, click Create HSM.

  3. On the Cloud Hardware Security Module buy page, configure the parameters and click Buy Now to complete the payment. The parameters are described below.

    Region

    The region of the HSM. For more information, see What is Cloud Hardware Security Module?

    Note

    An HSM can be accessed only from a VPC. The HSM, the VPC, and the ECS instance must reside in the same region.

    Device Model

    The type of the HSM. For more information, see HSM types.

    Deployment Mode

    • Dual-zone: At least two HSMs are deployed in different zones to implement cross-zone disaster recovery, which also makes it easier to create a cluster. Cloud Hardware Security Module selects the zones; you do not need to specify them.

    • Single-zone: The HSM is deployed in one zone.

    We recommend that you deploy HSMs in different zones to ensure business continuity if a data center in one zone fails.

    Note
    • Network connections can be established across zones only if the zones belong to the same region.

    • The HSM and the ECS instance can reside in different zones.

    Data Backup and Restoration

    Specifies whether to enable data backup and restoration to ensure data security and persistence.

    If the HSM is released, backup images of the HSM are retained for 90 days. After the retention period elapses, the backup images are automatically deleted. The cross-region image replication feature is provided to enhance disaster recovery capabilities.

    Image Quota

    The number of backup images that are retained for the HSM.

    An image is automatically created for an HSM at 00:00 (UTC+8) every day. When the number of images reaches the upper limit, the system automatically deletes the earliest image.

    Quantity

    The number of HSMs that you want to purchase.

    To ensure high availability of Cloud Hardware Security Module, we recommend that you purchase at least two HSMs. If you select Dual-zone, two HSMs are automatically purchased.

    Duration

    The subscription duration of the HSM.

    We recommend that you select Auto-renewal to prevent permanent loss of keys. If you do not renew your HSM before the subscription duration elapses, your keys may be permanently lost. If you select Auto-renewal, Alibaba Cloud automatically deducts fees from the Alibaba Cloud account that is used to purchase the HSM nine calendar days before the HSM expires. Make sure that the account balance is sufficient.

    After you purchase the HSM, you can view the HSM on the Instances page. The Status of the HSM is New.

Enable an HSM

Usage notes

  • Create an HSM cluster: You must enable the master HSM. You do not need to enable a non-master HSM.

  • Create an HSM from an image: You do not need to enable the HSM.

Procedure

  1. On the Instances page, find the HSM that you want to enable and click Enable in the Actions column.

  2. In the Configure HSM Instance dialog box, configure the parameters and click OK. The parameters are described below.

    VPC ID

    The VPC that you want to bind to the HSM.

    Important

    The VPC must be the same as the VPC of the ECS instance.

    VPC Subnet

    The subnet that you want to assign to the HSM in the VPC.

    Private IP Address

    The private IP address that you want to assign to the HSM.

    Important
    • The private IP address must belong to the subnet that is assigned to the HSM. Otherwise, the configuration fails.

    • The system reserves IP addresses whose last octet is 253, 254, or 255. Do not use the reserved IP addresses.

    Configure HSM Whitelist

    The range of the IP addresses that are allowed to access the HSM. IP addresses and CIDR blocks are supported. You can specify one IP address or one CIDR block in each row. You can specify up to 10 rows.

    • If you do not configure a whitelist, all IP addresses are allowed to access the HSM.

    • If you configure a whitelist, only the IP addresses in the whitelist are allowed to access the HSM.

    Important
    • If you create a cluster, add an HSM to the cluster, and configure a whitelist for the cluster, the whitelist of the cluster takes precedence over the whitelist of the HSM.

      For example, if you add 10.10.10.10 to the whitelist of an HSM and add 172.16.0.1 to the whitelist of the cluster that contains the HSM, you can access the HSM only from 172.16.0.1.

    • You cannot enter 0.0.0.0/0, because that value would allow requests from all IP addresses.

      For security reasons, we recommend that you do not allow requests from all IP addresses. If you want to allow requests from all IP addresses, do not configure the whitelist.
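The following added example (not Alibaba Cloud code; all function names are my own) applies the private IP address and whitelist rules above as pre-flight checks before the Configure HSM Instance form is submitted, and models the documented precedence of a cluster whitelist over an HSM whitelist. It assumes that when a cluster has no whitelist configured, the HSM's own whitelist still applies; the page does not state this case.

```python
import ipaddress

# Rules taken from the Configure HSM Instance parameter descriptions.
RESERVED_LAST_OCTETS = {253, 254, 255}  # reserved by the system
MAX_WHITELIST_ROWS = 10                  # one IP address or CIDR block per row


def check_private_ip(subnet, private_ip):
    """Return problems with the chosen private IP (an empty list means OK)."""
    problems = []
    net = ipaddress.ip_network(subnet, strict=False)
    addr = ipaddress.ip_address(private_ip)
    if addr not in net:
        problems.append(f"{private_ip} does not belong to subnet {subnet}")
    if addr.packed[-1] in RESERVED_LAST_OCTETS:  # last octet of an IPv4 address
        problems.append(f"{private_ip} uses a reserved last octet")
    return problems


def check_whitelist(rows):
    """Return problems with a proposed whitelist (an empty list means OK)."""
    problems = []
    if len(rows) > MAX_WHITELIST_ROWS:
        problems.append(f"{len(rows)} rows exceed the limit of {MAX_WHITELIST_ROWS}")
    for row in rows:
        try:
            net = ipaddress.ip_network(row.strip(), strict=False)
        except ValueError:
            problems.append(f"{row!r} is not an IP address or CIDR block")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 would allow every address
            problems.append(f"{row} allows all addresses; leave the whitelist empty instead")
    return problems


def effective_whitelist(hsm_rows, cluster_rows):
    """A configured cluster whitelist replaces the HSM whitelist.
    Assumption: with no cluster whitelist, the HSM whitelist still applies."""
    return list(cluster_rows) if cluster_rows else list(hsm_rows)


def is_allowed(client_ip, hsm_rows, cluster_rows=()):
    """True if client_ip may reach the HSM under the effective whitelist."""
    rows = effective_whitelist(hsm_rows, cluster_rows)
    if not rows:
        return True  # no whitelist configured: all IP addresses are allowed
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r.strip(), strict=False) for r in rows)
```

The subnet and addresses passed to these functions are constructed test values, not addresses from the page, except for the 10.10.10.10 and 172.16.0.1 precedence example.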

    If the configuration is successful, the value of Status of the HSM changes to Enabled.

References

For more information about how to purchase and configure an HSM for a KMS instance of the hardware key management type, see Configure an HSM cluster for a KMS instance of the hardware key management type.