Key Management Service:Specifications and performance

Last Updated:Dec 19, 2024

This topic describes General Virtual Security Modules (GVSMs), one type of Virtual Security Module (VSM) supported by Cloud Hardware Security Module, including their API specifications, encryption algorithms, and performance references.

GVSMs

Cloud Hardware Security Module supports Federal Information Processing Standards (FIPS)-certified General Virtual Security Modules (GVSMs). The hardware and firmware of GVSMs are validated to FIPS 140-2 Level 3. GVSMs allow you to manage keys in a secure and reliable manner and provide reliable data encryption and decryption with multiple encryption algorithms.

The following table describes the API specifications, encryption algorithms, and performance references of GVSMs.

API specifications
  PKCS#11 is used.

Encryption algorithms
  • Symmetric encryption algorithms: Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys
  • Asymmetric encryption algorithms: Rivest-Shamir-Adleman (RSA) with key lengths from 2048 to 4096 bits, and elliptic curve cryptography (ECC)
  • Digest algorithms: Secure Hash Algorithm 1 (SHA-1), SHA-256, SHA-384, and SHA-512

Performance references
  • RSA-2048 signing and verification: 1,100 operations per second
  • EC P-256 point multiplication: 315 operations per second
  • AES-256 encryption throughput (duplex communication): 300 MB per second
  • RSA-2048 key generation: 0.5 key pairs per second
  • Random number generation: 20 MB per second

Cluster

Cloud Hardware Security Module provides the cluster feature. You can use this feature to associate and centrally manage a group of VSMs that reside in different zones of the same region and are used by the same service. The feature provides high availability, load balancing, and scale-out capabilities for cryptographic operations. A cluster includes one master VSM instance and multiple non-master VSM instances. Within a cluster, VSM instances that reside in the same zone use the same subnet.