Key Management Service:What is Cloud Hardware Security Module?

Last Updated: Aug 01, 2024

Cloud Hardware Security Module is a hardware encryption solution that is deployed on the cloud. It provides multiple encryption algorithms that you can use to encrypt and decrypt service data in the cloud in a reliable manner. This helps you keep your data secure and meet regulatory compliance requirements for data security.

Overview

Cloud Hardware Security Module uses hardware security modules (HSMs) that are validated to Federal Information Processing Standards (FIPS) 140-2 Level 3, a standard issued by the National Institute of Standards and Technology (NIST). Cloud Hardware Security Module also uses virtualization technologies to help you meet regulatory compliance requirements for data security and ensure the confidentiality of data in the cloud. It allows you to manage keys in a secure and reliable manner and to encrypt and decrypt data reliably by using various encryption algorithms.

Cloud Hardware Security Module allows you to perform the following cryptographic operations:

  • Generate, store, import, export, and manage encryption keys, including symmetric keys and asymmetric keys.

  • Use symmetric and asymmetric algorithms to encrypt and decrypt data.

  • Use hash functions to compute message digests and hash-based message authentication codes (HMACs).

  • Sign data and verify signatures.

  • Generate secure random data.

HSM

Cloud Hardware Security Module delivers its capabilities on top of HSMs. The service and the HSMs comply with the same standards and offer data encryption and decryption capabilities. Cloud Hardware Security Module provides two kinds of modules: virtual security modules (VSMs) and dedicated HSMs. For more information about HSM specifications, see HSM types.

VSM

VSMs are deployed in a multi-tenant environment and shared by multiple users. VSMs comply with the Cryptography Law of the People's Republic of China and FIPS 140-2 Level 3. VSMs are suitable for small- and medium-sized enterprises or scenarios that require modest performance. Supported VSMs include electronic virtual security modules (EVSMs), general virtual security modules (GVSMs), signature virtual security modules (SVSMs), and FIPS-approved GVSMs.

Dedicated HSM

A dedicated HSM is exclusive to a single user. Dedicated HSMs ensure high throughput and low latency. Dedicated HSMs provide the highest level of physical security, have a tamper-resistant design, and comply with FIPS 140-2 Level 3. Dedicated HSMs are suitable for large enterprises, financial institutions, or scenarios that require extremely high security and performance. Dedicated HSMs comply with the Cryptography Law of the People's Republic of China, NIST FIPS 140-2 Level 3, and Payment Card Industry (PCI) HSM v3.

Scenarios

Benefits

  • Secure key storage

    HSMs are used to protect keys. The hardware and firmware of HSMs are validated by FIPS 140-2 Level 3.

  • Secure key management

    HSMs and keys are managed separately. Alibaba Cloud manages only the HSMs themselves, for example by monitoring device availability metrics. Keys can be managed only by users; Alibaba Cloud cannot obtain keys.

  • Scalability

    When you use Cloud Hardware Security Module, you can purchase as many HSMs as your business requires and distribute encryption and decryption requests across them with load balancing to meet different performance requirements.

  • Cluster-based high availability

    Cloud Hardware Security Module supports cluster management. You can add multiple HSMs to a cluster to achieve the high availability of HSMs and reduce the risks of service interruptions and core data loss.

  • Ease of use on the cloud

    Cloud Hardware Security Module allows you to deploy HSMs in a virtual private cloud (VPC), and manage and call HSMs by using private IP addresses. Cloud Hardware Security Module also allows you to manage services on Elastic Compute Service (ECS) instances in an efficient manner.
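The scalability and cluster-based high availability points above describe what the service provides on its side. An application that calls the cluster still has to spread requests across the cluster members and stop sending requests to a member it cannot reach. The following Python is an added example, not Alibaba Cloud code or any part of its SDK: it assumes a cluster whose members are reachable over private VPC addresses (the 10.0.1.x values are constructed) and hides the per-request network call behind a hypothetical `transport` callable, which is replaced here by an in-memory stand-in so the code runs offline.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List


class HsmUnavailable(Exception):
    """Raised when no cluster member can serve the request."""


@dataclass
class Member:
    address: str              # private IP of one HSM in the VPC (constructed value)
    failures: int = 0         # consecutive failures observed on this member
    down_until: float = 0.0   # clock value until which the member is skipped


class ClusterClient:
    """Round-robin over HSM cluster members with failure counting and cooldown.

    `transport(address, op, payload) -> bytes` is a hypothetical callable that
    performs one request against one HSM. It is injected so that the failover
    logic can be exercised without a real module.
    """

    def __init__(self, addresses: Iterable[str], transport: Callable,
                 max_failures: int = 3, cooldown_s: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.members: List[Member] = [Member(a) for a in addresses]
        if not self.members:
            raise ValueError("cluster needs at least one member")
        self._transport = transport
        self._max_failures = max_failures
        self._cooldown_s = cooldown_s
        self._clock = clock
        self._next = 0  # round-robin pointer

    def _candidates(self) -> List[Member]:
        """Members not in cooldown, ordered from the round-robin pointer."""
        now = self._clock()
        n = len(self.members)
        order = [self.members[(self._next + i) % n] for i in range(n)]
        self._next = (self._next + 1) % n
        return [m for m in order if m.down_until <= now]

    def call(self, op: str, payload: bytes) -> bytes:
        """Try each healthy member once; quarantine members that keep failing."""
        last_error = None
        for m in self._candidates():
            try:
                result = self._transport(m.address, op, payload)
            except (ConnectionError, TimeoutError) as exc:
                last_error = exc
                m.failures += 1
                if m.failures >= self._max_failures:
                    m.down_until = self._clock() + self._cooldown_s
                    m.failures = 0
                continue
            m.failures = 0  # a success clears the failure streak
            return result
        raise HsmUnavailable(f"all cluster members failed or are in cooldown: {last_error!r}")


def make_fake_transport(dead: set):
    """Constructed stand-in for the network call to an HSM.

    Members listed in `dead` refuse connections; the others answer a
    'digest' request with SHA-256, standing in for an HSM-side operation.
    """
    def transport(address: str, op: str, payload: bytes) -> bytes:
        if address in dead:
            raise ConnectionError(f"no route to {address}")
        if op == "digest":
            return hashlib.sha256(payload).digest()
        raise ValueError(f"unsupported op {op!r}")
    return transport


if __name__ == "__main__":
    clock = [0.0]
    client = ClusterClient(["10.0.1.11", "10.0.1.12", "10.0.1.13"],
                           make_fake_transport({"10.0.1.12"}),
                           max_failures=2, cooldown_s=30.0,
                           clock=lambda: clock[0])
    for _ in range(5):
        client.call("digest", b"order-4711")
    print("member states:", [(m.address, m.down_until) for m in client.members])
```

The client never sees key material: it only forwards operation names and payloads, so a member being quarantined or replaced changes nothing about where keys live. The cooldown keeps a flapping member from absorbing every request's first attempt while still letting it rejoin once the clock passes `down_until`.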

Supported regions and zones

| Region name | Region ID | Zone |
| --- | --- | --- |
| China (Hong Kong) | cn-hongkong | Hong Kong Zone B and Hong Kong Zone C |
| Singapore | ap-southeast-1 | Singapore Zone A and Singapore Zone B |
| SAU (Riyadh - Partner Region) | me-central-1 | Riyadh - Partner Region Zone A and Riyadh - Partner Region Zone B |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | Kuala Lumpur Zone A and Kuala Lumpur Zone B |

Limits

The following table describes the limits of Cloud Hardware Security Module. The limits cannot be adjusted.

| Item | Limit |
| --- | --- |
| The number of keys that an HSM can manage | 3,300 |
| The number of users that are supported by an HSM | 1,024 |
| The length of a username | 31 characters |
| The length of a password | 7 to 32 characters |

Terms

HSM

In Cloud Hardware Security Module, an HSM is a virtualized resource backed by a physical HSM device, and it must meet the same compliance requirements as that device. You can use an HSM to implement all features of Cloud Hardware Security Module, including encrypting and decrypting data.