Key Management Service:What is Cloud Hardware Security Module?

Overview

Cloud Hardware Security Module uses hardware security modules (HSMs) that are validated by Federal Information Processing Standards (FIPS) 140-2 Level 3 issued by the National Institute of Standards and Technology (NIST). Cloud Hardware Security Module also uses virtualization technologies to help you meet regulatory compliance requirements in data security and ensure the confidentiality of data in the cloud. Cloud Hardware Security Module allows you to manage keys in a secure and reliable manner and ensures reliable data encryption and decryption by using various encryption algorithms.

Cloud Hardware Security Module allows you to perform the following cryptographic operations:

• Generate, store, import, export, and manage encryption keys, including symmetric keys and asymmetric keys.

• Use symmetric and asymmetric algorithms to encrypt and decrypt data.

• Use hash functions to compute message digests and hash-based message authentication codes (HMACs).

• Sign data and verify signatures.

• Generate secure random data.

HSM

Cloud Hardware Security Module delivers capabilities based on HSMs. The service and HSMs comply with the same standards and offer data encryption and decryption capabilities. Cloud Hardware Security Module provides virtual security modules (VSMs) and dedicated HSMs. For more information about HSM specifications, see HSM types.

VSM

VSMs are deployed in a multi-tenant environment and shared by multiple users. VSMs comply with the Cryptography Law of the People's Republic of China and FIPS 140-2 Level 3. VSMs are suitable for small- and medium-sized enterprises or scenarios that require modest performance. Supported VSMs include electronic virtual security modules (EVSMs), general virtual security modules (GVSMs), signature virtual security modules (SVSMs), and FIPS-approved GVSMs.

Dedicated HSM

A dedicated HSM is exclusive to a single user. Dedicated HSMs ensure high throughput and low latency. Dedicated HSMs provide the highest level of physical security, have a tamper-resistant design, and comply with FIPS 140-2 Level 3. Dedicated HSMs are suitable for large enterprises, financial institutions, or scenarios that require extremely high security and performance. Dedicated HSMs comply with the Cryptography Law of the People's Republic of China, NIST FIPS 140-2 Level 3, and Payment Card Industry (PCI) HSM v3.

Scenarios

Benefits

• Secure key storage

  HSMs are used to protect keys. The hardware and firmware of HSMs are validated by FIPS 140-2 Level 3.

• Secure key management

  HSMs and keys are separately managed. Alibaba Cloud can manage only HSMs. For example, Alibaba Cloud monitors device availability metrics. Keys can be managed only by users. Alibaba Cloud cannot obtain keys.

• Scalability

  When you use Cloud Hardware Security Module, you can purchase HSMs based on your business requirements and use load balancing to meet different encryption and decryption requirements.

• Cluster-based high availability

  Cloud Hardware Security Module supports cluster management. You can add multiple HSMs to a cluster to achieve the high availability of HSMs and reduce the risks of service interruptions and core data loss.

• Ease of use on the cloud

  Cloud Hardware Security Module allows you to deploy HSMs in a virtual private cloud (VPC), and manage and call HSMs by using private IP addresses. Cloud Hardware Security Module also allows you to manage services on Elastic Compute Service (ECS) instances in an efficient manner.

Supported regions and zones

Limits

Terms

HSM

An HSM is the virtualized resource of an HSM device. An HSM must meet the same compliance requirements as an HSM device. You can use an HSM to implement all features of Cloud Hardware Security Module. You can also use an HSM to encrypt and decrypt data.