Cloud Hardware Security Module (HSM) is a cloud-based hardware encryption solution that uses multiple encryption algorithms to reliably encrypt and decrypt your data. This service protects your data and helps you meet regulatory compliance requirements for data security.
Preliminary concepts
Before you read this topic, you should understand the following concepts:
Overview
Cloud Hardware Security Module (HSM) is built on hardware security modules that are certified by the State Cryptography Administration or validated against FIPS 140-2 Level 3. It leverages virtualization technology to help you meet regulatory compliance requirements for data security and protect the privacy of your business data on the cloud. With Cloud HSM, you can securely manage keys and use a range of encryption algorithms to encrypt and decrypt data. Cloud HSM can help you execute the following cryptographic computations:
Generate, store, import, export, and manage encryption keys, such as symmetric keys and asymmetric key pairs.
Use symmetric and asymmetric algorithms to encrypt and decrypt data.
Use hash functions to compute message digests and hash-based message authentication codes (HMACs).
Digitally sign data and verify signatures.
Generate cryptographically secure random data.
HSM provides technical consulting services for device initialization, cluster configuration, monitoring, and SDK integration. The service also provides commercial cryptography product certification certificates for HSM devices. However, the service does not include detailed documentation from third-party commercial cryptography application security assessment agencies. For more information, contact the Alibaba Cloud public cloud commercial cryptography assessment service.
HSM devices
An HSM is a virtualized resource created from the hardware cryptographic module of an HSM device. It has the same compliance status as a physical HSM device and supports full data encryption and decryption. HSM offers virtual security modules (VSMs) and dedicated HSMs. For detailed specifications, see Performance data of virtual cryptographic machines.
Virtual Cryptographic Machine
VSMs run in multi-tenant environments where hardware resources are shared among multiple users. They comply with the PRC Cryptography Law and are validated to FIPS 140-2 Level 3. VSMs are suitable for small and medium-sized enterprises or applications with moderate performance requirements. Supported VSM types include the following:
VSMs in the Chinese mainland: Financial Data VSM (EVSM), General-purpose Data VSM (GVSM), and Signature Verification Server (SVSM).
VSMs outside the Chinese mainland: General FIPS-compliant VSMs.
Dedicated HSMs
Dedicated HSMs allocate hardware resources exclusively to a single user. This ensures high throughput and low latency. They provide the highest level of physical security with a tamper-resistant design and comply with FIPS 140-2 and FIPS 140-3 standards. Dedicated HSMs are suitable for large enterprises, financial institutions, or scenarios that require the highest levels of security and performance. They are certified by authoritative bodies such as the State Cryptography Administration, NIST (FIPS 140-2 Level 3), and PCI HSM v3.
Scenarios
Migrate HSM applications from on-premises data centers to cloud servers
When you migrate an HSM application from your on-premises data center to Elastic Compute Service, you can replace the on-premises HSM with Cloud Hardware Security Module (HSM) to perform encryption, decryption, signing, signature verification, and other operations that protect your data in the cloud.
Finance and payment
For example, you can use EVSM for PIN encryption and PIN translation in securities trading and banking payment settlement to protect financial data. You can use SVSM for digital signing, signature verification, certificate parsing, and certificate chain validation on online payment clearing platforms to ensure authenticity, integrity, and non-repudiation.
Provide compliant encryption and decryption for applications
For example, you can use HSM to encrypt and decrypt sensitive data in application systems (through Alibaba Cloud Dedicated KMS), data in databases (database encryption applications), and data in file storage (file encryption applications).
Support SSL offloading for HTTPS websites
GVSM and EVSM in the Chinese mainland provide SSL offloading, which reduces server load and improves client response times. Additionally, the certificate private keys are generated inside the HSM, which keeps them off the web servers and prevents them from being leaked from there.
Protect certificate private keys
For digital certificates issued by certification authorities (CAs), you can store the certificate private keys in HSMs and have the HSMs perform the signing operations, so the private keys never leave the module.
Oracle Transparent Data Encryption (TDE) integration
HSM integrates with Oracle databases to provide Transparent Data Encryption (TDE). TDE stores encryption keys in an HSM outside the database and uses those keys to encrypt sensitive data in data files. This ensures the security of sensitive data.
Encrypt sensitive data
In industries such as public services, e-commerce, and finance, you can integrate HSM with applications to encrypt or store sensitive user data. This helps you meet security and compliance requirements.
Benefits
Regulatory compliance
VSMs in the Chinese mainland: Have passed the certification of the State Cryptography Administration and comply with cryptographic industry technical specifications. These specifications include GM/T 0028-2014 Security Requirements for Cryptographic Modules, GM/T 0030-2014 Specification for Server Cryptographic Machine, GM/T 0045-2016 Specification for Financial Data Cryptographic Machine, and GM/T 0029-2014 Specification for Signature Generation and Verification Server.
VSMs outside the Chinese mainland: Validated to FIPS 140-2 Level 3.
Rich industry-standard interfaces and encryption algorithms
HSM supports a wide range of industry-standard interfaces and encryption algorithms. For more information about supported interfaces and algorithms, see Performance data of virtual cryptographic machines.
For example, EVSM extends support for the domestic SM1, SM2, SM3, and SM4 cryptographic algorithms in finance while maintaining compatibility with existing financial security requirements. It complies with PBOC 2.0, PBOC 3.0, GP, and industry standards from the Ministry of Housing and Urban-Rural Development and the Ministry of Transport.
Secure key management
Device management and key management permissions are separated. Alibaba Cloud manages only the HSM hardware devices, which includes monitoring device availability and enabling services. You have full control over your keys. Alibaba Cloud cannot access your keys.
Elastic scalability
You can adjust the number of purchased HSMs based on your needs. You can use Server Load Balancer to meet varying encryption and decryption requirements.
Cluster high availability
HSM supports cluster management, which lets you add multiple HSMs to a cluster to improve availability and reduce the risk of service interruption and core data loss.
Easy to use in the cloud
You can deploy HSM in your specified Virtual Private Cloud (VPC). You can then manage and call it securely using a private IP address. This enables seamless integration with your cloud-based applications.
Supported regions and zones
The Chinese mainland

Region              Region ID      Zone
China (Hangzhou)    cn-hangzhou    Zone A, Zone G
China (Shanghai)    cn-shanghai    Zone A, Zone B, Zone F
China (Beijing)     cn-beijing     Zone A, Zone F, Zone K
China (Shenzhen)    cn-shenzhen    Zone A, Zone E
China (Chengdu)     cn-chengdu     Zone A, Zone B
China (Heyuan)      cn-heyuan      Zone A, Zone B
Outside the Chinese mainland

Region                     Region ID         Zone
China (Hong Kong)          cn-hongkong       Zone B, Zone C
Singapore                  ap-southeast-1    Zone A, Zone B
Malaysia (Kuala Lumpur)    ap-southeast-3    Zone A, Zone B
Indonesia (Jakarta)        ap-southeast-5    Zone A, Zone B
Glossary
HSM instance
An HSM instance is a virtualized resource created from the hardware cryptographic module of an HSM device. It meets the same compliance requirements as a physical HSM device and supports all HSM features, such as data encryption and decryption.
Authentication card (USB Key)
The authentication card is the unique identifier of a Cloud Hardware Security Module (HSM). It is used together with the HSM client management tool to manage keys and is available only for HSMs in the Chinese mainland.
Cluster Service
HSM provides cluster services. These services allow you to group multiple HSM instances across different zones in the same region that serve the same application. This enables centralized management and provides high availability, load balancing, and horizontal scalability for cryptographic operations. Each cluster includes one master HSM instance and multiple non-master HSM instances. All HSM instances in a zone share the same subnet.