You can use the data backup and restoration feature to restore an HSM to a previous data state or replicate its data to another HSM in the same or a different region. This is useful for data recovery or deploying services across multiple regions.
Features
Each backup operation performs a full backup of the HSM data and generates an image. If you use an existing image to perform a new backup, the data in that image is overwritten. Cloud Hardware Security Module lets you back up an entire cluster or a single HSM instance.
Backup content
Backup data | Description |
User information | User accounts, passwords, and identity types. |
Certificate information | Cluster certificates and self-signed certificates. |
Keys | Keys and their attributes, such as key identifiers, key types, key usage, key status, owner information, Key Check Value (KCV) identifiers, elliptic curve types (for ECC keys only), and CRT parameters (for RSA keys only). |
A hardware-protected key from KMS is a type of key that relies on an HSM. It contains both key material (the HSM-managed key) and key metadata. The HSM can back up the key material, but not the key metadata.
Key material consists of the core cryptographic parameters generated and managed by KMS within the physically isolated HSM environment.
Key metadata includes business-related information stored in KMS, such as the key ID, the associated KMS instance, ARN, and key policy.
Backup types and comparison
Cloud Hardware Security Module provides three backup types: Auto-created, Default, and Paid.
(Recommended) Auto-created: This backup is enabled when you purchase an HSM or upgrade an existing instance. The backup is bound to the HSM instance and runs automatically at 00:00 (UTC+8) every day.
Default: One free backup is provided per region, which you must bind to an HSM to use. This backup has a quota of only one image, and each new backup overwrites the existing image.
Paid: A standalone backup that you purchase separately. Each backup must be bound to an HSM. You can have up to 100 images per paid backup.
Item | Auto-created | Default | Paid |
Number of images | You can select 1 to 100 images when you purchase. Each image can be used to back up HSM data once. Images cannot be reset or deleted. If the image quota is reached, the oldest image is overwritten. | This allows for one backup. To perform a new backup, you must reset the image. | You can select 1 to 100 images when you purchase. Each image can be used to back up HSM data once. You can reset images to perform new backups. Note: When you reset a backup, all images within it are reset. You cannot reset a single image. |
Backup expiration | The backup and all its image data are automatically deleted 90 days after the HSM instance is released. You cannot manually delete the backup. Before it is deleted, you can still perform cross-region copy and instance restore operations. | Never expires. | This depends on the subscription period. No operations can be performed after the backup expires. The backup and all its image data are released 180 days after expiration. You can reactivate the backup before it is released. The reactivation fee is the same as purchasing a new backup of the same specification. |
Backup method | Full backup. Only automatic backups are supported. If you enable the data backup and restoration feature on Day T, the first backup starts at 00:00 (UTC+8) on Day T+1. Subsequent backups run daily at 00:00 (UTC+8). Each backup creates one image. If the image quota is reached, the newly created image overwrites the oldest one. | Full backup. Both manual and automatic backups are supported. For automatic backups, you can set the backup interval to 1, 3, 7, or 30 days, and select a specific hour for the backup to start. | Full backup. Both manual and automatic backups are supported. For automatic backups, you can set the backup interval to 1, 3, 7, or 30 days, and select a specific hour for the backup to start. |
Fees | Charged based on the number of images selected. Each image costs CNY 50. | Free of charge. | Charged based on the number of images selected. Each image costs CNY 50. |
Backups cannot be downloaded
Backups and their images cannot be downloaded or inspected. This design reduces the risk of unauthorized data copying or leakage.
Operation audit
All backup and restoration operations are recorded and can be queried in ActionTrail.
Backup and restoration workflows
Use case 1: Restore all HSMs in a cluster
To restore the data of an HSM cluster, you must first remove all HSMs from the cluster, then recreate the HSMs from an image and redeploy the cluster. This process deletes all data in the cluster. The following workflow is for reference only. We recommend contacting technical support before you perform this operation.
Use case 2: Replicate data to a cross-region cluster
The following workflow outlines the process. Because HSMs require a dual-availability zone deployment, you must purchase at least two HSMs in Region B. After purchase, do not enable or initialize the HSMs.
Procedure
Back up HSM data
Before you back up data, ensure the status of the HSM instance is Enabled.
Auto-created
You can enable data backup and restoration when you purchase an HSM instance. In this case, because HSMs require a cluster deployment, you must purchase at least two HSMs across two availability zones. This method enables data backup and restoration for all purchased HSMs. Alternatively, you can enable the feature for a single HSM later if you did not enable it at the time of purchase.
Method 1: Enable data backup and restoration when purchasing an HSM instance.
For more information, see Purchase an HSM instance. After the purchase is successful, backups are created automatically on schedule. You can view the backups on the Data Backup and Restoration page.
Method 2: Enable the data backup and restoration feature for an existing HSM instance.
Go to the Virtual HSM Instances page of the CloudHSM console. In the top navigation bar, select the destination region.
Find the target HSM and, in the Actions column, click .
Note: If the Upgrade option is not available, the data backup and restoration feature may already be enabled for this HSM.
On the Upgrade page, enable data backup and restoration, select the number of images, read and select the terms of service, and then click Buy Now. Follow the prompts to complete the payment.
After the purchase is successful, backups are created automatically on schedule. You can see the name of the generated backup on the Data Backup and Restoration page.

Default
Go to the Data Backup and Restore Management page of the CloudHSM console. In the top navigation bar, select the destination region.
On the Data Backup and Restoration page, locate the Default backup and click Enable in the Actions column.
In the Enable Backup dialog box, select the HSM instance that you want to back up and click OK.
Click the Backup Name and configure the backup method on the details page.
By default, images are created manually after you enable the backup. You can also set up automatic backups, which allows Cloud Hardware Security Module to generate images based on your specified schedule.
Backup method
Description
Automatic image generation
Important: Switching from manual to automatic backups deletes existing image data. Conversely, switching from automatic back to manual preserves existing image data.
On the backup details page, click Manage Automatic Backup Tasks.
In the Manage Automatic Backup Tasks dialog box, configure the Images, Backup Cycle, and Backup Start Time, and then click OK.
Note: After you enable or modify the automatic backup settings, Cloud Hardware Security Module creates an image at the next scheduled start time and then continues to back up data based on the specified period.
For example, if you modify the automatic backup settings at 05:00 on June 1 and set the Backup Start Time to 07:00, a backup is created at 07:00 on June 1, and subsequent backups follow the specified period. If you make the change at 10:00, the next backup occurs at 07:00 on June 2.
The Default backup has only one image. The next automatic backup overwrites the existing image.
Manual image generation
On the backup details page, click Generate Image in the Actions column for the image.
In the Generate Image dialog box, click OK.
Image creation takes about 1 minute. After the process is complete, Status changes from Creating to Enabled.
Paid
Purchase a backup.
Go to the Data Backup and Restore Management page of the CloudHSM console. In the top navigation bar, select the destination region.
Click Create Backup, configure the parameters, and then click Create Backup.
Parameter | Description |
Region | Select the region where the HSM instance to be backed up is located. |
HSM Service Type | Select HSM Data Backup. |
Image Expansion | The number of available backup images. You can set this to a maximum of 100. |
Quantity | The number of backups. Each backup can back up one HSM. |
Subscription Duration | The subscription duration for the backup. We recommend that you enable auto-renewal to prevent permanent data loss due to an expired subscription. |
Confirm the order details, read and select the terms of service, and then click Pay to complete the purchase.
After the purchase is successful, you can view the newly purchased backup on the Data Backup and Restoration page.
Locate the target backup and click Enable in the Actions column. In the Enable Backup dialog box, select the HSM instance to back up and click OK.
Click the Backup Name and configure the backup method on the details page.
By default, images are created manually after you enable the backup. You can also set up automatic backups, which allows Cloud Hardware Security Module to generate images based on your specified schedule.
Backup method
Description
Automatic image generation
Important: Switching from manual to automatic backups deletes existing image data. Conversely, switching from automatic back to manual preserves existing image data.
On the backup details page, click Manage Automatic Backup Tasks.
In the Manage Automatic Backup Tasks dialog box, configure the Images, Backup Cycle, and Backup Start Time, and then click OK.
Note: After you enable or modify the automatic backup settings, Cloud Hardware Security Module creates an image at the next scheduled start time and then continues to back up data based on the specified period.
For example, if you modify the automatic backup settings at 05:00 on June 1 and set the Backup Start Time to 07:00, a backup is created at 07:00 on June 1, and subsequent backups follow the specified period. If you make the change at 10:00, the next backup occurs at 07:00 on June 2.
If a backup instance has multiple images configured for automatic backup, the next automatic backup overwrites the oldest image once all images have been used.
Manual image generation
On the backup details page, locate the target image ID and click Generate Image in the Actions column.
In the Generate Image dialog box, click OK.
Image creation takes about 1 minute. After the process is complete, Status changes from Creating to Enabled.
If the number of images does not meet your requirements, you can click Extend Images to increase the quantity.
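The start-time rule and the oldest-image overwrite rule described above together determine how far back a restore can reach. The following Python is an added example, not Alibaba Cloud code or a CloudHSM API: it models both rules for a Default or Paid backup. The function names, the year 2024, and the handling of a change made exactly at the start time are assumptions.

```python
from datetime import datetime, timedelta

ALLOWED_CYCLES = (1, 3, 7, 30)  # backup cycles in days, as listed on this page


def first_backup(changed_at: datetime, start_hour: int) -> datetime:
    """Next scheduled start time after the settings were enabled or modified."""
    run = changed_at.replace(hour=start_hour, minute=0, second=0, microsecond=0)
    # Assumption: a change made exactly at the start time misses that day's run.
    return run if changed_at < run else run + timedelta(days=1)


def backup_runs(changed_at, start_hour, cycle_days, as_of):
    """Every automatic backup time from the first run up to and including as_of."""
    if cycle_days not in ALLOWED_CYCLES or not 0 <= start_hour <= 23:
        raise ValueError("unsupported backup cycle or start hour")
    runs, run = [], first_backup(changed_at, start_hour)
    while run <= as_of:
        runs.append(run)
        run += timedelta(days=cycle_days)
    return runs


def restorable_images(changed_at, start_hour, cycle_days, image_quota, as_of):
    """Images that still exist at as_of. Once every image has been used, each
    new backup overwrites the oldest one, so only the newest image_quota remain."""
    if not 1 <= image_quota <= 100:
        raise ValueError("image quota must be between 1 and 100")
    return backup_runs(changed_at, start_hour, cycle_days, as_of)[-image_quota:]


def restore_reach(changed_at, start_hour, cycle_days, image_quota, as_of):
    """Age of the oldest restorable image at as_of, or None before the first run."""
    images = restorable_images(changed_at, start_hour, cycle_days, image_quota, as_of)
    return as_of - images[0] if images else None


if __name__ == "__main__":
    changed = datetime(2024, 6, 1, 5, 0)   # constructed date; the page gives no year
    now = datetime(2024, 6, 20, 12, 0)     # constructed time at which a restore is needed
    # Default backup: one image, here on a 7-day cycle starting at 07:00.
    print("Default:", restorable_images(changed, 7, 7, 1, now), restore_reach(changed, 7, 7, 1, now))
    # Paid backup: three images on a daily cycle.
    print("Paid:", restorable_images(changed, 7, 1, 3, now), restore_reach(changed, 7, 1, 3, now))
```

With one image and a long cycle, the only restore point can be days or weeks old. With a daily cycle and few images, a problem noticed late may already be present in every remaining image.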
Copy an image across regions
You can copy images only between regions in the Chinese mainland. After you copy an image, a new backup with the Backup Type of Cross-region Copy is automatically created in the destination region. This new backup contains the copied image. For example, you can copy an image from the China (Hangzhou) region to the China (Shanghai) region.
Go to the Data Backup and Restore Management page of the CloudHSM console. In the top navigation bar, select the destination region.
Find the target backup and click View Image in the Actions column.
Find the target Image ID and click Cross-region Copy in the Actions column.
In the Copy Image dialog box, select a Destination Region and click OK.
Switch to the destination region and view the image on the Data Backup and Restoration page.
Find the backup whose Backup Type is Cross-region Copy and click View Image in the Actions column.
Note: This backup contains all images that have been copied from other regions and does not expire.
Find the copied image based on its creation time.
Hover over the icon next to the image ID to view the original backup ID, original image ID, original instance ID, and original region.
Restore HSM data from an image
Using an image, you can either restore an HSM's original data or create a new, identical HSM.
The destination HSM must meet the following prerequisites:
The HSM instance must be in the same region as the backup. For a cross-region restoration, you must first copy the image to the destination region.
The HSM instance must be of the same type as the source HSM.
The HSM is not part of a cluster.
The HSM status is Not Enabled or Stopped.
The HSM has not been initialized.
Prepare an HSM instance.
If no HSM instance is available in the destination region, purchase one first. For more information, see Purchase an HSM instance.
Important: Do not enable the HSM instance after purchase.
If the destination HSM is already in use, contact Alibaba Cloud technical support to stop and reset the instance.
Find the target image.
Go to the Data Backup and Restore Management page of the CloudHSM console. In the top navigation bar, select the destination region.
On the Data Backup and Restoration page, find the target image.
For same-region restoration: Find the target backup and click View Image in the Actions column.
For cross-region restoration: Find the backup whose Backup Type is Cross-region Copy and click View Image in the Actions column.
Locate the target Image ID and click Restore Instance in the Actions column.
In the Restore Instance dialog box, select an Instance and click OK.
After the restoration is successful, the data from the image is copied to the destination HSM.
Reset a backup
The reset operation unbinds a backup from its HSM instance. Only backups with a Backup Type of Paid or Default can be reset. Resetting deletes only the data within the images and does not affect your services.
When you reset a backup, all data in its images is permanently deleted. Proceed with caution.
Go to the Data Backup and Restore Management page of the CloudHSM console. In the top navigation bar, select the destination region.
On the Data Backup and Restoration page, locate the target backup and click Reset in the Actions column.
In the confirmation dialog box, verify the information and click OK. After the reset is complete, the backup status changes to Disabled.