Managed HSM is an important feature of Key Management Service (KMS) to enable easy access to certified Hardware Security Modules (HSMs) provided by Alibaba Cloud.

An HSM is a hardware device that performs cryptographic operations, and generates and stores keys. You can protect your most sensitive workloads and assets provided by Alibaba Cloud, by hosting keys in these highly secure hardware devices.

Supported regions

You can use Managed HSM in the following regions. This feature will be provided in more regions later.
Region name City Certification type Region ID
China (Beijing) Beijing SCA certification cn-beijing
China (Shanghai) Shanghai SCA certification cn-shanghai
China (Hong Kong) Hong Kong FIPS 140-2 Level 3 cn-hongkong
Singapore (Singapore) Singapore FIPS 140-2 Level 3 ap-southeast-1
Australia (Sydney) Sydney FIPS 140-2 Level 3 ap-southeast-2

Compliance

Managed HSM can help you meet stringent regulatory requirements. Based on different regulatory requirements in each local market, Alibaba Cloud offers HSMs certified by different third-party organizations to meet your localization and internationalization requirements.

For regions in mainland China,

  • SCA certification: Alibaba Cloud HSMs have passed the certification by the agencies designated by State Cryptography Administration (SCA).
  • SCA compliance: Alibaba Cloud Managed HSM complies with the relevant technical requirements and specifications of SCA and provides Alibaba Cloud users with commercial cryptographic algorithms that comply with national and industrial standards.
For regions outside mainland China,
  • FIPS validation for hardware: Alibaba Cloud HSMs, including their hardware and firmware, have passed FIPS 140-2 Level 3 validation (Certificate #3254).
  • FIPS 140-2 Level 3 compliance: Alibaba Cloud Managed HSM runs under FIPS Approved Level 3 mode of operation.
  • PCI DSS: Alibaba Cloud Managed HSM complies with PCI DSS requirements.

High security assurance

  • Hardware protection

    Managed HSM helps you protect keys in KMS through hardware mechanisms. The plaintext key material of CMKs is only processed inside HSMs for key operations. It is kept within the hardware security boundary of HSMs.

  • Secure key generation

    Randomness is crucial to the encryption strength of keys. Managed HSM uses a random number generation algorithm that is secure and licensed and has high system entropy seeds to generate key material. This protects keys from being recovered or predicted by attackers.

Ease of operation

Alibaba Cloud fully manages HSM hardware. This eliminates the costs otherwise incurred by the following hardware management operations:
  • Hardware lifecycle management
  • HSM cluster management
  • High availability and scalability management
  • System patching
  • Most disaster recovery operations

Ease of integration

Native key management capabilities allow you to use the following features:
  • Key version management
  • Automatic key rotation
  • Resource tag management
  • Controlled authorization

These features enable rapid integration of your applications with HSMs, as well as integration of ECS, RDS, and other cloud services with Managed HSM. You can implement static encryption of cloud data without paying any R&D costs.

Key control

Managed HSM allows you to better control encryption keys on the cloud and move the most sensitive computing tasks and assets to the cloud.

When using both Managed HSM and Bring Your Own Key (BYOK), you can have full control over the following items:

  • How key material is generated
  • The key material that you import to the managed HSM cannot be exported, but can be destroyed.
  • Key lifecycle
  • Key persistence

Cost-effectiveness

You can benefit from the pay-as-you-go billing method of cloud computing. Compared with user-created key infrastructure by using local HSMs, Managed HSM eliminates hardware procurement costs, as well as subsequent R&D and O&M costs.