All Products
Search

This Product

    Key Management Service:Managed HSM overview

    Document Center

    Key Management Service:Managed HSM overview

    Last Updated:Mar 31, 2026

    Managed HSM is a Key Management Service (KMS) feature that gives you dedicated, certified hardware security modules (HSMs) on Alibaba Cloud. Your most sensitive keys are processed and stored only inside validated hardware—never exposed outside the hardware security boundary—and you manage none of the underlying infrastructure.

    Benefits

    • Hardware-backed key protection: Plaintext key material is processed and stored only inside HSMs. Keys never cross the hardware security boundary.

    • Certified compliance: HSMs are validated to State Cryptography Administration (SCA) standards in the Chinese mainland and to Federal Information Processing Standards (FIPS) 140-2 Level 3 and Payment Card Industry Data Security Standard (PCI DSS) in other regions.

    • No infrastructure overhead: Alibaba Cloud handles hardware lifecycle management, HSM cluster management, high availability, scalability, system patching, and most disaster recovery operations. You control the HSMs and the generation and use of your encryption keys.

    • Pay-as-you-go pricing: Avoid the upfront cost of procuring on-premises HSMs and the ongoing R&D and O&M costs.

    Use cases

    • Encryption at rest for cloud workloads: Integrate Managed HSM with Elastic Compute Service (ECS) and ApsaraDB RDS to encrypt data at rest without R&D investment. Key version management, automatic key rotation, resource tag management, and controlled authorization are built in.

    • Full key lifecycle control with BYOK: Use Managed HSM together with the Bring Your Own Key (BYOK) feature to control how key material is generated, processed, and persisted. Imported key material can be destroyed but cannot be exported.

    • Meeting strict compliance requirements: Organizations in financial services, government, and other regulated industries can use Managed HSM to satisfy FIPS 140-2 Level 3, PCI DSS, or SCA certification requirements without deploying and certifying their own HSM hardware.

    Supported regions

    RegionCertification typeRegion ID
    China (Beijing)State Cryptography Administration (SCA) certificationcn-beijing
    China (Zhangjiakou)SCA certificationcn-zhangjiakou
    China (Hangzhou)SCA certificationcn-hangzhou
    China (Shanghai)SCA certificationcn-shanghai
    China (Shenzhen)SCA certificationcn-shenzhen
    China (Hong Kong)FIPS 140-2 Level 3cn-hongkong
    SingaporeFIPS 140-2 Level 3ap-southeast-1
    Malaysia (Kuala Lumpur)FIPS 140-2 Level 3ap-southeast-3
    Indonesia (Jakarta)FIPS 140-2 Level 3ap-southeast-5
    US (Virginia)FIPS 140-2 Level 3us-east-1

    Compliance

    Alibaba Cloud offers HSMs certified by different third-party organizations to meet local regulatory requirements. Financial services, government, and other regulated industries can use these certifications to satisfy their compliance obligations.

    Regions in the Chinese mainland

    • SCA certification: Alibaba Cloud HSMs have passed certification by agencies designated by the State Cryptography Administration (SCA).

    • SCA compliance: HSMs comply with SCA technical requirements and provide commercial cryptographic algorithms that meet national and industrial standards.

    Regions outside the Chinese mainland

    • FIPS 140-2 Level 3 validation: HSM hardware and firmware have passed FIPS 140-2 Level 3 validation. HSMs run in FIPS Approved Level 3 mode of operation.

    • PCI DSS: HSMs comply with Payment Card Industry Data Security Standard (PCI DSS) requirements.

    Check whether an HSM meets your specific compliance requirements before use.

    How it works

    Hardware protection

    HSMs are highly secure hardware devices that perform cryptographic operations and generate and store keys. The plaintext key material of your keys is processed only inside HSMs and kept within their hardware security boundary at all times.

    Secure key generation

    Managed HSMs use a licensed random number generation algorithm with high entropy to generate key material. This protects keys from being recovered or predicted by attackers.

    Key control with BYOK

    When you use Managed HSM together with BYOK, you have full control over:

    • How key material is generated

    • How key material is processed (imported key material can be destroyed but cannot be exported)

    • The lifecycle of keys

    • The persistence of keys