This topic describes how to use managed hardware security modules (HSMs) to create and use customer master keys (CMKs).

Background information

Managed HSMs are supported only in some regions. For more information, see Supported regions.

Create a CMK in the KMS console

  1. Log on to the KMS console.
  2. In the left-side navigation pane, click Keys.
  3. Click Create Key.
  4. In the Create Key dialog box, set the KeyStore, Key Spec, Purpose, Alias Name, Protection Level, Description, Rotation Period, and Key Material Source parameters.
    • Set the Protection Level parameter to Hsm.
    • For more information about the parameters, see Create a CMK.
  5. Click OK.
    After the CMK is created, you can view its protection level in the Protection Level column.

Create a CMK by using Alibaba Cloud CLI

  1. Call the CreateKey operation to create a CMK.
    aliyun kms CreateKey --ProtectionLevel HSM --Description "Key1 in Managed HSM"
  2. Call the DescribeKey operation to query the protection level of the created CMK.
    aliyun kms DescribeKey --KeyId 1234abcd-12ab-34cd-56ef-12345678****

    Expected output:

      "KeyMetadata": {
        "CreationDate": "2019-07-04T13:14:15Z",
        "Description": "Key1 in Managed HSM",
        "KeyId": "1234abcd-12ab-34cd-56ef-12345678****",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT/DECRYPT",
        "DeleteDate": "",
        "Creator": "151266687691****",
        "Arn": "acs:kms:cn-hongkong:151266687691****:key/1234abcd-12ab-34cd-56ef-12345678****",
        "Origin": "Aliyun_KMS",
        "MaterialExpireTime": "",
        "ProtectionLevel": "HSM"
      "RequestId": "8eaeaa8b-4491-4f1e-a51e-f95a4e54620c"

Import external CMKs to a managed HSM

You can import an external CMK from user-managed key infrastructure to a managed HSM. The prerequisite is that you have set the Protection Level parameter to HSM when you create the external CMK. For more information about how to create an external CMK, see Import key material in the KMS console.

After you trigger the import, KMS performs the following operations:
  • Calls the GetParametersForImport operation. During this process, KMS generates a key pair in a managed HSM to import the external CMK based on the HSM protection level and returns the public key of the key pair.
  • Calls the ImportKeyMaterial operation. During this process, KMS imports the encrypted external key material to the managed HSM and then obtains the plaintext of the key material by using the key unwrapping mechanism of the managed HSM. The plaintext of the key material can no longer be exported.

Manage and use CMKs

You can apply all management and cryptographic features that are supported by KMS to CMKs created in managed HSMs. You can perform the following operations on these CMKs:
  • Enable and disable CMKs.
  • Manage the time-to-live (TTL) periods of CMKs.
  • Manage the aliases of CMKs.
  • Manage the tags of CMKs.
  • Call cryptographic API operations.

Integration with other Alibaba Cloud services

CMKs in managed HSMs can be used to protect native data in other Alibaba Cloud services, such as Elastic Compute Service (ECS), ApsaraDB RDS, and Object Storage Service (OSS), by using the standard API of KMS. The prerequisite is that the Alibaba Cloud service supports server-side encryption (SSE) by using user-managed CMKs. To use this feature, you need only to configure a CMK in a managed HSM for the Alibaba Cloud service to implement SSE.