This topic describes how to use the Managed HSM feature to create and use keys.


An Alibaba Cloud account is created. To create an Alibaba Cloud account, visit the account registration page.

Background information

Managed HSM is supported only in some regions. For more information about the supported regions, see Supported regions.

Create a key in the KMS console

  1. Log on to the KMS console.
  2. On the Keys page, click Create Key.
  3. In the Create Key dialog box, enter an alias in the Alias Name field.
  4. Select HSM from the Protection Level drop-down list.
  5. Enter a description. Click OK.
    After the key is created, you can view its Protection Level attribute on the Keys page and Key Details page.

Use Alibaba Cloud CLI to create a key

  1. Use Alibaba Cloud CLI to run the following command:
    aliyun kms CreateKey --ProtectionLevel HSM --Description "Key1 in Managed HSM"
  2. Call the DescribeKey operation to check the protection level of the created key.
      "KeyMetadata": {
        "CreationDate": "2019-07-04T13:14:15Z",
        "Description": "Key1 in Managed HSM",
        "KeyId": "1234abcd-12ab-34cd-56ef-12345678****",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT/DECRYPT",
        "DeleteDate": "",
        "Creator": "111122223333",
        "Arn": "acs:kms:cn-hongkong:111122223333:key/1234abcd-12ab-34cd-56ef-12345678****",
        "Origin": "Aliyun_KMS",
        "MaterialExpireTime": "",
        "ProtectionLevel": "HSM"
      "RequestId": "8eaeaa8b-4491-4f1e-a51e-f95a4e54620c"

Import external keys to a managed HSM

You can import a key from user-created key infrastructure to an HSM managed by Alibaba Cloud (referred to as managed HSM). The prerequisite is that you have set Protection Level to HSM when you create the external key. For more information about how to create an external key, see Import key material.

After you trigger the import, KMS performs the following operations:
  • Calls the GetParametersForImport operation. During this process, KMS generates a key pair in a managed HSM to import the external key based on the HSM protection level and returns the public key of the key pair.
  • Calls the ImportKeyMaterial operation. During this process, KMS imports the encrypted external key material to the managed HSM and then obtains the plaintext of the key material by using the key unwrapping mechanism of the managed HSM. The plaintext of the key material can no longer be exported.

Manage and use keys

You can apply all management and cryptographic features supported by KMS to keys created in managed HSMs. The features are as follows:
  • Enable and disable keys.
  • Manage the lifecycle of keys.
  • Manage the aliases of keys.
  • Manage the tags of keys.
  • Call cryptographic API operations.

Integration with other Alibaba Cloud services

Keys in managed HSMs can be used to protect native data in other Alibaba Cloud services such as Elastic Compute Service (ECS), ApsaraDB for RDS, and Object Storage Service (OSS) over the standard API of KMS. The prerequisite is that the Alibaba Cloud service supports server-side encryption by using user-managed keys. To use this feature, you only need to configure a CMK for the Alibaba Cloud service to support server-side encryption and host the CMK in a managed HSM.