Cloud Hardware Security Module is a hardware encryption service that is deployed in the cloud. It provides multiple encryption algorithms that you can use to encrypt and decrypt service data in the cloud in a reliable manner. This helps you secure your data and meet regulatory compliance requirements for data security.
Overview
Cloud Hardware Security Module uses hardware security modules (HSMs) that are validated by Federal Information Processing Standards (FIPS) 140-2 Level 3. Cloud Hardware Security Module also uses virtualization technologies to help you meet regulatory compliance requirements in data security and ensure the confidentiality of service data in the cloud. Cloud Hardware Security Module allows you to manage keys in a secure and reliable manner and ensures reliable data encryption and decryption by using various encryption algorithms.
Cloud Hardware Security Module allows you to perform the following cryptographic operations:
Generate, store, import, export, and manage encryption keys, including symmetric keys and asymmetric keys.
Use symmetric and asymmetric algorithms to encrypt and decrypt data.
Use hash functions to compute message digests and hash-based message authentication codes (HMACs).
Sign data and verify signatures.
Generate secure random data.
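The list above names the operation set an HSM exposes, but it does not show the interface shape that makes an HSM useful: callers work with key handles and never receive key material unless the key was deliberately created as exportable. The following software stand-in is an added example written for this page; it is not Cloud Hardware Security Module's own client API, and the class and method names (SoftwareHsm, generate_key, compute_hmac, and so on) are invented for illustration. It uses only the Python standard library, so symmetric and asymmetric ciphers and signatures are omitted (the standard library has none); key management, HMAC, message digests and secure random generation are shown, and the key-count limit from the Limits table on this page is enforced.

```python
"""Added example: an in-process stand-in for the HSM operation set.

Not the product's client API. Key material lives only inside the object and is
addressed by handle; export is refused unless the key was created exportable.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class HsmError(Exception):
    """Policy violation inside the module, e.g. exporting a non-exportable key."""


@dataclass
class _KeyRecord:
    material: bytes      # never returned to callers unless exportable is True
    exportable: bool
    label: str


class SoftwareHsm:
    """Software stand-in: keys live only inside this object and are used by handle."""

    MAX_KEYS = 3300  # per-HSM key limit taken from the Limits table on this page

    def __init__(self) -> None:
        self._keys: dict[int, _KeyRecord] = {}
        self._next_handle = 1

    def _get(self, handle: int) -> _KeyRecord:
        try:
            return self._keys[handle]
        except KeyError:
            raise HsmError(f"unknown key handle {handle}") from None

    def _store(self, label: str, material: bytes, exportable: bool) -> int:
        if len(self._keys) >= self.MAX_KEYS:
            raise HsmError("key store is full")
        handle = self._next_handle
        self._next_handle += 1
        self._keys[handle] = _KeyRecord(material, exportable, label)
        return handle

    # Key management: generate, import, export, delete.
    def generate_key(self, label: str, length: int = 32, exportable: bool = False) -> int:
        return self._store(label, secrets.token_bytes(length), exportable)

    def import_key(self, label: str, material: bytes, exportable: bool = False) -> int:
        return self._store(label, bytes(material), exportable)

    def export_key(self, handle: int) -> bytes:
        rec = self._get(handle)
        if not rec.exportable:
            raise HsmError(f"key {rec.label!r} was created non-exportable")
        return rec.material

    def delete_key(self, handle: int) -> None:
        self._get(handle)
        del self._keys[handle]

    # Keyed and unkeyed hashing.
    def compute_hmac(self, handle: int, data: bytes, algorithm: str = "sha256") -> bytes:
        return hmac.new(self._get(handle).material, data, algorithm).digest()

    def verify_hmac(self, handle: int, data: bytes, tag: bytes,
                    algorithm: str = "sha256") -> bool:
        expected = self.compute_hmac(handle, data, algorithm)
        return hmac.compare_digest(expected, tag)  # constant-time comparison

    @staticmethod
    def digest(data: bytes, algorithm: str = "sha256") -> bytes:
        return hashlib.new(algorithm, data).digest()

    @staticmethod
    def random_bytes(n: int) -> bytes:
        return secrets.token_bytes(n)


def demo() -> dict:
    """Walk through the operations with a constructed request; returns results to check."""
    hsm = SoftwareHsm()
    mac_key = hsm.generate_key("api-mac-key")  # non-exportable by default
    tag = hsm.compute_hmac(mac_key, b"GET /v1/orders")
    results = {
        "verify_ok": hsm.verify_hmac(mac_key, b"GET /v1/orders", tag),
        "tamper_rejected": not hsm.verify_hmac(mac_key, b"GET /v1/admin", tag),
        "random_len": len(hsm.random_bytes(16)),
    }
    try:
        hsm.export_key(mac_key)
        results["export_blocked"] = False
    except HsmError:
        results["export_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the boundary: application code holds an integer handle, asks the module to compute or verify, and is refused when it asks for the bytes of a key that was not created exportable. That is the same contract a hardware module enforces, with the difference that here the boundary is a Python object rather than FIPS 140-2 Level 3 hardware.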
Benefits
Secure key storage
HSMs are used to protect keys. The hardware and firmware of HSMs are validated by FIPS 140-2 Level 3.
Secure key management
HSMs and keys are separately managed. Alibaba Cloud can manage only HSMs. For example, Alibaba Cloud monitors device availability metrics. Keys can be managed only by users. Alibaba Cloud cannot obtain keys.
Scalability
When you use Cloud Hardware Security Module, you can purchase HSMs based on your business requirements and use load balancing to meet different encryption and decryption requirements.
Cluster-based high availability
Cloud Hardware Security Module supports cluster management. You can add multiple HSMs to a cluster to achieve the high availability of HSMs and reduce the risks of service interruption and core data loss.
Ease of use on the cloud
Cloud Hardware Security Module allows you to deploy HSMs in a virtual private cloud (VPC), and manage and call HSMs by using private IP addresses. Cloud Hardware Security Module also allows you to manage services on Elastic Compute Service (ECS) instances in an efficient manner.
Supported regions and zones
Region | Region ID | Zones |
--- | --- | --- |
China (Hong Kong) | cn-hongkong | Zone B and Zone C |
Singapore | ap-southeast-1 | Zone A and Zone B |
SAU (Riyadh) | me-central-1 | Zone A and Zone B |
Malaysia (Kuala Lumpur) | ap-southeast-3 | Zone A and Zone B |
Limits
The following table describes the limits of Cloud Hardware Security Module. The limits cannot be adjusted.
Item | Limit |
--- | --- |
Number of keys that an HSM can manage | 3,300 |
Number of users that an HSM supports | 1,024 |
Maximum length of a username | 31 characters |
Length of a password | 7 to 32 characters |
Terms
HSM
An HSM is a virtualized resource provided by a physical HSM device. It must meet the same compliance requirements as the physical device. You can use an HSM to implement all features of Cloud Hardware Security Module, including encrypting and decrypting data.