This topic describes different types of hardware security modules (HSMs) that are supported by Data Encryption Service. This topic also describes the API specifications, encryption algorithms, and performance references of the HSMs.
Data Encryption Service supports general virtual security modules (GVSMs). The following section describes the features, encryption algorithms, performance references, and API specifications of the GVSMs.
- Feature description
The hardware and firmware of GVSMs are validated by Federal Information Processing Standards (FIPS) 140-2 Level 3. Data Encryption Service allows you to manage keys in a secure and reliable manner and ensures reliable data encryption and decryption by using multiple encryption algorithms.
- API specifications
- Encryption algorithms
  - Symmetric encryption algorithms: Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) with 128-, 192-, and 256-bit keys
  - Asymmetric encryption algorithms: Rivest–Shamir–Adleman (RSA) with key lengths from 1,024 bits to 4,096 bits, and Elliptic Curve Cryptography (ECC)
  - Digest algorithms: Secure Hash Algorithm 1 (SHA-1), SHA-256, SHA-384, and SHA-512
- Performance references
  - RSA-2048 signature verification: 1,100 operations per second
  - EC P256 point multiplication: 315 operations per second
  - AES-256 duplex communication encryption speed: 300 MB per second
  - RSA-2048 key generation: 0.5 key pairs per second
  - Random number generation speed: 20 MB per second
HSM cluster feature
Data Encryption Service provides the HSM cluster feature. You can use the feature to associate and centrally manage a group of HSMs that reside in different zones of the same region and are used by the same service. The feature provides high availability, load balancing, and scale-out capabilities for cryptographic operations. An HSM cluster consists of one master HSM and multiple non-master HSMs. Within a cluster, HSMs that reside in the same zone use the same subnet.