Dedicated Key Management Service (KMS) uses a hardware security module (HSM) cluster to enable resource isolation and cryptographic isolation. An HSM cluster is a tenant-specific cryptographic resource pool that improves security. After you purchase a dedicated KMS instance, you must configure the instance and connect it to an HSM cluster before you can use it.


A dedicated KMS instance must be connected to an HSM cluster in Data Encryption Service within the same Alibaba Cloud account as the instance. Make sure that the following configurations are complete in Data Encryption Service:
  1. An HSM cluster is created, and HSM instances are added to the cluster. To ensure the high availability of the HSM cluster, we recommend that you add two or more HSM instances that reside in different zones to the cluster. For more information, see Create a cluster and Initialize the cluster.
  2. The HSM cluster is initialized and activated. The status of the cluster is Activated. The ClusterOwnerCertificate file that you configured when you initialized the cluster is used as the security domain certificate that KMS uses to access the HSM cluster. For more information, see Initialize the cluster and Activate the cluster.
  3. A crypto user named kmsuser is created, and a password is specified for the user kmsuser. KMS uses the user kmsuser to access the HSM cluster, create keys, and perform cryptographic operations. For more information, see Create a key.


  1. Log on to the KMS Console.
  2. In the upper-left corner of the page, select the region where your dedicated KMS instance resides.
    Select China (Hong Kong) or Malaysia (Kuala Lumpur).
  3. In the left-side navigation pane, click Dedicated KMS.
  4. Find your dedicated KMS instance and click Connect in the Actions column.
  5. In the Connect to HSM dialog box, specify the HSM cluster.
    Note: An HSM cluster can be bound to only one dedicated KMS instance.
  6. Configure an access credential.
    • Username: the username of the crypto user. The value is fixed as kmsuser.
    • Password: the password of the user kmsuser. The password is specified when you create the user kmsuser.
    • Security domain certificate: a certificate in the PEM format. You can download the ClusterOwnerCertificate file on the Cluster Details page of the Data Encryption Service console.
  7. Click Connect to HSM.
    During the connection, the status of the dedicated KMS instance is Connecting. Wait a few minutes and refresh the page. If the status changes to Connected, the dedicated KMS instance is connected to the HSM cluster.
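
A local pre-flight check for the security domain certificate in step 6, run before the file is pasted or uploaded. This is an added example, not part of the original procedure or of Alibaba Cloud tooling. It assumes openssl is installed and that the downloaded ClusterOwnerCertificate file holds a single certificate; the function name and the file path passed to it are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the ClusterOwnerCertificate file locally.
# Return codes: 0 ok, 1 unreadable, 2 private key present,
#               3 not exactly one certificate block, 4 not X.509 PEM, 5 expired.
check_security_domain_cert() {
    local f="$1" n
    [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }

    # Only the certificate belongs in the access credential; a file that also
    # carries a private key block must never leave the workstation.
    if grep -q -- 'PRIVATE KEY-----' "$f"; then
        echo "file contains a private key block" >&2
        return 2
    fi

    # Assumption: exactly one PEM certificate block. openssl x509 parses only
    # the first block, so extra blocks would otherwise go unnoticed.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$n" -eq 1 ] || { echo "expected 1 certificate block, found $n" >&2; return 3; }

    # The block must decode as an X.509 certificate and must not have expired.
    openssl x509 -in "$f" -noout 2>/dev/null \
        || { echo "not a PEM-encoded X.509 certificate" >&2; return 4; }
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 5; }

    # Print subject, expiry and SHA-256 fingerprint for the change record.
    openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha256
}

# Run as a script: pass the path of the downloaded certificate file.
if [ "$#" -gt 0 ]; then
    check_security_domain_cert "$1"
fi
```

A non-zero return code means the file should be downloaded again from the Cluster Details page rather than edited by hand.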