How to use an HSM - Key Management Service - Alibaba Cloud Documentation Center

Set up a Cloud Hardware Security Module (Cloud HSM) cluster from scratch: enable a hardware security module (HSM) as the master, create and activate the cluster, connect the HSM client, and generate your first cryptographic key.

Warning

Do not use test keys in production environments. Test keys are intended for validation only and do not provide the security guarantees required in production.

To use an HSM cluster with a Key Management Service (KMS) instance of the hardware key management type, see Configure an HSM cluster for a KMS instance of the hardware key management type instead. Steps 4 and 5 in this guide do not apply in that scenario.

Prerequisites

Before you begin, make sure you have:

A purchased and enabled HSM. See Purchase and enable an HSM.
An ECS instance running CentOS 8 or Alibaba Cloud Linux, in the same Virtual Private Cloud (VPC) as the HSM. The ECS instance is used to install the HSM management tool — not as a business server. See Get started with Linux instances.

Step 1: Enable an HSM as the master HSM

An HSM cluster consists of one master HSM and multiple non-master HSMs. Before creating a cluster, designate one HSM as the master.

Go to the VSMs page of the Cloud Hardware Security Module console. In the top navigation bar, select a region.
On the VSMs page, find the HSM and click Enable in the Actions column.

In the Configure HSM instance dialog box, set the following parameters and click OK. When the configuration succeeds, the HSM Status changes to Enabled.

Parameter	Description
VPC ID	The VPC to bind to the HSM.
VPC subnet	The subnet to assign to the HSM in the VPC.
Private IP address	The private IP address to assign to the HSM. Must belong to the assigned subnet. The system reserves IP addresses whose last octet is 253, 254, or 255 — do not use these.
Configure HSM whitelist	The IP addresses or CIDR blocks allowed to access the HSM. Supports up to 10 entries (one per row). If left blank, all IP addresses can access the HSM. If a cluster whitelist is configured, it takes precedence over the HSM whitelist. The `0.0.0.0/0` entry is not supported — to allow all IP addresses, leave the whitelist blank.

Step 2: Create and activate an HSM cluster

This step establishes your ownership and control over the cluster through a certificate-based trust chain. The process involves:

Creating the cluster and specifying network configuration
Generating a self-signed certificate authority (CA) and using it to sign the cluster's certificate signing request (CSR)
Initializing the master HSM with the HSM management tool

HSMs in the same zone use the same VPC subnet.

Create the cluster

On the VSMs page, find the master HSM and click Create cluster in the Actions column.

In the Create and activate cluster panel, complete the Create cluster step and click Next.

Parameter	Description
Cluster name	A unique name for the cluster. Maximum 24 characters.
Configure whitelist	The IP addresses or CIDR blocks allowed to access the cluster. Supports up to 10 entries (one per row). The cluster whitelist takes precedence over any HSM-level whitelist. The `0.0.0.0/0` entry is not supported — to allow all IP addresses, leave the whitelist blank.
Specify vSwitches	The vSwitches for the cluster. At least 2 vSwitches are required.

Activate the cluster

Import a cluster certificate

The cluster activation process uses a CA certificate you generate locally to sign the cluster's CSR. This proves your ownership of the HSMs and creates the trust foundation for all future HSM connections.

In the Upload cluster certificate section, click Cluster CSR certificate to download the CSR file (cluster.csr). Upload the file to your ECS instance.
Generate a private key and set a password for it. This creates issuerCA.key.
```
openssl genrsa -aes256 -out issuerCA.key 2048
```
Create a self-signed CA certificate. This creates issuerCA.crt, which you will use in later steps.
```
openssl req -new -x509 -days 3652 -key issuerCA.key -out issuerCA.crt
```
Sign the cluster CSR using your CA certificate and key. This creates cluster.crt, which you will upload to the console in the next step.
This command uses cluster.csr, issuerCA.crt, and issuerCA.key.
```
openssl x509 -req -in cluster.csr -days 3652 -CA issuerCA.crt -CAkey issuerCA.key -set_serial 01 -out cluster.crt
```
Back in the Activate cluster step in the console, import the certificate and click Submit:
- In the Enter the issuer certificate in PEM format section, paste the contents of issuerCA.crt.
- In the Enter the issued cluster certificate in PEM format section, paste the contents of cluster.crt.

Initialize the master HSM

Important

The master HSM can only be initialized using the HSM management tool on a Linux operating system.

Step 1: Download the HSM management tool

The tool version varies depending on the region where the HSM is located.

Indonesia (Jakarta) region

CentOS
- Method 1: Go to hsm-client-v2.09.07.02-1.202411041707.x86_64.rpm to download the HSM management tool.
- Method 3: On the VSMs page, find the HSM instance and click the icon in the Specifications column.
- Method 3: On the Activate Cluster page, click Download HSM Management Tool.
Debian
Go to hsm-client-v2.09.07.02-1.202411041707.x86_64.deb to download the HSM management tool.

All regions except Indonesia (Jakarta)

The tool version depends on your region:

Indonesia (Jakarta) region
- CentOS: Download hsm-client-v2.09.07.02-1.202411041707.x86_64.rpm, or click Download HSM management tool on the Activated cluster page.
- Debian: Download hsm-client-v2.09.07.02-1.202411041707.x86_64.deb
All other regions
- CentOS: Choose one of the following methods:
  - Download hsm-client-v2.03.15.10-1.x86_64.rpm
  - Run the following command (requires internet access from the ECS instance): ``bash wget -O hsm-client-v2.03.15.10-1.x86_64.rpm 'https://yundun-hsm4.oss-ap-southeast-1.aliyuncs.com/hsm-client-v2.03.15.10-1.x86_64.rpm' ``
  - Click Download HSM management tool on the Activate cluster page.
- Debian: Download hsm-client-2.03.15.10-20240710_1.x86_64.deb

Step 2: Install the HSM management tool

The tool installs to /opt/hsm.

CentOS — replace <TOOL_NAME> with the actual filename (for example, hsm-client-v2.09.07.02-1.202411041707.x86_64.rpm):
```
sudo yum install -y <TOOL_NAME>
```
Debian — replace <TOOL_NAME> with the actual filename (for example, hsm-client-2.03.15.10-20240710_1.x86_64.deb):
```
sudo dpkg -i <TOOL_NAME>
```

Step 3: Update the client configuration file

Edit the servers section of /opt/hsm/etc/hsm_mgmt_tool.cfg:

Set name and hostname to the private IP address of the master HSM (visible on the Instances page).
Set owner_cert_path to the full path of issuerCA.crt.

Example configuration:

{
 "servers": [
 {
 "name" : "172.16.XX.XX",
 "hostname" : "172.16.XX.XX",
 "port" : 2225,
 "certificate": "/opt/hsm/etc/client.crt",
 "pkey": "/opt/hsm/etc/client.key",
 "CAfile": "",
 "CApath": "/opt/hsm/etc/certs",
 "ssl_ciphers": "",
 "server_ssl" : "yes",
 "enable" : "yes",
 "owner_cert_path":"<issuerCA.crt_FILE_PATH>"
 }],
 "scard": {
 "enable": "no",
 "port": 2225,
 "ssl": "no",
 "ssl_ciphers": "",
 "certificate": "cert-sc",
 "pkey": "pkey-sc"
 }
}

Step 4: Log on to the master HSM and verify users

Log on to the master HSM:

/opt/hsm/bin/hsm_mgmt_tool /opt/hsm/etc/hsm_mgmt_tool.cfg

Run listUsers to see the default users:

cloudmgmt>listUsers
Users on server 0(172.16.XX.XX):
Number of users found:2

    User Id            User Type          User Name                     MofnPubKey       LoginFailureCnt            2FA
         1             PRECO          admin                                       NO               0                     NO
         2             AU             app_user                                    NO               0                     NO

The default users are admin (precrypto officer, PRECO) and app_user (app user, AU).

Step 5: Promote the PRECO to a crypto officer (CO)

Log on as the PRECO:

server0>loginHSM PRECO admin password
loginHSM success

Change the PRECO password. This promotes admin from PRECO to CO:
```
cloudmgmt>changePswd PRECO admin <NewPassword>
```

Verify the role change with listUsers:

cloudmgmt>listUsers
Users on server 0(172.16.XX.XX):
Number of users found:2

    User Id            User Type          User Name                     MofnPubKey       LoginFailureCnt            2FA
         1             CO             admin                                       NO               0                     NO
         2             AU             app_user                                    NO               0                     NO

admin now appears as CO.

Step 6: Create a crypto user (CU)

Warning

Create the CU before adding any non-master HSMs to the cluster. CU information is synchronized to non-master HSMs only when they are added — HSMs added before the CU is created will not have the CU.

Run createUser to create a CU. Username: up to 20 ASCII characters. Password: 8–32 ASCII characters.
If you are configuring the cluster for a KMS hardware key management instance, use kmsuser as the username.
```
createUser CU crypto_user <enter password>
```

Run listUsers to confirm the CU was created:

cloudmgmt>listUsers
Users on server 0(172.16.XX.XX):
Number of users found:3

    User Id         User Type       User Name                  MofnPubKey    LoginFailureCnt         2FA
         1          CO          admin                                    NO               0               NO
         2          AU          app_user                                 NO               0               NO
         3          CU          crypto_user                              NO               0               NO

Step 7: Confirm master HSM status and proceed

In the Activate cluster step in the console, click the update icon to refresh the master HSM status, then click Next.

Add non-master HSMs

In the Add HSM step, add non-master HSMs to the cluster as prompted and click Complete.

You can purchase additional HSMs and add them to the cluster later based on your needs.

Step 3: Start the hsm_proxy HSM client

hsm_proxy is the HSM client that runs on your ECS instance and routes cryptographic requests to the HSM cluster.

Edit /opt/hsm/etc/hsm_proxy.cfg: Example configuration:

Set server.hostname to the IP address of the VPC to which the current instance belongs.
Set client.e2e_owner_crt_path to the full path of issuerCA.crt (the self-signed CA certificate you created in Step 2).

{

    "ssl": {
        "certificate": "/opt/hsm/etc/client.crt",
        "pkey": "/opt/hsm/etc/client.key",
        "CApath": "/opt/hsm/etc/certs",
        "server_ssl": "yes",
        "server_ch_ssl_ciphers": "default"
    },

    "client": {
        "socket_type" : "UNIXSOCKET",
        "tcp_port" : 1111,
        "zoneid" : 0,
        "workers" : 1,
        "daemon_id" : 1,
        "reconnect_attempts": -1,
        "reconnect_interval": 1,
        "log_level": "INFO",
        "sslreneg": 0,
        "CriticalAlertScript": "",
        "e2e_owner_crt_path" : "<issuerCA.crt file path>",
        "create_object_minimum_nodes" : 1,
        "logfiles_location" : ""
    },

    "loadbalance" : {
        "enable" : "yes",
        "prefer_same_zone": "no",
        "success_rate_weight" : 1,
        "relative_idleness_weight" : 1
    },

    "dualfactor": {
        "enable" : "no",
        "port" : 2225,
        "certificate" : "certificate.crt",
        "pkey" : "pkey.pem",
        "dualfactor_ssl": "yes",
        "dualfactor_ch_ssl_ciphers": "default"
    },

    "server": {
        "hostname": "<instance ip>",
        "port": 2224
    }
}

Start hsm_proxy:

/opt/hsm/bin/hsm_proxy /opt/hsm/etc/hsm_proxy.cfg

The output shows the log file path:

logfiles_location is not specified, logs will be available in current directory

Logs will be available in liquidSecurity.1.WKCrty.log file

Verify the connection by checking the log file:

tail liquidSecurity.1.WKCrty.log

A successful connection includes the following line:

2023-10-28T13:33:05Z liquidSecurity INF: e2e_handle_client_request: HSM FIPS STATE 2

The full expected output looks like:

2023-10-28T13:33:05Z liquidSecurity INF: check_preferred_srv_status_noclock: New preferred server node id:0
2023-10-28T13:33:05Z liquidSecurity INF: do_e2e_encryption_handshake: Trying to login to server as new server connection is established
2023-10-28T13:33:05Z liquidSecurity INF: e2e_handle_client_request:  Got Authorize session response
2023-10-28T13:33:05Z liquidSecurity INF: get_partition_info: Get pHSM Info using e2e mgmtch
2023-10-28T13:33:05Z liquidSecurity INF: e2e_handle_client_request: Authorize session SUCCESS
2023-10-28T13:33:05Z liquidSecurity INF: e2e_handle_client_request: Got Partition Info
2023-10-28T13:33:05Z liquidSecurity INF: e2e_handle_client_request: GetPartitionInfo success 0 : HSM Return: SUCCESS
2023-10-28T13:33:05Z liquidSecurity INF: e2e_handle_client_request: HSM FIPS STATE 2
2023-10-28T13:33:06Z liquidSecurity INF: libevmulti_init: Initializing events
2023-10-28T13:33:06Z liquidSecurity INF: libevmulti_init: Ready !

Step 4: Create a key

Skip this step if you are configuring the cluster for a KMS hardware key management instance. See Configure an HSM cluster for a hardware key management instance of KMS.

Start key_mgmt_tool:
```
/opt/hsm/bin/key_mgmt_tool
```

Log on as the crypto user (CU):

Command:  loginHSM -u CU -s crypto_user -p <enter password>

        Cfm3LoginHSM returned: 0x00 : HSM Return: SUCCESS

        Cluster Status:
        Node id 0 status: 0x00000000 : HSM Return: SUCCESS

Generate a symmetric key:

Command:  genSymKey -l testkey -t 31 -s 32

        Cfm3GenerateSymmetricKey returned: 0x00 : HSM Return: SUCCESS

        Symmetric Key Created.  Key Handle: 6

        Cluster Status:
        Node id 0 status: 0x00000000 : HSM Return: SUCCESS

Note the key handle (6 in this example) — use it to reference the key in subsequent operations.

Confirm the key exists with findKey:

Command:  findKey

        Total number of keys present: 1

        Number of matching keys from start index 0::0

        Handles of matching keys:
        6

        Cluster Status:
        Node id 0 status: 0x00000000 : HSM Return: SUCCESS

        Cfm3FindKey returned: 0x00 : HSM Return: SUCCESS

Exit key_mgmt_tool:
```
Command:  exit
```

Step 5: Encrypt and decrypt data

Skip this step if you are configuring the cluster for a KMS hardware key management instance. See Configure an HSM cluster for a hardware key management instance of KMS.

To use the HSM cluster for cryptographic operations, choose one of the following interfaces:

What's next

To manage your cluster — add or remove HSMs, rename the cluster, or update the access whitelist — see Create and activate a NIST FIPS-validated HSM cluster.