Cloud Hardware Security Module (Cloud HSM) supports two types of virtual cryptographic machines: the General Virtual Security Module (GVSM) for the Chinese mainland, and a FIPS-certified general-purpose HSM for regions outside the Chinese mainland. This page lists the supported interface specifications, encryption algorithms, and performance benchmarks for each type.
HSMs in the Chinese mainland
GVSM (Chinese cryptographic algorithms)
Features
| Feature | Description |
|---|---|
| Description | The General Virtual Security Module (GVSM) complies with "GM/T 0028-2014 Cryptographic Module Security Technical Requirements" and "GM/T 0030-2014 Server Cryptographic Machine Technical Specification". It provides internationally common cryptographic service interfaces and supports Public Key Infrastructure (PKI) applications that use Chinese cryptographic algorithms. GVSM lets you provide cryptographic and key management services for multiple application entities, either independently or concurrently. |
| Interface specifications | GM/T 0018-2023 Cryptographic Device Application Interface Specification; PKCS#11 interface specification; SunJCE interface specification; Microsoft Cryptography API: Next Generation (CNG) |
| Encryption algorithms | Symmetric: SM1, SM4, DES, 3DES, and AES (128-bit and 256-bit keys). Asymmetric: SM2, RSA (2048-bit to 4096-bit key lengths), and ECC (NIST P-256, Brainpool P-256, and FRP-256). Digest: SM3, SHA-1, SHA-256, SHA-384, and SHA-512. |
Performance data
The following benchmarks are based on: data communication protocol — TCP/IP; maximum concurrent connections — 256; test data length — 32 bytes. Actual performance may vary based on data length and network conditions.
Performance scales linearly with cluster size. The tables below show operations per second (ops/sec) and response time for each algorithm in each cluster configuration.
Single-instance performance
| Algorithm | ops/sec | Response time |
|---|---|---|
| SM1 encryption | 600 | 0.006 s |
| SM2 key generation | 4,000 | 0.006 s |
| SM2 signature | 3,000 | 0.008 s |
| SM2 signature verification | 2,000 | 0.026 s |
| RSA-2048 key generation | 6 pairs/sec | 8.605 s |
| RSA-2048 public key operation | 3,500 | 0.008 s |
| RSA-2048 private key operation | 400 | 0.018 s |
| SM3 digest | 5,000 | 0.009 s |
| SM4 encryption | 5,000 | 0.003 s |
| AES-128 | 7,000 | 0.004 s |
| AES-256 | 6,000 | 0.004 s |
Two-node cluster
| Algorithm | ops/sec | Response time |
|---|---|---|
| SM1 encryption | 1,200 | 0.012 s |
| SM2 key generation | 8,000 | 0.012 s |
| SM2 signature | 6,000 | 0.016 s |
| SM2 signature verification | 4,000 | 0.052 s |
| RSA-2048 key generation | 12 pairs/sec | 17.21 s |
| RSA-2048 public key operation | 7,000 | 0.016 s |
| RSA-2048 private key operation | 800 | 0.036 s |
| SM3 digest | 10,000 | 0.018 s |
| SM4 encryption | 10,000 | 0.006 s |
| AES-128 | 14,000 | 0.008 s |
| AES-256 | 12,000 | 0.008 s |
Three-node cluster
| Algorithm | ops/sec | Response time |
|---|---|---|
| SM1 encryption | 1,800 | 0.018 s |
| SM2 key generation | 12,000 | 0.018 s |
| SM2 signature | 9,000 | 0.024 s |
| SM2 signature verification | 6,000 | 0.078 s |
| RSA-2048 key generation | 18 pairs/sec | 25.815 s |
| RSA-2048 public key operation | 10,500 | 0.024 s |
| RSA-2048 private key operation | 1,200 | 0.054 s |
| SM3 digest | 15,000 | 0.027 s |
| SM4 encryption | 15,000 | 0.009 s |
| AES-128 | 21,000 | 0.012 s |
| AES-256 | 18,000 | 0.012 s |
HSMs outside the Chinese mainland
General-purpose server HSM GVSM (NIST FIPS)
Cloud HSM supports FIPS-certified general-purpose cryptographic machines for regions outside the Chinese mainland.
Features
| Feature | Description |
|---|---|
| Description | The hardware and firmware are certified for FIPS 140-2 Level 3. Use this HSM type to manage keys securely and perform encryption and decryption operations with various encryption algorithms. |
| Interface specification | PKCS#11 interface specification |
| Encryption algorithms | Symmetric: DES, 3DES, and AES (128-bit, 192-bit, and 256-bit keys). Asymmetric: RSA (2048-bit to 4096-bit key lengths) and ECC. Digest: SHA-1, SHA-256, SHA-384, and SHA-512. |
| Limits | Maximum keys per HSM: 3,300. Maximum users per HSM: 1,024. Maximum username length: 31 characters. User password length: 7–32 characters. |
Performance data
The following benchmarks are based on a maximum of 5,000 concurrent connections. Actual performance may vary based on data length and network conditions.
| Algorithm | Performance |
|---|---|
| RSA-2048 signature and verification | 1,100 operations/sec |
| EC P256 point multiplication | 315 operations/sec |
| AES-256 duplex communication encryption rate | 300 MB/s |
| RSA-2048 key generation | 0.5 pairs/sec |
| Random number generation | 20 MB/s |