This page lists the interface specifications, supported encryption algorithms, and performance data for each dedicated Hardware Security Module (HSM) type available in Alibaba Cloud KMS.
HSM comparison
The following table summarizes key differences between the two dedicated HSM types to help you select the right model.
| Attribute | Thales HSM | TASS Crypto Engine HSM |
|---|---|---|
| Compliance | PCI DSS, FIPS 140-2 Level 3, PCI PIN, domestic cryptographic certification | FIPS 140-2 Level 3, Chinese national cryptography law |
| Chinese cryptographic algorithms | Not specified | SM2, SM3, SM4 |
| Interface standards | Not specified | GM/T 0018-2012, PKCS#11, SunJCE |
| LMK quota | 1–20 (expandable via license) | — |
| CPS quota | 25–10,000 (expandable via license) | — |
Thales HSM
A Thales HSM is a physical cryptographic device that protects sensitive data through hardware-enforced encryption and access control.
| Feature | Details |
|---|---|
| Compliance standards | PCI DSS, FIPS 140-2 Level 3, PCI PIN, and domestic cryptographic certification |
| Local Master Key (LMK) quota | 1–20 (expandable via license upgrade) |
| Calls Per Second (CPS) quota | 25–10,000 (expandable via license upgrade) |
CPS measures the HSM's maximum throughput for key block-related commands (such as PIN translation) in secure communication scenarios. Different commands have different maximum CPS values. Time-consuming operations — including RSA key generation and message authentication code, hash, encryption, and decryption calculations over large data volumes — are not covered by the CPS metric.
TASS Crypto Engine HSM
A TASS Crypto Engine HSM is a secure hardware device that delivers cryptographic services at the application layer through a dedicated key management system and an integrated encryption workflow. It supports key management, message authentication, data encryption and decryption, and digital signature generation and verification.
In addition to FIPS 140-2 Level 3 compliance, the TASS Crypto Engine HSM supports Chinese cryptographic algorithms (SM2, SM3, SM4) in alignment with national cryptography law.
Interface specifications
| Specification | Description |
|---|---|
| GM/T 0018-2012 | Cryptographic device application interface specification (Chinese national standard) |
| PKCS#11 | Cryptographic token interface standard |
| SunJCE | Java Cryptography Extension interface |
Supported algorithms
| Algorithm type | Algorithms |
|---|---|
| Symmetric encryption | SM4, DES, 3DES, AES (128-bit and 256-bit keys) |
| Asymmetric encryption | SM2, RSA (2,048–4,096 bits), Elliptic Curve Cryptography (ECC): NIST P256, BRAINPOOLP256, FRP256, and more |
| Hash | SM3, SHA1, SHA256, SHA384, SHA512 |
Performance data
The following performance figures are measured under these test conditions: 32-byte test data, TCP/IP data communication protocol, maximum 2,048 concurrent connections.
Actual performance varies based on data size, concurrent connection count, and application load. Run load tests against your specific workload to determine scaling needs.
| Operation | Throughput | Response time |
|---|---|---|
| AES128 encryption | 100,000 QPS | 0.007 s |
| AES256 encryption | 100,000 QPS | 0.007 s |
| RSA2048 key generation | 40 pairs/s | 1.003 s |
| RSA2048 public key operation | 40,000 QPS | 0.008 s |
| RSA2048 private key operation | 4,000 QPS | 0.018 s |
| SM3 hashing | 100,000 QPS | 0.007 s |
| SM4 encryption | 100,000 QPS | 0.009 s |
| SM2 key generation | 45,000 QPS | 0.004 s |
| SM2 signing | 45,000 QPS | 0.003 s |
| SM2 signature verification | 20,000 QPS | 0.006 s |
QPS = queries per second.
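The page recommends load-testing your own workload rather than relying on the vendor figures alone. The harness below is an added example (not Alibaba Cloud or TASS code) that produces numbers in the same shape as the table above: total throughput in QPS and per-call response time. The operation under test is a stand-in, a local SHA-256 over a constructed 32-byte buffer (matching the page's 32-byte test-data condition); in a real test you would replace `sha256_operation` with the call into your PKCS#11, SunJCE or GM/T 0018-2012 client so that network round trips and HSM queueing are included in the measurement.

```python
"""Local load-test harness for estimating cryptographic throughput (QPS) and
response time, reported in the same shape as the HSM performance table.

Added example, not Alibaba Cloud or TASS code. The operation under test is
a stand-in (hashlib SHA-256 over a constructed 32-byte buffer); replace it
with your HSM client call for a real measurement.
"""
import hashlib
import statistics
import threading
import time
from dataclasses import dataclass


@dataclass
class LoadResult:
    operations: int        # total completed calls across all workers
    elapsed_s: float       # wall-clock duration of the whole test
    qps: float             # operations / elapsed_s
    mean_latency_s: float  # average per-call response time
    p99_latency_s: float   # 99th-percentile per-call response time


def run_load_test(operation, *, concurrency: int, calls_per_worker: int) -> LoadResult:
    """Run operation() from `concurrency` threads, `calls_per_worker` times
    each (modelling concurrent connections), and return throughput and
    latency figures."""
    if concurrency <= 0 or calls_per_worker <= 0:
        raise ValueError("concurrency and calls_per_worker must be positive")

    # One latency list per worker avoids lock contention skewing the timings.
    latencies = [[] for _ in range(concurrency)]

    def worker(idx: int) -> None:
        bucket = latencies[idx]
        for _ in range(calls_per_worker):
            t0 = time.perf_counter()
            operation()
            bucket.append(time.perf_counter() - t0)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(concurrency)]
    start = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    elapsed = time.perf_counter() - start

    flat = sorted(lat for bucket in latencies for lat in bucket)
    total = len(flat)
    # Nearest-rank p99: index 0.99*N into the sorted sample, clamped to the end.
    p99_index = min(total - 1, int(0.99 * total))
    return LoadResult(
        operations=total,
        elapsed_s=elapsed,
        qps=total / elapsed,
        mean_latency_s=statistics.fmean(flat),
        p99_latency_s=flat[p99_index],
    )


# Constructed 32-byte payload, matching the page's 32-byte test-data condition.
TEST_DATA = bytes(range(32))


def sha256_operation() -> None:
    """Stand-in for an HSM call (hypothetical placeholder): a real test would
    invoke the PKCS#11 / SunJCE / GM/T 0018-2012 client here instead."""
    hashlib.sha256(TEST_DATA).digest()


if __name__ == "__main__":
    result = run_load_test(sha256_operation, concurrency=8, calls_per_worker=2000)
    print(f"{result.operations} ops in {result.elapsed_s:.3f} s -> {result.qps:,.0f} QPS")
    print(f"mean response {result.mean_latency_s * 1000:.3f} ms, "
          f"p99 {result.p99_latency_s * 1000:.3f} ms")
```

Two points when adapting this to a real HSM: keep `concurrency` at or below the connection limit the device is tested against (the page's figures assume at most 2,048 concurrent connections), and measure each command type separately, since, as the page notes, RSA key generation and bulk encryption, hashing or MAC operations behave very differently from short key-block commands and should not be averaged into one figure.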