Key Management Service:Dedicated HSM overview

Last Updated:Mar 31, 2026

A dedicated Hardware Security Module (HSM) gives you exclusive access to a physical HSM device for cryptographic operations and secure key management. Unlike virtual HSMs, a dedicated HSM is not shared with other users — you have full management control over every HSM in your group.

What is a dedicated HSM?

Alibaba Cloud dedicated HSM complies with PCI DSS and FIPS 140-2 Level 3 standards, and meets Chinese cryptographic certification and PCI PIN requirements. It supports the RSA, 3DES, and SHA algorithm families for secure key management and for encryption and decryption of cloud business data.

For high-performance or high-availability requirements, deploy multiple dedicated HSMs as an HSM group to serve multiple application servers.

Why use a dedicated HSM?

Compliance

Dedicated HSM meets PCI DSS, FIPS 140-2 Level 3, Chinese cryptographic certification, and PCI PIN standards — covering commercial cryptography application security assessment requirements.

Physical isolation

Each dedicated HSM instance is physically isolated, providing a stronger security boundary for sensitive data processing compared to shared environments.

High availability and reliability

  • Handles large volumes of concurrent requests to maintain business continuity.

  • Supports HSM group configuration — deploy multiple dedicated HSMs across availability zones to serve multiple application servers.

  • Cross-zone deployment provides disaster recovery through independent, redundant network paths between HSMs.

Standard integration interfaces

Dedicated HSM supports common development interfaces for seamless integration with existing applications.

Managed operations

Dedicated HSM provides automatic operation and maintenance, so you can focus on your encryption workloads rather than managing the underlying hardware.

How it works

To achieve high availability, deploy two or more dedicated HSMs across at least two availability zones within the same region, and configure them as an HSM group.

Access your HSM group through the SDK using either an endpoint domain name or an ENI IP. When your application connects, load balancing automatically routes each request to the optimal HSM. PrivateLink keeps all data transmission within the private network, and independent network paths between HSMs improve redundancy and fault recovery.

The following diagram illustrates a two-HSM configuration:

[Diagram: two-HSM configuration, showing the NLB and PrivateLink components]
Important

The costs of Network Load Balancer (NLB) and PrivateLink shown in the diagram are included in the HSM service. No additional fees apply.

Purchase instructions

The delivery cycle for dedicated HSMs varies by HSM model and delivery region. If you have questions or custom requirements, contact us.

What's next

Purchase a dedicated HSM