A dedicated Hardware Security Module (HSM) provides a physical HSM that is exclusively used by you, offering many cryptographic services. In contrast to virtual HSMs, you can have complete management permissions over all HSMs within dedicated HSM groups, without sharing resources with other users. This topic describes dedicated HSMs and how they are used.
What is a dedicated HSM?
A dedicated HSM complies with PCI DSS and FIPS 140-2 Level 3 standards, and meets the requirements of the Chinese cryptographic certification and PCI PIN standards. It supports RSA, 3DES, and SHA series algorithms, allowing you to securely and reliably manage keys. It provides dependable encryption and decryption operations for cloud business data using various encryption algorithms. For applications that require high performance or high availability, multiple dedicated HSMs can be deployed to form an HSM group, delivering cryptographic services to multiple application servers.
Why a dedicated HSM?
Compliance
A dedicated HSM complies with PCI DSS and FIPS 140-2 Level 3 standards, fulfilling the requirements for national cryptographic certification and PCI PIN standards, which can meet compliance needs, including commercial cryptography application security assessments.
Security
The dedicated HSM instance is physically isolated, providing a higher level of security for data processing.
High reliability and high availability
Efficiently handle numerous concurrent requests to ensure business continuity and operational efficiency.
For high-performance or high-availability business scenarios, you can deploy multiple dedicated HSMs to create an HSM group, delivering cryptographic services to numerous application servers.
Deploy multiple zones to provide disaster recovery capabilities through cross-zone instances.
Standardization
A dedicated HSM supports common development interfaces for seamless integration with applications.
Ease of use and maintenance
A dedicated HSM provides automatic operation and maintenance capabilities for full management, enabling you to focus on encryption tasks without the complexities of managing the HSM.
How is it used
To enhance security and availability, you can deploy two or more dedicated HSMs in at least two different zones within the same region and configure them into an HSM group.
You can access HSM through SDK using the endpoint domain name or ENI IP. When applications interact with these HSMs, the optimal HSM for connection is selected through load balancing. Additionally, by using the PrivateLink service, data transmission is ensured to occur within the private network for further security. This architecture design also ensures that the network paths between each HSM are independent, improving the system's redundancy and fault recovery capability.
The following architecture diagram illustrates a configuration with two HSMs:
The costs of the Network Load Balancer (NLB) and PrivateLink depicted above are included in the HSM service. You do not need to pay any additional fees for these services.
Purchase instructions
The delivery cycle for dedicated HSMs varies depending on the HSM model and delivery region. If you have any questions or custom requirements, contact us.