Cloud Hardware Security Module (CloudHSM) is a cloud-based hardware encryption service. CloudHSM lets you use a range of encryption algorithms to reliably encrypt and decrypt your business data in the cloud, with keys that are generated and used inside certified hardware. This helps you protect your data and meet regulatory compliance requirements for data security.
Overview
CloudHSM is built on hardware security modules (HSMs) that are certified by the State Cryptography Administration (in the Chinese mainland) or to FIPS 140-2 Level 3 (outside the Chinese mainland). CloudHSM virtualizes these certified modules so that your keys are generated, stored, and used inside certified hardware, which helps you meet regulatory compliance requirements and protect the confidentiality of your business data in the cloud. CloudHSM lets you securely manage keys and use a range of encryption algorithms for reliable data encryption and decryption.
CloudHSM can perform the following cryptographic computations:
Generate, store, import, export, and manage encryption keys, including symmetric keys and asymmetric key pairs.
Use symmetric and asymmetric algorithms to encrypt and decrypt data.
Compute message digests with hash functions and compute hash-based message authentication codes (HMACs).
Digitally sign data and verify signatures.
Generate cryptographically secure random data.
HSMs
CloudHSM provides resources that are virtualized from the hardware cryptographic modules of HSMs. A CloudHSM instance offers the same level of compliance as a hardware cryptographic module and can perform data encryption and decryption. CloudHSM provides virtual HSMs and dedicated HSMs. For more information about the parameters of the HSMs, see HSM instance performance data.
Virtual HSMs
Virtual HSMs are deployed in a multi-tenant environment in which the hardware resources of an HSM are shared by multiple users; each user's keys are isolated in the user's own virtual HSM. In the Chinese mainland they meet the requirements of the PRC Cryptography Law; outside the Chinese mainland they are certified to the international security standard FIPS 140-2 Level 3. Virtual HSMs are suitable for small and medium-sized enterprises or for applications that do not require high performance. The supported HSM types are:
HSMs in the Chinese mainland: General-purpose SM-series HSM.
HSMs outside the Chinese mainland: General-purpose FIPS HSM.
Dedicated HSMs
Dedicated HSMs provide hardware resources that are used exclusively by a single user. These dedicated hardware resources ensure high throughput and low latency. They provide the highest level of physical security, with a tamper-resistant and tamper-evident design, and comply with the FIPS 140-2/3 international security standards. Dedicated HSMs are suitable for large enterprises, financial institutions, or scenarios that require extremely high security and performance. They are physically dedicated and exclusive HSMs certified by professional authorities, such as the State Cryptography Administration, the National Institute of Standards and Technology (NIST) (FIPS 140-2 Level 3 certified), and PCI HSM v3.
Scenarios
Migrate HSM applications from on-premises data centers to cloud servers
When you migrate on-premises HSM applications to cloud servers, you can use CloudHSM to replace your on-premises HSMs. Your applications continue to perform data encryption, decryption, signing, and signature verification in certified hardware, which protects your data in the cloud.
Provide compliant encryption and decryption for encrypted applications
CloudHSM can serve as the compliant cryptographic back end for applications that need to encrypt and decrypt sensitive data, for example Alibaba Cloud dedicated KMS, database encryption applications, and file storage encryption applications.
Support SSL offloading for HTTPS websites
GVSM instances (the general-purpose SM-series virtual HSMs offered in the Chinese mainland) provide the SSL offloading feature: the TLS handshake's private-key operations are performed by the HSM, which reduces the load on your web servers and improves response times for clients. The certificate private key is generated inside the HSM and never leaves it, so a compromise of the web server does not expose the private key.
Protect private keys of certificates
For digital certificates issued by certification authorities (CAs), you can keep the certificate private key in an HSM and have the HSM perform signing operations on your behalf. The private key never leaves the HSM, which protects it against theft from application servers.
Oracle TDE integration
CloudHSM integrates with Oracle databases to support the transparent data encryption (TDE) feature. With this integration, the TDE master encryption key is stored in an HSM outside the database rather than in a software keystore, and the keys that encrypt sensitive data in the data files are protected by that master key. This keeps the root of the key hierarchy out of reach of anyone who only has access to the database host.
Sensitive data encryption
In industries such as public services, e-commerce, and finance, you can integrate CloudHSM with applications to encrypt, process, or store sensitive user data to meet security and compliance requirements.
Benefits
Meet regulatory compliance requirements
HSMs in the Chinese mainland have passed the inspection and certification of the State Cryptography Administration and comply with the technical specifications of the cryptography industry, including GM/T 0028-2014 (Security Technical Requirements for Cryptographic Modules) and GM/T 0030-2014 (Technical Specification for Server HSM).
HSMs outside the Chinese mainland are FIPS 140-2 Level 3 certified.
Industry-standard interfaces and encryption algorithms
CloudHSM supports a wide range of industry-standard interfaces and encryption algorithms. For more information about the interface specifications and encryption algorithms supported by CloudHSM, see HSM instance performance data.
Secure key management
CloudHSM separates device management from key management. Alibaba Cloud manages only the HSM hardware, which primarily involves monitoring device availability and activating services. Keys are generated and managed exclusively by you, and Alibaba Cloud has no access to your key material.
Scalability
With CloudHSM, you can adjust the number of deployed HSMs to match your business needs and distribute cryptographic requests across them with load balancing, so that capacity can grow with demand.
Cluster High Availability
CloudHSM supports cluster management. By adding multiple HSMs to a cluster, you improve availability and reduce the risk of business interruptions and of losing the keys that protect your core data if a single HSM fails.
Convenient cloud usage
With CloudHSM, you deploy purchased HSMs in a virtual private cloud (VPC) that you specify. The HSMs are managed and called over a private IP address in that VPC, which keeps cryptographic traffic off the public network and makes it easy to integrate the HSMs with your business applications on cloud servers.
Supported regions and zones
The Chinese mainland

Region             | Region ID    | Zone
China (Hangzhou)   | cn-hangzhou  | Zone A, Zone G
China (Shanghai)   | cn-shanghai  | Zone A, Zone B, Zone F
China (Beijing)    | cn-beijing   | Zone A, Zone F, Zone K
China (Shenzhen)   | cn-shenzhen  | Zone A, Zone E
China (Chengdu)    | cn-chengdu   | Zone A, Zone B

Outside the Chinese mainland

Region                        | Region ID       | Zone
China (Hong Kong)             | cn-hongkong     | Zone B, Zone C
Singapore                     | ap-southeast-1  | Zone A, Zone B
Malaysia (Kuala Lumpur)       | ap-southeast-3  | Zone A, Zone B
SAU (Riyadh - Partner Region) | me-central-1    | Zone A, Zone B
Indonesia (Jakarta)           | ap-southeast-5  | Zone A, Zone B
Glossary
HSM instance
An HSM instance is a resource virtualized from the hardware cryptographic module of an HSM. An HSM instance offers the same level of compliance as a hardware cryptographic module, implements all the features of CloudHSM, and performs data encryption and decryption.
Authentication card (USB Key)
A unique identity credential for a CloudHSM instance. It is used together with the HSM client management tool to authenticate the administrator who manages keys. It is provided only for HSMs in the Chinese mainland.
Cluster service
CloudHSM provides a cluster service. This service associates a group of HSM instances that are in the same region but in different zones and are used for the same business purpose. This enables unified management and provides high availability, load balancing, and horizontal scaling for cryptographic computations in business applications. A cluster consists of one master HSM instance and one or more non-master HSM instances. HSM instances of a cluster that are in the same zone use the same subnet.