Cloud Hardware Security Module (HSM) is a cloud-based hardware encryption service built on physical hardware security modules certified by the State Cryptography Administration or validated to FIPS 140-2 Level 3. It lets you manage cryptographic keys, run encryption and decryption operations, and meet regulatory compliance requirements — without managing physical HSM hardware.
Your keys stay yours. Device management and key management are separated: Alibaba Cloud manages the HSM hardware (availability monitoring and service provisioning) but cannot access your keys. You retain full control over all key material and user management within the HSM.
How it works
Cloud HSM uses virtualization technology to provision HSM capacity from certified hardware. Each HSM instance has the same compliance status as a physical device and supports the full set of cryptographic operations:
Generate, store, import, export, and manage symmetric keys and asymmetric key pairs.
Encrypt and decrypt data using symmetric and asymmetric algorithms.
Compute message digests and hash-based message authentication codes (HMACs) using hash functions.
Digitally sign data and verify signatures.
Generate cryptographically secure random data.
Cloud HSM provides technical consulting services for device initialization, cluster configuration, monitoring, and SDK integration, and supplies commercial cryptography product certification certificates for HSM devices. It does not include detailed documentation from third-party commercial cryptography application security assessment agencies. For more information, contact the Alibaba Cloud public cloud commercial cryptography assessment service.
HSM device types
Cloud HSM offers two device types: virtual security modules (VSMs) and dedicated HSMs. Choose based on your isolation, throughput, and compliance requirements.
| | Virtual security module (VSM) | Dedicated HSM |
|---|---|---|
| Tenancy | Multi-tenant (shared hardware) | Single-tenant (exclusive hardware) |
| Performance | Moderate throughput | High throughput, low latency |
| Compliance | PRC Cryptography Law; FIPS 140-2 Level 3 | FIPS 140-2, FIPS 140-3; State Cryptography Administration; PCI HSM v3 |
| Best for | Small and medium-sized businesses with moderate performance requirements | Large enterprises, financial institutions, and scenarios requiring the highest security and performance |
| Tamper-resistant design | — | Yes |
VSM variants by region:
Chinese mainland: General-purpose SM-compliant VSM
Outside the Chinese mainland: General FIPS-compliant VSM
For detailed performance specifications, see Performance data of virtual cryptographic machines.
Use cases
Migrate on-premises HSM workloads to cloud
When migrating your data center HSM workloads to Elastic Compute Service (ECS), replace the on-premises hardware with Cloud HSM to run encryption, decryption, signing, and signature verification, protecting your cloud data.
Encrypt sensitive application data
Integrate Cloud HSM with Alibaba Cloud Dedicated KMS, database encryption applications, or file storage applications to encrypt or store sensitive user data in compliance with applicable security regulations. This applies across public services, e-commerce, and financial industries.
Offload SSL/TLS processing for HTTPS servers
General-purpose SM-compliant VSMs (GVSMs) in the Chinese mainland support SSL offloading, reducing server CPU load and improving client response times. Cloud HSM also generates certificate private keys, keeping them off your application servers.
Protect certificate private keys
Store private keys for certificates issued by certification authorities (CAs) inside Cloud HSM. Use Cloud HSM to perform signing operations to protect the security of your certificate private keys.
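The pattern behind SSL offloading and certificate private-key protection is that the application server holds only a key handle and delegates every signature to the module. The Go example below is added here and is not taken from Alibaba Cloud's SDK or documentation: it models that boundary with an in-process stand-in (`mockSigningHSM`, a hypothetical type) and exposes the handle through Go's standard `crypto.Signer` interface, which is what `crypto/tls` accepts as a certificate's private key. The handle label, the method names and the sample message are assumptions; a real deployment replaces the stand-in with calls to the HSM client library.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// mockSigningHSM is a constructed, in-process stand-in for an HSM instance
// (hypothetical; not the Cloud HSM SDK). It models one property: private key
// material exists only inside the module, and callers hold a handle plus the
// public key, never the private key.
type mockSigningHSM struct {
	keys map[string]*ecdsa.PrivateKey
}

func newMockSigningHSM() *mockSigningHSM {
	return &mockSigningHSM{keys: map[string]*ecdsa.PrivateKey{}}
}

// GenerateKeyPair creates a P-256 key pair inside the module and returns only
// the public half; the private half stays behind the label.
func (h *mockSigningHSM) GenerateKeyPair(label string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	h.keys[label] = priv
	return &priv.PublicKey, nil
}

// Sign signs a caller-supplied digest with the key behind the handle.
func (h *mockSigningHSM) Sign(label string, digest []byte) ([]byte, error) {
	priv, ok := h.keys[label]
	if !ok {
		return nil, errors.New("unknown key handle")
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest)
}

// Export is refused for every handle: keys are generated as non-exportable.
func (h *mockSigningHSM) Export(label string) ([]byte, error) {
	return nil, errors.New("key is non-exportable")
}

// hsmSigner adapts a key handle to Go's crypto.Signer interface, the type that
// crypto/tls accepts as tls.Certificate.PrivateKey. During a handshake the TLS
// stack calls Sign; the application server only ever holds the handle.
type hsmSigner struct {
	hsm   *mockSigningHSM
	label string
	pub   *ecdsa.PublicKey
}

func (s *hsmSigner) Public() crypto.PublicKey { return s.pub }

func (s *hsmSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return s.hsm.Sign(s.label, digest)
}

// signAndVerify signs msg through the HSM-backed signer and verifies the
// signature against verifyMsg using only the public key, as a TLS client would.
func signAndVerify(msg, verifyMsg []byte) (bool, error) {
	hsm := newMockSigningHSM()
	pub, err := hsm.GenerateKeyPair("tls-server-key")
	if err != nil {
		return false, err
	}
	var signer crypto.Signer = &hsmSigner{hsm: hsm, label: "tls-server-key", pub: pub}
	digest := sha256.Sum256(msg)
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return false, err
	}
	check := sha256.Sum256(verifyMsg)
	return ecdsa.VerifyASN1(pub, check[:], sig), nil
}

// exportIsRefused reports whether the module rejects reading the private key.
func exportIsRefused() bool {
	hsm := newMockSigningHSM()
	if _, err := hsm.GenerateKeyPair("k"); err != nil {
		return false
	}
	_, err := hsm.Export("k")
	return err != nil
}

func main() {
	ok, err := signAndVerify([]byte("handshake transcript"), []byte("handshake transcript"))
	fmt.Println("signature verifies:", ok, "err:", err)
	fmt.Println("private key export refused:", exportIsRefused())
}
```

Because `hsmSigner` satisfies `crypto.Signer`, it can be placed directly in a `tls.Certificate` as `PrivateKey`; the server then completes handshakes without a private key file on disk or in process memory, which is the property the SSL offload and certificate use cases above rely on.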
Enable Oracle Transparent Data Encryption (TDE)
Integrate Cloud HSM with Oracle databases to store TDE master encryption keys outside the database. The master keys stay in the HSM and are used to encrypt sensitive data in database files.
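To make concrete what keeping the master key in the HSM means for TDE-style encryption, here is an added Go example (not Oracle's or Alibaba Cloud's code) of envelope encryption: a per-tablespace data-encryption key (DEK) encrypts the rows, and the HSM stand-in (`mockKeyWrapHSM`, a hypothetical type) only ever wraps and unwraps that DEK under a master key that never leaves it. The tablespace names, the sample row and all type and function names are constructed. It goes slightly beyond the page by binding the tablespace name as authenticated data, so a wrapped key cannot be replayed against a different tablespace.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a crypto/rand failure is unrecoverable here
	}
	return b
}

// aeadFor returns AES-GCM for a 16-, 24- or 32-byte key; any other length is a programming error.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealBlob returns nonce || ciphertext with aad bound as authenticated data.
func sealBlob(key, plaintext, aad []byte) []byte {
	aead := aeadFor(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// openBlob reverses sealBlob; it fails on a wrong key, wrong aad or any change.
func openBlob(key, blob, aad []byte) ([]byte, error) {
	aead := aeadFor(key)
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// mockKeyWrapHSM is a constructed stand-in for an HSM instance (hypothetical;
// not the Cloud HSM SDK or Oracle's own TDE code). The master encryption key
// is generated inside the module and only ever used through Wrap and Unwrap.
type mockKeyWrapHSM struct {
	mek []byte // AES-256 master key, never returned to the caller
}

func newMockKeyWrapHSM() *mockKeyWrapHSM { return &mockKeyWrapHSM{mek: randomBytes(32)} }

// Wrap encrypts a data-encryption key under the master key, binding the
// tablespace name so the wrapped DEK cannot be replayed for another tablespace.
func (h *mockKeyWrapHSM) Wrap(dek []byte, tablespace string) []byte {
	return sealBlob(h.mek, dek, []byte(tablespace))
}

// Unwrap recovers a DEK; it fails for another tablespace or another master key.
func (h *mockKeyWrapHSM) Unwrap(wrapped []byte, tablespace string) ([]byte, error) {
	return openBlob(h.mek, wrapped, []byte(tablespace))
}

// encryptedTablespace is what lands in the database files: ciphertext plus the wrapped DEK.
type encryptedTablespace struct {
	name       string
	wrappedDEK []byte
	data       []byte // nonce || ciphertext under the DEK
}

// sealTablespace generates a fresh DEK, encrypts the data with it, has the HSM wrap the DEK
// and keeps only the wrapped form beside the ciphertext; the plaintext DEK is not stored.
func sealTablespace(h *mockKeyWrapHSM, name string, plaintext []byte) *encryptedTablespace {
	dek := randomBytes(32)
	return &encryptedTablespace{
		name:       name,
		wrappedDEK: h.Wrap(dek, name),
		data:       sealBlob(dek, plaintext, []byte(name)),
	}
}

// openTablespace asks the HSM for the DEK, then decrypts locally.
func openTablespace(h *mockKeyWrapHSM, ts *encryptedTablespace) ([]byte, error) {
	dek, err := h.Unwrap(ts.wrappedDEK, ts.name)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return openBlob(dek, ts.data, []byte(ts.name))
}

func main() {
	hsm := newMockKeyWrapHSM()
	ts := sealTablespace(hsm, "USERS", []byte("id=1,salary=100000")) // constructed sample row
	pt, err := openTablespace(hsm, ts)
	fmt.Printf("decrypted: %q err: %v\n", pt, err)
}
```

The database files contain only `data` and `wrappedDEK`; a copy of them taken without access to the HSM yields nothing, and rotating the master key means re-wrapping the small DEKs rather than re-encrypting the data.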
Benefits
Regulatory compliance. VSMs in the Chinese mainland are certified by the State Cryptography Administration and meet GM/T 0028-2014 (Security Requirements for Cryptographic Modules) and GM/T 0030-2014 (Specification for Server Cryptographic Machine). VSMs outside the Chinese mainland are validated to FIPS 140-2 Level 3.
Industry-standard interfaces and algorithms. Cloud HSM supports a wide range of encryption algorithms and interfaces. For the full list, see Performance data of virtual cryptographic machines.
Isolated key management. Alibaba Cloud cannot access your keys. Device management (hardware availability, service enablement) is separate from key management (your exclusive responsibility).
Elastic scaling. Adjust the number of HSM instances to match demand. Use load balancing to distribute cryptographic workloads across multiple instances.
Cluster high availability. Group multiple HSM instances across zones in the same region into a cluster. A cluster includes one master HSM and multiple non-master HSMs; instances in the same zone share a subnet. This reduces the risk of service interruption and data loss.
VPC deployment. Deploy Cloud HSM inside your Virtual Private Cloud (VPC) and access it via a private IP address, enabling seamless integration with your existing cloud applications.
Supported regions and zones
Chinese mainland
| Region | Region ID | Zones |
|---|---|---|
| China (Hangzhou) | cn-hangzhou | Zone A, Zone G |
| China (Shanghai) | cn-shanghai | Zone A, Zone B, Zone F |
| China (Beijing) | cn-beijing | Zone A, Zone F, Zone K |
| China (Shenzhen) | cn-shenzhen | Zone A, Zone E |
| China (Chengdu) | cn-chengdu | Zone A, Zone B |
| China (Heyuan) | cn-heyuan | Zone A, Zone B |
Outside the Chinese mainland
| Region | Region ID | Zones |
|---|---|---|
| China (Hong Kong) | cn-hongkong | Zone B, Zone C |
| Singapore | ap-southeast-1 | Zone A, Zone B |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | Zone A, Zone B |
| SAU (Riyadh - Partner Region) | me-central-1 | Zone A, Zone B |
| Indonesia (Jakarta) | ap-southeast-5 | Zone A, Zone B |
Key concepts
HSM instance. A virtualized resource created from the hardware cryptographic module of an HSM device. It meets the same compliance requirements as a physical HSM device and supports all HSM features, including data encryption and decryption.
Authentication card (USB Key). A unique identifier for a Cloud HSM instance used with the HSM client management tool to manage keys. Available only for HSMs in the Chinese mainland.
Cluster service. A logical grouping of multiple HSM instances across different zones in the same region, all serving the same application. Clusters provide centralized management, high availability, load balancing, and horizontal scalability for cryptographic operations. Each cluster has one master HSM instance and multiple non-master HSM instances. All HSM instances in a zone share the same subnet.