This topic describes how to purchase a hardware security module (HSM) instance.
Prerequisites
HSM instances can be accessed only from Elastic Compute Service (ECS) instances within the same virtual private cloud (VPC). Before you purchase an HSM instance, complete the following tasks:
- Create a VPC and a vSwitch in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
- Create an ECS instance. For more information, see Create an instance using the wizard.
  Note: This ECS instance is used to install the HSM management tool; it is not intended to be your business server.
  - To manage HSM instances in the Chinese mainland, the ECS instance must run Windows.
  - To manage HSM instances outside the Chinese mainland, the ECS instance must run Linux.
Purchase GVSM (SM)
Cloud Hardware Security Module (CloudHSM) supports only Dual-zone deployment, which requires a cluster. When you purchase the instances, you must configure the cluster information. The cluster is automatically created after the purchase is complete.
1. Log on to the Cloud Hardware Security Module console. In the top navigation bar, select the required region.
2. On the VSMs page, click Buy Now.
3. On the purchase page, configure the parameters as described in the following table. Then, click Buy Now and complete the payment.
Configuration items and their descriptions:

Region
  The region of the HSM instance. For more information about the supported regions, see Supported regions and zones.
  Note: The HSM instance must be in the same region as your ECS instance and VPC.
Device Model
  The type of the HSM instance. For more information about the performance of each HSM instance type, see Performance of virtual HSM instances.
Deployment Mode
  Only Dual-zone deployment is supported. You must configure at least two HSM instances in different zones, which enables cross-zone disaster recovery and simplifies cluster creation. CloudHSM selects the zones; you do not need to set them.
  Note: Only zones in the same region can communicate with each other over the network. CloudHSM and ECS instances can be in different zones.
Cluster Name
  The name must be 1 to 24 characters in length. It must start with a letter or a digit and can contain letters, digits, underscores (_), and hyphens (-).
VPC ID
  Select the VPC to which the HSM instance belongs.
Add to Whitelist
  Yes (Recommended): CloudHSM adds the VPC CIDR block to the cluster whitelist. All IP addresses in this VPC can access the HSM cluster.
  Note: If you want only specific IP addresses in the VPC to access the HSM cluster, modify the whitelist after the cluster is created. For more information, see Modify the cluster name and access whitelist.
  No: No whitelist is configured. All IP addresses can access the HSM cluster.
vSwitch
  Select two to four vSwitches. The vSwitches must be in different zones.
Automatic Certificate Generation
  Yes (Recommended): Automatically generates a client certificate, a server certificate, and a self-signed CA certificate. The client and the HSM cluster communicate over a mutually authenticated (bidirectional) TLS channel, which protects data in transit. By default, the certificates are valid for 10 years.
  No: You must manually generate a client certificate, a server certificate, and a self-signed CA certificate.
Data Backup and Restoration
  This feature lets you back up and restore HSM instances to ensure data security and durability. Each backup captures the data of one HSM instance.
  Backup images are retained for 90 days after an HSM instance is released; after 90 days they are automatically deleted. Images can also be replicated across regions to strengthen disaster recovery.
Image Quota
  The number of images in a backup. Each image holds one backup of one HSM instance.
  An HSM instance is automatically backed up once a day at 00:00 (UTC+8) to generate an image. When the number of images reaches the upper limit, the system automatically overwrites the earliest image.
Quantity
  Select the number of HSM instances to purchase. By default, two HSM instances are purchased.
Duration
  Select the subscription duration.
  To prevent permanent key loss if you do not renew your subscription on time, select Auto-renewal. When Auto-renewal is selected, Alibaba Cloud automatically deducts the fee from your payment account nine calendar days before the subscription expires. Make sure your account has a sufficient balance to avoid payment failure.
4. After the purchase is complete, you can view the HSM instance on the VSMs page. Creation of the HSM cluster takes approximately 5 minutes.
5. (Optional) If required, obtain the UKEY for the HSM instance.
Important: If your business requires bidirectional TLS authentication, review the following information before you decide whether to use a UKEY. This helps ensure smooth certificate rotation before expiration.
- If you use a hardware key management instance of Alibaba Cloud Key Management Service (KMS), do not register a UKEY administrator using the HSM management tool. If no UKEY administrator is registered, CloudHSM automatically rotates the certificate before it expires. No action is required from you.
- For other users:
  - If you registered a UKEY administrator, automatic certificate rotation is not supported. Before the certificate expires, you must generate a new certificate and update it on both the client software development kit (SDK) and the server-side HSM.
  - If you did not register a UKEY administrator, automatic certificate rotation is supported. Before the certificate expires, CloudHSM automatically generates a new certificate. You must download the new certificate from the console and update the client certificate. CloudHSM automatically uploads the server certificate to the HSM.
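The following shell example is added here and is not CloudHSM's own tooling or code from the original page. It shows the three-certificate set (self-signed CA, server certificate, client certificate) that the manual "Automatic Certificate Generation: No" option leaves to you, verifies that both leaf certificates chain to the CA, and adds an expiry check of the kind a client operator needs when automatic rotation is not available (a registered UKEY administrator). It assumes OpenSSL and GNU date on a Linux ECS instance; the file names, subject names and the 10-year validity are illustrative choices, not values prescribed by CloudHSM.

```shell
#!/usr/bin/env bash
# Added example, not CloudHSM tooling. Assumes OpenSSL and GNU date (Linux).
set -euo pipefail

# make_mtls_bundle DIR - create the CA, server and client key/cert pairs in DIR.
# Subject names and the 10-year (3650-day) validity are illustrative.
make_mtls_bundle() {
  local dir="$1"
  mkdir -p "$dir"
  # 1. Self-signed CA that both the SDK and the HSM cluster will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=example-hsm-ca" 2>/dev/null
  # 2. Server certificate (presented by the HSM side), signed by the CA.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=hsm-cluster.example" 2>/dev/null
  openssl x509 -req -days 3650 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null
  # 3. Client certificate (presented by the SDK), signed by the same CA.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" \
    -subj "/CN=hsm-client-app" 2>/dev/null
  openssl x509 -req -days 3650 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.crt" 2>/dev/null
}

# verify_chain DIR - print "ok" only if both leaf certificates chain to the CA.
verify_chain() {
  local dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1 &&
  echo ok
}

# days_until_expiry CERT - whole days left before the certificate's notAfter.
days_until_expiry() {
  local not_after epoch_after epoch_now
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  epoch_after=$(date -d "$not_after" +%s)   # GNU date syntax
  epoch_now=$(date +%s)
  echo $(( (epoch_after - epoch_now) / 86400 ))
}

# needs_rotation CERT DAYS - succeed (exit 0) if CERT expires within DAYS days,
# i.e. a new certificate should be generated and rolled out now.
needs_rotation() {
  # openssl -checkend returns 1 when the certificate expires within the window.
  ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# Usage (run as a script): build a bundle in ./hsm-certs and report the client
# certificate's remaining lifetime against a 30-day rotation window.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  make_mtls_bundle ./hsm-certs
  echo "chain: $(verify_chain ./hsm-certs)"
  echo "client cert days left: $(days_until_expiry ./hsm-certs/client.crt)"
  if needs_rotation ./hsm-certs/client.crt 30; then
    echo "rotation due: generate and install a new client certificate"
  else
    echo "rotation not yet due"
  fi
fi
```

The private keys stay in the directory where they are generated; treat ca.key as the root of trust for the cluster and keep it offline once server.crt and client.crt have been issued. Running needs_rotation from a scheduled job gives you the early warning that the manual-rotation case above requires.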
Purchase GVSM (NIST FIPS)
CloudHSM supports only Dual-zone deployment, which requires a cluster. Therefore, you must purchase at least two HSM instances. After the purchase is complete, you must manually create an HSM cluster.
1. Log on to the Cloud Hardware Security Module console. In the top navigation bar, select the required region.
2. On the VSMs page, click Buy Now.
3. On the CloudHSM purchase page, configure the parameters as described in the following table. Then, click Buy Now and complete the payment.
Configuration items and their descriptions:

Region
  The region of the HSM instance. For more information about the supported regions, see Supported regions and zones.
  Note: The HSM instance must be in the same region as your ECS instance and VPC.
Device Model
  The type of the HSM instance. For more information about the performance of each HSM instance type, see Performance of virtual HSM instances.
Deployment Mode
  Only Dual-zone deployment is supported. You must configure at least two HSM instances in different zones, which enables cross-zone disaster recovery and simplifies cluster creation. CloudHSM selects the zones; you do not need to set them.
  Note: Only zones in the same region can communicate with each other over the network. CloudHSM and ECS instances can be in different zones.
Data Backup and Restoration
  This feature lets you back up and restore HSM instances to ensure data security and durability. Each backup captures the data of one HSM instance.
  Backup images are retained for 90 days after an HSM instance is released; after 90 days they are automatically deleted. Images can also be replicated across regions to strengthen disaster recovery.
Image Quota
  The number of images in a backup. Each image holds one backup of one HSM instance.
  An HSM instance is automatically backed up once a day at 00:00 (UTC+8) to generate an image. When the number of images reaches the upper limit, the system automatically overwrites the earliest image.
Quantity
  Select the number of HSM instances to purchase. By default, two HSM instances are purchased.
Duration
  Select the subscription duration.
  To prevent permanent key loss if you do not renew your subscription on time, select Auto-renewal. When Auto-renewal is selected, Alibaba Cloud automatically deducts the fee from your payment account nine calendar days before the subscription expires. Make sure your account has a sufficient balance to avoid payment failure.
4. After the purchase is complete, you can view the HSM instance on the VSMs page. The Status of the VSM is New.
Reference
For information about how to purchase and configure an HSM instance that is associated with a KMS hardware key management instance, see Configure an HSM cluster for a KMS hardware key management instance.