To use a hardware key management instance of Key Management Service (KMS), you must connect it to a CloudHSM cluster, which provides automatic data synchronization, load balancing, and high availability.
Architecture example
Integrating KMS with a CloudHSM cluster offers both key management flexibility and hardware-level security, meeting Guomi or FIPS 140-2 Level 3 compliance requirements. KMS manages the entire key lifecycle, which simplifies the use of HSMs. The HSMs, in turn, provide a secure hardware environment for storing key material. A mutually authenticated Transport Layer Security (TLS) channel secures all communication.
The HSM management tool can only be installed on an Alibaba Cloud ECS instance, which is then used to connect to the master HSM for configuration. Alternatively, you can use a local terminal, but you must ensure it has network connectivity to the HSM.
Usage notes
-
A KMS hardware key management instance can be associated only with a GVSM.
-
The HSMs, the KMS hardware key management instance, and the ECS instance must be in the same region and the same VPC.
-
To manage HSMs in the Chinese mainland, the ECS instance must run a Windows operating system. To manage HSMs outside the Chinese mainland, the ECS instance must run CentOS 8 or Alibaba Cloud Linux.
Supported regions and zones
The Chinese mainland
Region
Region ID
Zone
China (Hangzhou)
cn-hangzhou
Zone A, Zone G
China (Shanghai)
cn-shanghai
Zone A, Zone B, Zone F
China (Beijing)
cn-beijing
Zone A, Zone F, Zone K
China (Shenzhen)
cn-shenzhen
Zone A, Zone E
China (Chengdu)
cn-chengdu
Zone A, Zone B
China (Heyuan)
cn-heyuan
Zone A, Zone B
Outside the Chinese mainland
Region
Region ID
Zone
China (Hong Kong)
cn-hongkong
Zone B, Zone C
Singapore
ap-southeast-1
Zone A, Zone B
Malaysia (Kuala Lumpur)
ap-southeast-3
Zone A, Zone B
SAU (Riyadh - Partner Region)
me-central-1
Zone A, Zone B
Indonesia (Jakarta)
ap-southeast-5
Zone A, Zone B
Prerequisites
-
You have created a VPC and two vSwitches in two different zones. For more information, see Create a VPC and vSwitches.
-
You have created an ECS instance in the same VPC as the master HSM. For more information, see Create an instance using the wizard.
Note-
To manage HSMs in the Chinese mainland, the ECS instance must run a Windows operating system. To manage HSMs outside the Chinese mainland, the ECS instance must run CentOS 8 or Alibaba Cloud Linux.
-
This topic uses an ECS instance as an example. You can also manage HSMs from a local terminal. If you use a local terminal, you must connect it to the HSM instance's VPC by using a VPN or an Express Connect circuit. For more information, see Connect a PC or Android client to a VPC by using an SSL-VPN connection or Connect an on-premises data center to a VPC by using an Express Connect circuit.
-
Configure the cluster
GVSM (Guomi) cluster
Step 1: Purchase a CloudHSM cluster
A cluster associates a group of HSM instances that are in different zones of the same region and are used for the same business purpose, enabling unified management and providing high availability, load balancing, and horizontal scalability for cryptographic operations.
Log on to the HSM Management Console. In the top navigation bar, select the destination region.
-
On the VSMs tab, click Create HSM.
-
On the CloudHSM purchase page, configure the parameters as described below, then click Buy Now and complete the payment.
NoteFor other parameters, configure them based on your business needs. For more information, see Purchase a GVSM (Guomi) instance.
-
Crypto Service Type: Select General-purpose Server HSM GVSM.
-
Whitelist: Select Yes. This allows all IP addresses in the VPC to access the CloudHSM cluster.
-
Auto-generate Certificates: Select Yes. The HSM automatically generates the certificates required for encrypted communication and completes the certificate configuration. KMS automatically obtains the relevant certificate files and completes the client-side configuration. You do not need to manage the certificate generation and configuration process. KMS and the CloudHSM cluster use a mutually authenticated TLS channel to secure data in transit.
Important-
Do not register a USB key administrator for the HSM. The certificates are valid for 10 years, and the HSM can automatically rotate them before expiration. Registering a USB key administrator causes the rotation to fail.
-
-
Cluster Name: The name of the cluster to which the HSM belongs.
NoteIf you configure cluster information, the HSM automatically creates a cluster based on your settings.
-
VPC: Select the VPC for the HSM.
-
vSwitch: Select two to four vSwitches. The vSwitches must be in different zones.
-
-
After the purchase is complete, you can view the HSM instance on the VSMs page. Cluster creation takes about 5 minutes.
Step 2: Synchronize cluster data
Check the cluster's synchronization mode to determine if you need to manually synchronize data. On the HSM instance page, view the cluster type in the Cluster column of the instance list.
-
Automatic synchronization cluster
Data in the cluster is synchronized automatically. No manual action is required.
-
Manual synchronization cluster
After you create and activate the cluster for the first time, you must manually synchronize data from the master HSM to the subordinate HSMs. When you scale out the cluster, data is automatically synchronized to the new HSM instances.
-
In the Actions column, click Synchronize Cluster to synchronize data from the master HSM to the subordinate HSM. During synchronization, the cluster status is Synchronizing.
-
After the synchronization is complete, verify that the HSM digests are consistent.
On the instance details page, locate Instance Digest and click the View link. In the table that appears, verify that the digest hash values are identical for all instances in the cluster. If the values are identical, the cluster configuration is complete. If they differ, repeat the synchronization. If the digests remain inconsistent after retrying, contact us.
-
FIPS-compliant cluster
Log on to the HSM Management Console. In the top navigation bar, select the destination region.
-
On the VSMs tab, click Create HSM.
-
On the CloudHSM purchase page, configure the parameters as described below, then click Buy Now and complete the payment.
NoteFor other parameters, configure them based on your business needs. For more information, see GVSM (NIST FIPS).
-
Crypto Service Type: Select GVSM.
-
Auto-generate Certificates: Select Yes. This automatically generates client and server certificates. You can view the generated certificates on the HSM Instance Details page.
ImportantIf you select Yes for Auto-generate Certificates, the HSM automatically enables the HSM instances and activates the cluster. If you select No, refer to Use a GVSM (NIST FIPS) CloudHSM cluster to manually complete the Create and activate the cluster and Start the HSM client (hsm_proxy) steps.
-
Cluster Name: The name of the cluster to which the HSM belongs.
-
VPC: Select the VPC for the HSM.
-
vSwitch: Select two to four vSwitches. The vSwitches must be in different zones.
-
-
After the purchase is complete, you can view the HSM instance on the VSMs page. Cluster creation takes about 5 minutes.
Configure hardware key management instance
In the Key Management Service console, purchase and configure a KMS hardware key management instance.
Step 1: Purchase a KMS hardware instance
Log on to the Key Management Service console. In the top navigation bar, select a region. In the left-side navigation pane, choose .
-
On the Instances page, click the Hardware Key Management tab, and then click Create Instance.
-
Select the specifications for the KMS instance and click Buy Now.
NoteFor more information about the parameters, see Purchase and enable a KMS instance.
-
Key Management Type: Hardware Key Management
-
Region: Select the region where your HSMs are located.
-
Step 2: Enable the hardware instance
-
Click the Hardware Key Management tab. Find the target KMS hardware key management instance and click Actions in the Enable column.
-
In the Connect to HSM panel, configure the parameters and click Connect to HSM.
NoteFor more information about the parameters, see Enable a hardware key management instance.
-
Select Cluster: Select the GVSM (Guomi) or FIPS-compliant HSM cluster that you purchased and configured.
-
Configure HSM Access Secret.: If you selected Yes for Auto-generate Certificates when you purchased the GVSM (Guomi) or FIPS-compliant HSM, the HSM automatically generates the required certificates. No manual configuration is needed.
-
VPC: This defaults to the VPC ID of the bound HSM. This value is read-only and cannot be changed.
-