
Key Management Service:SSL offloading through HSM

Last Updated: Nov 14, 2025

Hardware Security Module (HSM) supports SSL offloading, which moves SSL negotiation and encryption/decryption processing from application servers to HSM, reducing the load on the servers.

What is SSL offloading

SSL offloading is a network optimization technology that transfers SSL/TLS encryption and decryption operations from application servers to dedicated devices. Backend servers only need to process decrypted plaintext requests, freeing up CPU resources. Certificates and private keys are centrally managed on the offloading device, eliminating the need to install certificates on each server. This improves server performance and simplifies certificate management. SSL offloading is suitable for high-traffic HTTPS service scenarios such as websites and API services, along with scenarios in industries such as finance and healthcare that require centralized control of encrypted traffic.

Security

  • Internal network security: HSM communicates with backend servers over a VPC, so traffic between them stays on internal network channels.

  • Physical isolation and protection of private keys: Private keys are always stored in the tamper-resistant hardware of the HSM. Even if the HSM is compromised, attackers cannot obtain private keys by exporting or copying them. Security is ensured through physical isolation.

  • Centralized key management and access control: HSM centrally manages all certificate private keys, avoiding scattered storage across multiple servers or devices. HSM grants different permissions to users by setting roles such as administrator or operator.

  • Cluster deployment: HSM meets load balancing and disaster recovery requirements through cluster deployment.

Compliance

  • Algorithm compliance: HSM meets the requirements of national cryptography laws.

  • Auditable operations: HSM generates detailed logs that record the time, operation type, and other information for each private key usage to meet audit requirements.

Typical deployment diagram

The following figure shows a typical deployment solution for implementing SSL offloading on Alibaba Cloud ECS.

[Figure: typical deployment for SSL offloading on Alibaba Cloud ECS]

In the SSL offloading scenario, the Nginx proxy handles client TLS handshakes. The TASSL engine serves as a bridge between Nginx and HSM, forwarding Nginx's cryptographic operation requests to HSM through standard interfaces such as PKCS#11. The HSM instance management tool is used for operations such as initializing HSM and creating keys.

The entire TLS handshake process is as follows:

  1. The client establishes a TCP connection with Nginx and initiates a TLS handshake.

  2. When Nginx needs to use a private key for TLS authentication, Nginx sends an operation request to HSM through the TASSL engine.

    Note

    The private key is always stored in HSM and will not be loaded into the memory of the Nginx server.

  3. HSM performs TLS authentication-related decryption and signing operations and returns the results to the TASSL engine.

  4. Nginx completes the TLS handshake based on the results returned by HSM.

  5. An encrypted channel is established, and subsequent requests are decrypted by Nginx into plaintext and forwarded to the backend service.
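The handshake above only protects the private key if every `ssl_certificate_key` directive in the Nginx configuration points at the engine rather than at a key file on disk. The following added example, which is not code from this page, from Alibaba Cloud, or from the TASSL project, shows a constructed Nginx server block in the engine-backed form (`ssl_certificate_key "engine:<engine name>:<key id>"`, which is Nginx's own syntax) next to a second vhost that still loads a key file, and a small audit that parses each directive, decodes the PKCS#11 key identifier (RFC 7512 URI form), and reports which vhosts would load key material into Nginx's memory. The engine name `pkcs11`, the token and object labels, the file paths, and the backend address are placeholders; the page does not give the TASSL engine's actual engine name or key-identifier syntax, so the generic OpenSSL pkcs11 engine form is assumed here.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx configuration (illustrative placeholders, not from the page).
# The first vhost keeps its key inside the HSM behind the pkcs11 engine; the second
# references an on-disk key file and is what the audit should flag.
NGINX_CONF = '''
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/certs/app.crt;
    ssl_certificate_key "engine:pkcs11:pkcs11:token=hsm-token;object=tls-rsa-key;type=private";
    ssl_protocols       TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://10.0.1.10:8080;  # plaintext onward to the backend inside the VPC
    }
}
server {
    listen 443 ssl;
    server_name legacy.example.com;
    ssl_certificate     /etc/nginx/certs/legacy.crt;
    ssl_certificate_key /etc/nginx/certs/legacy.key;
}
'''

# Matches a quoted or unquoted ssl_certificate_key value followed by the ';' terminator.
KEY_DIRECTIVE = re.compile(r'^\s*ssl_certificate_key\s+(?:"([^"]*)"|([^\s;]+))\s*;')


def parse_pkcs11_uri(uri):
    """Parse the path attributes of an RFC 7512 PKCS#11 URI into a dict.

    Query attributes (after '?', e.g. pin-value) are deliberately dropped: a PIN
    has no business in a config audit report.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed PKCS#11 URI attribute: %r" % part)
        attrs[name] = unquote(value)  # percent-decoding per RFC 7512
    return attrs


def classify_key(value):
    """Classify an ssl_certificate_key value as engine-backed (HSM) or an on-disk file."""
    if value.startswith("engine:"):
        # nginx form: engine:<engine name>:<key id>. With a pkcs11 engine the key id is a
        # PKCS#11 URI naming the key object, so the private key never leaves the HSM.
        parts = value.split(":", 2)
        if len(parts) != 3:
            raise ValueError("engine key without key id: %r" % value)
        _, engine, key_id = parts
        info = {"kind": "engine", "engine": engine, "key_id": key_id}
        if key_id.startswith("pkcs11:"):
            info["pkcs11"] = parse_pkcs11_uri(key_id)
        return info
    return {"kind": "file", "path": value}


def audit_ssl_keys(conf):
    """Return one finding per ssl_certificate_key directive, with its line number."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = KEY_DIRECTIVE.match(line)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
            finding = classify_key(value)
            finding["line"] = lineno
            findings.append(finding)
    return findings


def file_backed_keys(conf):
    """Directives that would load a private key from disk into Nginx's memory."""
    return [f for f in audit_ssl_keys(conf) if f["kind"] == "file"]


if __name__ == "__main__":
    for f in audit_ssl_keys(NGINX_CONF):
        if f["kind"] == "engine":
            print("line %d: key held by engine %r, object %s"
                  % (f["line"], f["engine"], f.get("pkcs11", {}).get("object")))
        else:
            print("line %d: on-disk private key %s" % (f["line"], f["path"]))
```

Run against a real `nginx.conf` (after `nginx -T` to expand includes), an empty result from `file_backed_keys` is the property the Note in step 2 describes: no vhost reads a private key into the Nginx process. The audit also gives you the token and object labels per vhost, which is what you need to match a certificate rotation to the corresponding key object in the HSM.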