This topic describes how to purchase a Cloud Hardware Security Module (HSM) instance.
Usage scope
HSM instances can be accessed only from Elastic Compute Service (ECS) instances within the same virtual private cloud (VPC). Before you purchase an HSM instance, make sure that the following requirements are met:
A VPC is created, and at least one vSwitch is configured in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
An ECS instance is created in the VPC. For more information, see Purchase a custom instance.
Note: This ECS instance is used to install the HSM management tool and is not intended for use as a business server.
To manage HSM instances in the Chinese mainland, the ECS instance must run a Windows operating system.
To manage HSM instances outside the Chinese mainland, the ECS instance must run a Linux operating system.
Purchase GVSM (SM) or GVSM (NIST FIPS)
CloudHSM requires dual-zone deployment and operates in cluster mode. When you purchase HSM instances, you configure the cluster settings. The cluster is automatically created after the purchase is complete.
Log on to the HSM Management Console. In the top navigation bar, select the destination region.
On the VSMs page, click Create HSM.
On the CloudHSM purchase page, configure the parameters as described in the following table. Then, click Buy Now and complete the payment.
Parameter / Description
Region
The region in which to deploy the HSM instance. For more information about available regions, see Supported regions and zones.
Note: The HSM instance must be in the same region as your ECS instance and VPC.
Device Model
The device model of the HSM instance. For more information about the performance of each device model, see Performance of virtual HSM instances.
Deployment Mode
Dual-zone deployment requires at least two HSMs in different zones, which provides cross-zone disaster recovery and simplifies cluster creation.
Note: Only zones in the same region can communicate with each other over the network.
CloudHSM and ECS instances can be in different zones.
Cluster Name
The name must be 1 to 24 characters in length. It must start with an English letter, Chinese character, or digit and can contain digits, underscores (_), and hyphens (-).
VPC ID
Select the VPC to which the HSM instance belongs.
Add to Whitelist
Yes (Recommended): HSM adds the VPC CIDR block to the cluster whitelist. All IP addresses in this VPC can access the HSM cluster.
Note: If you want only specific IP addresses in the VPC to access the HSM cluster, you can modify the whitelist after the cluster is created. For more information, see Use an HSM instance cluster.
No: No whitelist is configured. All IP addresses can access the HSM cluster.
vSwitch
Select two to four vSwitches. The vSwitches must be in different zones.
Automatic Certificate Generation
Yes (Recommended): Certificates are automatically generated and can be viewed on the Instance Details page of the HSM.
No: You must manually generate and configure certificates. For more information, see (Optional) Step 2: Generate Certificates and Configure TLS Mutual Authentication and Step 3: Import Cluster Certificates.
Network Type
The network type. Only VPC is supported.
Data Backup and Restoration
Supports HSM backup and restoration to ensure the security and persistence of data on the HSM.
If an HSM is released, its backup images are retained for 90 days. After the period elapses, the backup images are automatically deleted. The cross-region image replication feature is provided to enhance disaster recovery capabilities.
Image Quota
The number of backup images. Each image captures the data of one HSM instance.
The image of an HSM is automatically created at 00:00 (UTC+8) every day after the HSM is initialized. When the number of images reaches the upper limit, the system automatically deletes the earliest image.
Quantity
The number of HSM instances to purchase. The default is two.
Duration
The subscription period.
We recommend that you enable auto-renewal to prevent service interruptions or resource release due to expiration. The auto-renewal period is monthly. Charges are automatically processed at the current market price before the instance expires. You can disable auto-renewal at any time. To enable auto-renewal, select Auto-renewal Recommended.
Note: When you select Auto-renewal Recommended, Alibaba Cloud automatically deducts the fee from your payment account nine calendar days before the subscription expires. Make sure your account has a sufficient balance to avoid payment failure.
After you complete the purchase, view the HSM instance on the VSMs page. The HSM cluster is created in approximately 5 minutes.
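The Add to Whitelist parameter above has three effective states: the whole VPC CIDR block (the "Yes" option), a narrowed list of specific addresses edited after cluster creation, and no whitelist at all ("No"), which leaves the cluster reachable from any address. The following is an added example, not code from the page or from Alibaba Cloud, that models those states with the Python standard library so you can evaluate a candidate client address and audit a whitelist before relying on it. The VPC CIDR, whitelist entries and client addresses are constructed sample values; the page does not define how the console or any API represents the whitelist, so the list-of-CIDR-strings form is an assumption.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample values (assumptions, not taken from the page or any real account).
VPC_CIDR = "10.0.0.0/16"
FULL_VPC_WHITELIST = ["10.0.0.0/16"]                  # what "Add to Whitelist: Yes" produces
NARROWED_WHITELIST = ["10.0.1.10/32", "10.0.1.11/32"]  # only the hosts that need the HSM
NO_WHITELIST: List[str] = []                          # "Add to Whitelist: No": no restriction


def is_allowed(client_ip: str, whitelist: Iterable[str]) -> bool:
    """Return True if client_ip may reach the cluster under the given whitelist.

    An empty whitelist means no restriction, which mirrors the "No" option on the
    purchase page. Entries are CIDR blocks; a single host is written as /32.
    """
    entries = [ipaddress.ip_network(e, strict=False) for e in whitelist]
    if not entries:
        return True
    ip = ipaddress.ip_address(client_ip)
    # "ip in net" is False for mismatched IP versions, so mixed lists are safe.
    return any(ip in net for net in entries)


def audit_whitelist(vpc_cidr: str, whitelist: Iterable[str]) -> List[str]:
    """Return findings about a whitelist relative to the VPC it should protect.

    Findings (strings, prefixed with a code) flag the three states a reviewer
    cares about: no whitelist at all, entries outside the VPC, and an entry that
    admits the entire VPC rather than specific hosts.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    entries = [ipaddress.ip_network(e, strict=False) for e in whitelist]
    findings: List[str] = []
    if not entries:
        findings.append("NO_WHITELIST: every IP address can reach the cluster")
        return findings
    for net in entries:
        if net.version != vpc.version or not net.subnet_of(vpc):
            findings.append(f"OUTSIDE_VPC: {net} is not inside {vpc}")
        elif net == vpc:
            findings.append(
                f"WHOLE_VPC: {net} admits the entire VPC; narrow it to specific hosts"
            )
    return findings


if __name__ == "__main__":
    for label, wl in (("full VPC", FULL_VPC_WHITELIST),
                      ("narrowed", NARROWED_WHITELIST),
                      ("none", NO_WHITELIST)):
        print(label, "->", audit_whitelist(VPC_CIDR, wl) or ["OK"])
        print("  10.0.2.5 allowed:", is_allowed("10.0.2.5", wl))
```

The whitelist only governs which addresses can reach the cluster over the VPC network; client authentication still depends on the certificates and TLS mutual authentication configured through the Automatic Certificate Generation parameter.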
(Optional) Obtain the UKEY for the HSM: If you purchase an HSM in the Chinese mainland, decide whether to configure a UKEY as needed. The following describes the effects of using a UKEY and provides configuration recommendations:
Note: HSM instances outside the Chinese mainland do not require UKEY configuration.
Users of an Alibaba Cloud KMS hardware key management instance: Do not register a UKEY administrator using the HSM management tool. Otherwise, the HSM certificate cannot be automatically rotated, which affects the normal use of the hardware-protected key.
Important: If no UKEY administrator is registered, CloudHSM automatically rotates the certificate before it expires. No manual intervention is required.
Other users:
If you registered a UKEY administrator: Automatic certificate rotation is not supported. Before the certificate expires, generate a new certificate and update it on both the client SDK and the server-side HSM.
If you did not register a UKEY administrator: Automatic certificate rotation is supported. Before the certificate expires, CloudHSM automatically generates a new certificate. Download and update the client certificate from the console. CloudHSM automatically uploads the server certificate to the HSM.
References
To purchase and configure an HSM cluster that is associated with a KMS hardware key management instance, see Configure an HSM cluster for a KMS hardware key management instance.