Key Management Service (KMS) protects keys at two levels: Software and Hsm. When you select Hsm protection, KMS generates and stores your key material inside a managed Hardware Security Module (HSM) — a dedicated hardware device where cryptographic operations are performed and key material never leaves in plaintext. This topic explains when to use HSM protection and how to create, import, and manage customer master keys (CMKs) backed by managed HSMs.
Do I need HSM protection?
Software protection meets the security requirements of most workloads. Choose Hsm protection when your organization requires:
Keys generated and stored in dedicated hardware, not software
The ability to verify key residency independently of the KMS service
Compliance with regulations that mandate hardware-backed key storage
Note: Managed HSMs are available only in supported regions. Confirm regional availability before planning your deployment.
How it works
When you create a CMK with Protection Level set to Hsm:
Key metadata (key ID, state, aliases, tags) is managed through the KMS console and API.
Key material is generated and stored inside the managed HSM. It never leaves the hardware boundary in plaintext.
Cryptographic operations (encrypt, decrypt, sign, verify) are performed within the HSM.
This separation means you manage keys through KMS as usual, while the hardware provides the isolation required for compliance.
Create a CMK in the KMS console
Log on to the KMS console.
In the top navigation bar, select the region where you want to create the CMK.
In the left-side navigation pane, choose Resource > Keys.
Click Create Key.
In the Create Key dialog box, configure the following parameters: KMS Instance, Key Spec, Purpose, Alias Name, Protection Level, Description, Rotation Period, and Key Material Source. Set Protection Level to Hsm to store the key material in a managed HSM. For details on all parameters, see Create a CMK.
Click OK.
After the CMK is created, verify the protection level in the Protection Level column on the Keys page.
Create a CMK using Alibaba Cloud CLI
Call the `CreateKey` operation with `--ProtectionLevel HSM`:

```
aliyun kms CreateKey --ProtectionLevel HSM --Description "Key1 in Managed HSM"
```

Call the `DescribeKey` operation to confirm the protection level:

```
aliyun kms DescribeKey --KeyId 1234abcd-12ab-34cd-56ef-12345678****
```

The response is similar to the following. Verify that `ProtectionLevel` is `HSM`:

```
{
  "KeyMetadata": {
    "CreationDate": "2019-07-04T13:14:15Z",
    "Description": "Key1 in Managed HSM",
    "KeyId": "1234abcd-12ab-34cd-56ef-12345678****",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT/DECRYPT",
    "DeleteDate": "",
    "Creator": "151266687691****",
    "Arn": "acs:kms:cn-hongkong:151266687691****:key/1234abcd-12ab-34cd-56ef-12345678****",
    "Origin": "Aliyun_KMS",
    "MaterialExpireTime": "",
    "ProtectionLevel": "HSM"
  },
  "RequestId": "8eaeaa8b-4491-4f1e-a51e-f95a4e54620c"
}
```
Import an external CMK to a managed HSM
If your organization manages key material externally (for example, in an on-premises HSM), you can import it into a KMS managed HSM.
Prerequisites
Before you begin, ensure that you have:
An external CMK created with Protection Level set to Hsm and Key Material Source set to External (in the CLI, `--Origin EXTERNAL`); the key has no material and stays in the PendingImport state until the import completes
Key material prepared according to the Import key material in the KMS console guide
Import process
The import uses two API operations in sequence:
`GetParametersForImport`: KMS generates a wrapping key pair inside the managed HSM and returns the public key together with an import token. Use the public key, with the wrapping algorithm you requested in this call, to encrypt your external key material before sending it to KMS. The public key and import token are issued as a pair and are time-limited; if the token expires before you import, request a new pair and wrap the material again.
`ImportKeyMaterial`: KMS imports the encrypted key material into the managed HSM and recovers the plaintext key material using the managed HSM's key unwrapping mechanism, so the private half of the wrapping key pair never exists outside the hardware. The plaintext key material is never exposed outside the hardware boundary.
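The following script ties together the CLI procedure above (create the CMK, then confirm its protection level from `DescribeKey`) and the two-step import. It is an added example, not Alibaba Cloud's own code. It assumes a configured `aliyun` CLI with KMS permissions, `openssl` and `base64` on the path, an AES-256 external key (`Aliyun_AES_256`), and that `RSAES_OAEP_SHA_256` with `RSA_2048` is among the wrapping options your region's managed HSM supports; check that against the region's documentation. The `json_field` helper is a deliberately small `sed` pattern for the flat responses KMS returns, not a general JSON parser. Live API calls run only when `RUN_LIVE=1` is set, so the checks can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example (not Alibaba Cloud's code): create an external CMK in a managed
# HSM, verify it is really HSM-backed, wrap locally generated key material with
# the HSM's RSA public key, import it, and verify the final state.
# Assumptions: aliyun CLI configured, openssl and base64 available,
# RSAES_OAEP_SHA_256 / RSA_2048 supported by the managed HSM in this region.
set -eu

# Pull a quoted string field out of a KMS JSON response (flat "Key": "value"
# shape, one occurrence per field). Not a general JSON parser.
json_field() {
  # $1 = field name, $2 = JSON text
  { printf '%s' "$2" | tr -d '\n'; echo; } \
    | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Return 0 only when DescribeKey output shows an HSM-protected, externally
# sourced key in the expected KeyState. Anything else aborts the procedure.
require_key_state() {
  # $1 = DescribeKey JSON, $2 = expected KeyState (PendingImport or Enabled)
  level=$(json_field ProtectionLevel "$1")
  origin=$(json_field Origin "$1")
  state=$(json_field KeyState "$1")
  if [ "$level" != "HSM" ]; then
    echo "refusing to continue: ProtectionLevel is '$level', not HSM" >&2
    return 1
  fi
  if [ "$origin" != "EXTERNAL" ]; then
    echo "refusing to continue: Origin is '$origin', not EXTERNAL" >&2
    return 1
  fi
  if [ "$state" != "$2" ]; then
    echo "refusing to continue: KeyState is '$state', expected $2" >&2
    return 1
  fi
  return 0
}

# Encrypt raw key material (on stdin) with the HSM-generated RSA-2048 public
# key using RSAES_OAEP_SHA_256, the algorithm requested from
# GetParametersForImport below. Output is base64 for --EncryptedKeyMaterial.
# Reading from stdin keeps the plaintext key material off the filesystem.
wrap_key_material() {
  # $1 = base64-encoded DER public key from GetParametersForImport
  printf '%s' "$1" | base64 -d > wrapping_key.der
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey wrapping_key.der \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256 | base64 | tr -d '\n'
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  # 1. Create the external CMK in the managed HSM; it has no material yet.
  created=$(aliyun kms CreateKey --ProtectionLevel HSM --Origin EXTERNAL \
    --KeySpec Aliyun_AES_256 --Description "External key in Managed HSM")
  key_id=$(json_field KeyId "$created")
  require_key_state "$(aliyun kms DescribeKey --KeyId "$key_id")" PendingImport

  # 2. Ask the HSM for a wrapping key pair and a one-time import token.
  params=$(aliyun kms GetParametersForImport --KeyId "$key_id" \
    --WrappingAlgorithm RSAES_OAEP_SHA_256 --WrappingKeySpec RSA_2048)
  pubkey=$(json_field PublicKey "$params")
  token=$(json_field ImportToken "$params")

  # 3. Generate 32 bytes of key material (replace with an export from your
  #    own HSM) and wrap it so that only the managed HSM can unwrap it.
  wrapped=$(openssl rand 32 | wrap_key_material "$pubkey")

  # 4. Import, expiring the material 90 days from now (0 would mean never),
  #    then confirm the key became usable without leaving the HSM.
  aliyun kms ImportKeyMaterial --KeyId "$key_id" --ImportToken "$token" \
    --EncryptedKeyMaterial "$wrapped" \
    --KeyMaterialExpireUnix "$(( $(date +%s) + 90 * 86400 ))" > /dev/null
  require_key_state "$(aliyun kms DescribeKey --KeyId "$key_id")" Enabled
  rm -f wrapping_key.der
  echo "imported external key material into HSM-backed CMK $key_id"
fi
```

Run it with `RUN_LIVE=1 sh import_hsm_key.sh` against a region where managed HSMs are available. The `require_key_state` check after `CreateKey` is the important guard: if the CLI profile points at a region without managed HSMs, or the `--ProtectionLevel` flag is dropped, the key would silently be created with software protection and the later import would succeed against the wrong boundary.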
Manage and use CMKs
CMKs in managed HSMs support all standard KMS management and cryptographic operations:
Enable and disable CMKs
Manage the lifecycle of CMKs
Manage aliases of CMKs
Manage tags of CMKs
Call cryptographic API operations
Integration with Alibaba Cloud services
CMKs in managed HSMs work with Alibaba Cloud services that support server-side encryption (SSE) with user-managed CMKs, including Elastic Compute Service (ECS), ApsaraDB RDS, and Object Storage Service (OSS), by using the standard KMS API. To use HSM-backed encryption in one of these services, configure the service to use a CMK created in a managed HSM — no additional integration steps are required beyond standard SSE configuration.
What's next
Import key material in the KMS console