This topic describes how to use managed HSMs to create and use customer master keys (CMKs).

Background information

You can use managed HSMs only in supported regions. For more information, see Supported regions.

Create a CMK in the Key Management Service (KMS) console

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create a CMK.
  3. In the left-side navigation pane, click Keys.
  4. Click Create Key.
  5. In the Create Key dialog box, configure the KMS Instance, Key Spec, Purpose, Alias Name, Protection Level, Description, Rotation Period, and Key Material Source parameters.
    Note
    • We recommend that you set the Protection Level parameter to Hsm.
    • For more information about the parameters, see Create a CMK.
  6. Click OK.
    After the CMK is created, you can view the protection level of the CMK in the Protection Level column.

Create a CMK by using Alibaba Cloud CLI

  1. Call the CreateKey operation to create a CMK.
    aliyun kms CreateKey --ProtectionLevel HSM --Description "Key1 in Managed HSM"
  2. Call the DescribeKey operation to query the protection level of the CMK.
    aliyun kms DescribeKey --KeyId 1234abcd-12ab-34cd-56ef-12345678****

    Expected output:

    {
      "KeyMetadata": {
        "CreationDate": "2019-07-04T13:14:15Z",
        "Description": "Key1 in Managed HSM",
        "KeyId": "1234abcd-12ab-34cd-56ef-12345678****",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT/DECRYPT",
        "DeleteDate": "",
        "Creator": "151266687691****",
        "Arn": "acs:kms:cn-hongkong:151266687691****:key/1234abcd-12ab-34cd-56ef-12345678****",
        "Origin": "Aliyun_KMS",
        "MaterialExpireTime": "",
        "ProtectionLevel": "HSM"
      },
      "RequestId": "8eaeaa8b-4491-4f1e-a51e-f95a4e54620c"
    }

Import an external CMK to a managed HSM

If you want to import an external CMK from user-managed key infrastructure to a managed HSM, you must set the Protection Level parameter to Hsm when you create the external CMK. For more information about how to create an external CMK, see Import key material in the KMS console.

When the import starts, KMS performs the following operations:
  • When you call the GetParametersForImport operation, KMS, because the CMK has the Hsm protection level, generates a key pair inside a managed HSM for the import and returns the public key of that pair.
  • When you call the ImportKeyMaterial operation, KMS passes the encrypted external key material to the managed HSM, which recovers the key material by using its own key unwrapping mechanism. The plaintext of the key material stays inside the HSM and cannot be exported.
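The two import steps above, modeled as an added example (not code from this page or from KMS): the HSM side generates the wrapping pair and hands out only the public key, the client side wraps the raw key material, and the HSM side unwraps it while keeping the plaintext internal. The wrapping algorithm (RSA-2048 with OAEP/SHA-256), the type and the method names are assumptions for illustration; the real parameters are those of the GetParametersForImport and ImportKeyMaterial operations.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
)

// ManagedHSM stands in for the managed HSM (assumed type); the wrapping private key and the imported material never leave it.
type ManagedHSM struct {
	wrapKey  *rsa.PrivateKey
	material []byte // imported CMK material; deliberately no getter
}

// GetParametersForImport mimics the KMS operation: an RSA-2048 wrapping pair is
// generated inside the HSM and only its public half is returned to the caller.
func (h *ManagedHSM) GetParametersForImport() (*rsa.PublicKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	h.wrapKey = k
	return &k.PublicKey, nil
}

// WrapKeyMaterial is the client side (user-managed key infrastructure): encrypt the raw
// material to the HSM public key with RSA-OAEP/SHA-256 (assumed) and base64-encode it.
func WrapKeyMaterial(pub *rsa.PublicKey, material []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// ImportKeyMaterial mimics the KMS operation: the HSM unwraps with the private key it
// holds and keeps the plaintext; the caller only learns the length. Tampered blobs fail OAEP.
func (h *ManagedHSM) ImportKeyMaterial(wrapped string) (int, error) {
	ct, err := base64.StdEncoding.DecodeString(wrapped)
	if err != nil {
		return 0, err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, h.wrapKey, ct, nil)
	if err != nil {
		return 0, err
	}
	h.material = pt
	return len(pt), nil
}
```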

Manage and use CMKs

You can apply all the management and cryptographic features that are supported by KMS to the CMKs that are created in managed HSMs. The features allow you to perform the following operations:
  • Enable and disable CMKs.
  • Manage the lifecycle of CMKs.
  • Manage the aliases of CMKs.
  • Manage the tags of CMKs.
  • Call cryptographic API operations.

Integration with other Alibaba Cloud services

CMKs in managed HSMs can be used to protect native data in other Alibaba Cloud services, such as Elastic Compute Service (ECS), ApsaraDB RDS, and Object Storage Service (OSS), by using the standard KMS API. The prerequisite is that the Alibaba Cloud service supports server-side encryption (SSE) with user-managed CMKs. To use server-side encryption, you only need to configure a CMK that is created in a managed HSM for the Alibaba Cloud service.