Overview

Dedicated HSM is devoted to provide customers with independent cryptographic resources and customized services to meet specific service and security requirements. Generally, it includes:

Independent cryptographic resources: You can use exclusive resources, such as HSMs and KMS, to ensure the independence and security of encryption operations.
Customized cryptographic policies: You can customize cryptographic algorithms, key management policies, and access control policies as required.
Data isolation: Ensure that your data is completely separated from the data of other users through physical or logical isolation to prevent data leakage.

Restrictions

Dedicated HSM instances must be used together with VPC. After a Dedicated HSM instance is created, you need to configure its VPC, security group, and NIC on the management console before using it.
To manage Dedicated HSM instances, you need to deploy the Dedicated HSM management tool in the same VPC as the instances.

Supported Cryptography Algorithms

You can use international common cryptographic algorithms to meet various user requirements.

**Table 1** Supported cryptography algorithms
Category	Common Cryptographic Algorithm
Symmetric cryptographic algorithm	AES
Asymmetric cryptographic algorithm	RSA, DSA, ECDSA, DH, and ECDH
Digest algorithm	SHA1, SHA256, and SHA384

Supported HSMs

**Table 2** Supported HSMs
HSM Type	Function	Scenario
Cloud HSM	Data encryption and decryption Data signature and verification Data digest Generation and verification of MAC addresses	Basic password calculations in applications of a wide range of industries, such as identity authentication, data protection, SSL keys, and computation offloading.
Financial HSM	Generation, encryption, conversion, and verification of personal identification number (PIN) Generation and verification of Media Access Control (MAC) Generation and verification of Card Verification Value (CVV) Generation and verification of Type Allocation Code (TAC) Typical Racal instruction set People's Bank of China (PBOC) 3.0 common instruction set	Cryptographic calculation in financial systems, such as card issuing systems and point of sale (POS) systems
Signature verification server	Signing and signature verification Encoding and decoding of digital envelopes Encoding and decoding of signed digital envelopes Certificate verification	Signature usage in Certificate Authority (CA) systems, certificate verification, encrypted transmission of a large amount of data, and identity authentication

Operation Guide

To use Dedicated HSM on the cloud, you can create Dedicated HSM instances through the management console. After a Dedicated HSM instance is created, you will receive the UKey sent by Dedicated HSM. You need to use the UKey to initialize and control the instance. You can use the management tool to authorize service applications the permission to access Dedicated HSM instances. Figure 1 illustrates the operation flow.

Figure 1 Operation Guide
Click to enlarge

Table 3 describes the operation guide.

**Table 3** Operation guide descriptions
No.	Procedure	Description	Operated By
1	Create a Dedicated HSM instance.	Create an instance on the Dedicated HSM management console. Huawei Cloud security team will evaluate your use scenarios to ensure that the instance meets your service requirements. Then you can pay for the ordered instance.	User
2	Activate a Dedicated HSM instance.	After an instance is purchased, you need to configure the instance on the management console. You need to select the VPC where the instance belongs and the function type of the instance. For details, see Activating a Dedicated HSM Instance.	User
3	Allocate a Dedicated HSM instance.	A security expert will contact you through the contact information you provided and determine whether the instance ordered meets your service requirements. The instance will be allocated after the expert reviews and confirms your order.	Dedicated HSM security expert
4	Obtain the UKey, initialization documents, and software.	A security expert sends the Ukey to the email address you provided. A UKey is the only identifier of a Dedicated HSM user. Keep it properly. A security expert will provide you with the software and guide for initializing Dedicated HSM instances. If you have any questions, contact the expert. NOTE: You can submit a service ticket to provide the Ukey recipient address and contact security experts for guidance.	Dedicated HSM security expert
5	Initialize and manage instances (involving UKey authentication).	Install the tool for managing Dedicated HSM instances on the instance management node. Use the UKey and the management tool to initialize the Dedicated HSM instance, and register an administrator to manage the Dedicated HSM instance and the key. For details, see Initializing a Dedicated HSM Instance.	User
6	Install the security agent and granting access permissions.	Install and initialize the security agent on service application nodes. For details, see Installing the Security Agent and Granting Access Permissions.	User
7	Access the instance.	Service applications access the Dedicated HSM instances through APIs or SDK.	User

Dedicated HSM and CPCS

Dedicated HSM and CPCS are both used for encryption and security assurance. However, their functions, applications, and management methods differ. For details, see Table 4.

**Table 4** Differences and connections between Dedicated HSM and CPCS
Service	Dedicated HSM	CPCS
Function	Dedicated HSMs are provided for users to enjoy exclusive resources. The main functions include encryption, decryption, signature, signature verification, key generation, and secure storage. Multiple algorithms certified by CSCA are supported. It can be used for scenarios that require high security and performance, such as financial payment and electronic signature.	A one-stop cryptographic service management platform is provided. Cluster deployment is supported. The main functions include not only encryption, decryption, signature, and signature verification, but also key management, timestamp, electronic seal, and database encryption.
Application	Used for scenarios that require high data security and performance, such as financial payment, electronic signature, and securities services. Applicable to enterprises and organizations that meet regulatory compliance requirements.	Applicable to enterprises and organizations that require multiple cryptographic services and need to pass the cryptography test quickly. Used for scenarios that require multiple cryptographic services, such as electronic contracts, electronic invoices, and electronic medical records.
Management method	You can perform initialization and permission management by managing the client. Hardware resources of high security are provided. You have full control over the generation, storage, and access authorization of keys.	Central management on the console is provided. Automatic deployment and monitoring are supported. Cluster deployment is supported, and elastic scaling and application-level isolation are supported.
Connection	Mutual goal: Provide secure cryptographic services to protect data security and integrity. Integration and complementarity: These two services can be integrated in certain scenarios. For example, Dedicated HSM can be used as the underlying cryptographic resource of CPCS, providing high-performance encryption computing support.