Updated on 2024-05-15 GMT+08:00

Using Dedicated HSM Instances

After your payment is complete, please wait for us to send the Ukey used for initializing the Dedicated HSM instance to your email address. A Dedicated HSM service expert will also contact you and send related documents and software, including the tool used for managing Dedicated HSM instances, and the security agent and SDK used for service calls.

Prerequisites

After configuring a Dedicated HSM instance, you need to initialize the instance, install the security agent, and grant access permissions. The following information is required.

Table 1 Required information

| Item | Description | How to Obtain |
| --- | --- | --- |
| Ukey | Stores the permission management information about the instance. | After the order is paid and the Dedicated HSM instance is configured, the Ukey is sent to the recipient email address you provided. |
| Dedicated HSM instance management tool | Works with the Ukey to remotely manage instances. | A service expert will contact you and send the related documents and software. |
| Dedicated HSM instance documents | Dedicated HSM Instance User Manual and Dedicated HSM Instance Installation Guide | Sent by the service expert together with the management tool. |
| Security agent software | Establishes a secure connection with the instance. | Sent by the service expert together with the management tool. |
| SDK | Provides APIs for Dedicated HSM. You can use the SDK to establish secure connections with instances. | Sent by the service expert together with the management tool. |
| Dedicated HSM instance management node (for example, an ECS) | Runs the Dedicated HSM instance management tool. The node must be in the VPC where the Dedicated HSM instance resides and needs an elastic IP address (EIP) for remote connections. | Purchase ECSs as needed. For details, see Purchasing an ECS. |
| Service application nodes (for example, ECSs) | Run the security agent software and your service applications. These nodes must be in the VPC where the Dedicated HSM instance is deployed. | Purchase ECSs as needed. For details, see Purchasing an ECS. |

Initializing a Dedicated HSM Instance

Currently, you cannot log in to Dedicated HSM instances via SSH. You need to use the Dedicated HSM instance management tool to manage the instances.

Assume you want to use a Windows ECS as the Dedicated HSM instance management node. Perform the following steps to initialize the Dedicated HSM instance:

  1. Purchase a Windows ECS as the Dedicated HSM instance management node.

    1. Log in to the management console.
    2. In the service list, choose Computing > Elastic Cloud Server.
    3. Click Buy ECS.
      • Set Region and AZ to the same values as those of the Dedicated HSM instance you purchased.
      • Set Image to a Windows public image.
      • Set VPC to the VPC where the Dedicated HSM instance belongs.
      • Set EIP: bind an EIP so that the management node can be reached remotely. For details about how to bind an EIP, see How Do I Enable Public Access to a Dedicated HSM Instance?.

        After the Dedicated HSM instance is initialized, you can unbind the EIP. You can bind and unbind the EIP whenever needed.

      • Set other parameters based on site requirements.

  2. Initialize the Dedicated HSM instance by using the received management tool and related documents.
  3. After the initialization is complete, you can use the management tool to generate, destroy, back up, and restore keys.

    If you have any questions during initialization and management, consult the Dedicated HSM service expert.

    For more information, see the Dedicated HSM instance documents: Dedicated HSM Instance User Manual and Dedicated HSM Instance Installation Guide.

Installing the Security Agent and Granting Access Permissions

You need to install the security agent on a service application node to establish a secure channel to the Dedicated HSM instance.

  1. Download the certificate for accessing the Dedicated HSM instance from the management tool.
  2. Install the security agent on the service application node.
  3. Import the certificate to the security agent. Grant the service application the permission to access the Dedicated HSM instance.
  4. The service application can then access the Dedicated HSM instance through the SDK or APIs.

    You can configure multiple Dedicated HSM instances in the security agent to balance loads.