Updated on 2026-07-16 GMT+08:00

Functions

Dedicated HSM is a cloud service used for encryption, decryption, signature, signature verification, key generation, and the secure storage of keys.

Dedicated HSM provides encryption hardware, guaranteeing data security and integrity on Elastic Cloud Servers (ECSs) and meeting FIPS 140-2 requirements. Dedicated HSM offers you a secure and reliable management for the keys generated by your instances, and uses multiple algorithms for data encryption and decryption.

For details about the cryptographic algorithms and HSMs supported by Dedicated HSM, see DHSM Overview.

Concepts

Learn more about the following concepts before you begin:

Dedicated HSM Cluster

You can use the dedicated HSM cluster to manage the lifecycle of keys whenever you need. KMS uses a dedicated keystore to support the HYOK function, allowing users to control their master keys. Customer master keys (CMKs) are not separated from HSMs, and cryptographic operations are completed in HSMs.

Dedicated HSM provides the following capabilities:

  • Generation, storage, import, export, and management of encryption keys (both symmetric and asymmetric keys)
  • Data encryption and decryption by using symmetric and asymmetric algorithms
  • Using cryptographic hash functions to calculate message digests and hash-based message authentication code
  • Signing data and code in encrypted mode and verifying signature
  • Random data generation in encrypted mode

HSM

A hardware security module (HSM) is a dedicated hardware device that securely generates, stores, and manages encryption keys. It provides a highly secure, tamper-resistant environment for keys and cryptographic operations to prevent unauthorized access.

  • Virtual HSM: Shares hardware resources in a multi-tenant environment. It meets FIPS 140-2 Level 3 certification and standard cryptographic requirements. It is ideal for small- to medium-sized enterprises (SMEs) with moderate performance needs.
  • Dedicated HSM: Offers exclusively occupied, physically isolated hardware resources. It complies with FIPS 140-2 Level 3 (or Level 4) certification and features an anti-tamper physical design. It is ideal for large enterprises and financial institutions requiring high-throughput, low-latency, and financial-grade security.