## The 30-second summary
AWS KMS GenerateRandom returns random bytes generated inside an AWS-managed FIPS 140-2 HSM. It's the right primitive when your compliance posture specifically requires HSM-sourced entropy, or when you're already inside AWS's trust boundary for key material.
Provable.io is not an HSM. It's a commit-reveal API: the server publishes a hash of its seed before the draw, then reveals it, and anyone can re-derive the bytes. Different trust model — "trust the AWS HSM" vs "trust the open-source verifier."
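The commit-reveal flow just described, worked through end to end as an added example. This is not Provable.io's own code and does not reproduce its exact derivation: the commitment construction (SHA-256 of the server seed), the HMAC-SHA256 message layout (`clientSeed:nonce:counter`) and the nonce are assumptions chosen to illustrate the model, and the seeds are constructed inline.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of a commit-reveal random-byte scheme. The exact
# inputs Provable.io feeds to HMAC-SHA256 and how it forms its commitment are
# NOT taken from the page above; they are assumptions made for this example.


def commit(server_seed: bytes) -> str:
    """Server step 1: publish SHA-256 of the secret seed before any draw."""
    return hashlib.sha256(server_seed).hexdigest()


def derive_bytes(server_seed: bytes, client_seed: str, nonce: int, count: int) -> bytes:
    """Server step 2 / auditor re-derivation: an HMAC-SHA256 stream keyed by the
    server seed. Each 32-byte block hashes clientSeed:nonce:counter, so a
    different client seed, nonce or block index yields different bytes."""
    out = b""
    counter = 0
    while len(out) < count:
        msg = f"{client_seed}:{nonce}:{counter}".encode()
        out += hmac.new(server_seed, msg, hashlib.sha256).digest()
        counter += 1
    return out[:count]


def verify_draw(published_commitment: str, revealed_seed: bytes,
                client_seed: str, nonce: int, claimed_bytes: bytes) -> bool:
    """Auditor step: (a) the revealed seed must hash to the commitment that was
    published before the draw; (b) re-deriving with the same inputs must
    reproduce the bytes the server claimed. Constant-time compares throughout."""
    if not hmac.compare_digest(commit(revealed_seed), published_commitment):
        return False
    expected = derive_bytes(revealed_seed, client_seed, nonce, len(claimed_bytes))
    return hmac.compare_digest(expected, claimed_bytes)


def demo() -> dict:
    """Run one honest draw and one tampered reveal; returns the outcomes."""
    server_seed = secrets.token_bytes(32)      # secret until the reveal
    commitment = commit(server_seed)           # published first
    client_seed = "vs-aws-kms-demo"            # requester's contribution, chosen after the commitment
    draw = derive_bytes(server_seed, client_seed, nonce=0, count=32)

    honest_ok = verify_draw(commitment, server_seed, client_seed, 0, draw)
    # A server that swaps in a different seed at reveal time fails check (a).
    swapped_seed_ok = verify_draw(commitment, secrets.token_bytes(32), client_seed, 0, draw)
    return {"verified": honest_ok, "tampered_rejected": not swapped_seed_ok, "hex": draw.hex()}


if __name__ == "__main__":
    print(demo())
```

What the auditor actually learns from a passing `verify_draw` is that the server fixed its seed before the draw and that the bytes follow deterministically from seed plus inputs. It does not by itself show the server could not have chosen a favourable seed if it already knew the client seed; that is why, in a commit-reveal design, the client seed (or nonce) is supplied after the commitment is published.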
## Feature matrix
| Capability | Provable.io | AWS KMS GenerateRandom |
|---|---|---|
| Trust model | Re-derive from published seed + hash | Trust AWS-managed HSM |
| Verifiable to a third party | Yes | No — bytes are just bytes |
| Pre-commitment | Yes | No |
| Reproducible from seed | Yes | No |
| Entropy source | HMAC-SHA256 over committed seeds | FIPS 140-2 validated HSM |
| Cost | Free up to per-account daily quota | Per-request KMS API charge |
| IAM / network surface | API key or anonymous | Requires AWS credentials & KMS permissions |
| Game primitives | dice, shuffle, weighted pick, distributions | Raw bytes only |
| Best for | Public-audience draws that need proof | HSM-sourced key material inside AWS |
## When AWS KMS GenerateRandom is the right answer
KMS GenerateRandom is the right primitive when you actually need HSM-backed entropy:
- Generating cryptographic key material in a FIPS 140-2 environment.
- Compliance regimes that require HSM-sourced random bytes.
- You're already inside AWS's trust boundary for the rest of your secret material.
## When Provable.io is the right answer
KMS doesn't publish a proof — the bytes are unobservable from outside your account. Reach for Provable.io when:
- An external party has to verify the draw — raffles, A/B buckets, gacha pulls. See raffle picker.
- You don't want to pay per call. KMS bills per request; Provable.io's free tier covers most app workloads.
- You need higher-level primitives. See dice & coins.
## Try it now

Same shape as `kms.GenerateRandom({ NumberOfBytes: 32 })` — except the bytes carry a published proof.

```shell
curl "https://api.provable.io/api/bytes?clientSeed=vs-aws-kms-demo&count=32&encoding=hex"
```
## FAQ

### Is HSM entropy stronger than HMAC-SHA256?
For practical key-generation purposes, both are computationally indistinguishable from uniform. The HSM matters for compliance ("entropy came from a certified module"); the HMAC stream matters for verifiability ("anyone can re-derive these bytes").
### Can I use both?
Yes — call KMS for key material, Provable.io for any draw a third party will audit. They answer different questions.
### What about GCP Cloud KMS?
Same general comparison applies — see the dedicated page.