IBM Cloud Hyper Protect Crypto Services
IBM Cloud Hyper Protect Crypto Services is a dedicated key management service and
Hardware Security Module (HSM) that provides you with the Keep Your Own Key capability for cloud data encryption. Built on FIPS 140-2 Level 4 certified hardware, Hyper Protect Crypto Services allows you to have exclusive control of your encryption keys.
Why IBM Cloud Hyper Protect Crypto Services?
Data and information security is crucial for IT environments. As more data moves to the cloud, keeping that data protected becomes a non-trivial challenge. Built on IBM LinuxONE technology, Hyper Protect Crypto Services helps ensure that only you have access to your keys and data. A single-tenant key management service, with key vaulting provided by dedicated customer-controlled HSMs, helps you create and manage your encryption keys. Alternatively, you can bring your own encryption keys to the cloud. The service uses the same key-provider API as Key Protect, a multi-tenant key management service, so the two can be adopted consistently across IBM Cloud services.
Hyper Protect Crypto Services is a dedicated HSM that is controlled by you. IBM Cloud administrators have no access. The service is built on FIPS 140-2 Level 4-certified hardware, the highest level offered by any cloud provider in the industry. IBM is the first to provide a cloud command-line interface (CLI) for HSM master key initialization, which lets you take ownership of the cloud HSM. You can also load the master key with the IBM Hyper Protect Crypto Services Management Utilities. The Management Utilities create and store your master key parts on smart cards and never expose your secrets to the workstation or the cloud, which gives your secrets the highest level of protection.
Hyper Protect Crypto Services can integrate with IBM Cloud data and storage services, as well as VMware vSphere and vSAN, to provide data-at-rest encryption.
The managed cloud HSM supports industry-standard cryptographic operations through the Public-Key Cryptography Standards (PKCS) #11 API. Existing applications that use the PKCS #11 standard do not need to be changed to run in the Hyper Protect Crypto Services environment. The PKCS #11 library accepts PKCS #11 API requests from your applications and remotely accesses the cloud HSM to execute the corresponding cryptographic functions, such as digital signing and signature verification. For more information about the PKCS #11 API, see Introducing PKCS #11 and PKCS #11 API reference.
Enterprise PKCS #11 over gRPC (GREP11) is also supported by Hyper Protect Crypto Services. The EP11 library provides an interface similar to the industry-standard PKCS #11 application programming interface (API). For more information about the GREP11 API, see Introducing EP11 over gRPC and GREP11 API reference.
With the built-in encryption of Hyper Protect Crypto Services, you can build cloud applications that handle sensitive data. Hyper Protect Crypto Services gives you complete control of your data and encryption keys, including the master key. The service also helps your business meet regulatory compliance requirements with technology that gives you exclusive control over external and privileged-user access to data and keys.
How does Hyper Protect Crypto Services work?
For an architectural diagram of Hyper Protect Crypto Services, see Service architecture, workload isolation, and dependencies.
The following are a few highlights of the Hyper Protect Crypto Services architecture:
- Applications connect to Hyper Protect Crypto Services through the PKCS #11 API or the GREP11 API.
- A dedicated keystore in Hyper Protect Crypto Services ensures data isolation and security. Privileged users are locked out, which protects against misuse of system administrator or root credentials.
- Secure Service Container (SSC) provides the enterprise level of security and impregnability that enterprise customers expect from IBM LinuxONE technology.
- FIPS 140-2 Level 4 compliant cloud HSM is enabled for highest physical protection of secrets.
Key features
Hyper Protect Crypto Services provides both key management and cloud HSM functions:
Key management service
Key lifecycle management
Hyper Protect Crypto Services provides a single-tenant key management service that allows you to create, import, rotate, and manage keys with the standardized API. After an encryption key is deleted, you can be assured that the data encrypted under it is no longer retrievable.
Encryption for IBM Cloud data and workload services
By integrating with other IBM Cloud services, Hyper Protect Crypto Services lets you bring your own encryption to the cloud. The service provides double-layer protection for your cloud data: the consuming service encrypts your data with its own data encryption keys, and those keys are in turn wrapped by a root key that is held in Hyper Protect Crypto Services, so the data encryption keys are never stored in the clear.
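The following is an added example, not code from the Hyper Protect Crypto Services documentation or the service itself, that models the two-layer key hierarchy described above and the deletion behaviour described under Key lifecycle management. The `hsm` struct is a hypothetical in-process stand-in for the customer-controlled HSM: it holds root keys that never leave it and only wraps and unwraps data encryption keys (DEKs). The consuming service encrypts its data under a DEK and stores only the wrapped DEK beside the ciphertext. Rotating the root key re-wraps the DEK without touching the bulk data, and deleting the last root key that wraps a DEK makes the data unrecoverable. All key sizes, identifiers and the AES-GCM wrapping format are assumptions for illustration; the service's real wrap format is not shown on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// hsm is a constructed stand-in for the customer-controlled HSM: root keys live only
// inside it and are used solely to wrap and unwrap DEKs (hypothetical layout, not the service).
type hsm struct {
	rootKeys map[string][]byte // root key ID -> 32-byte AES key
}

// wrappedDEK is what a cloud service stores beside its ciphertext: never the DEK itself.
type wrappedDEK struct {
	RootKeyID string
	Blob      []byte // nonce || AES-GCM ciphertext of the DEK
}

func newHSM() *hsm { return &hsm{rootKeys: map[string][]byte{}} }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM under key and returns nonce || ciphertext.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to blob or aad fails authentication.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// CreateRootKey generates a root key inside the HSM; its bytes are never returned.
func (h *hsm) CreateRootKey(id string) error {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	h.rootKeys[id] = k
	return err
}

// DeleteRootKey forgets the root key; every DEK wrapped under it is now unrecoverable.
func (h *hsm) DeleteRootKey(id string) { delete(h.rootKeys, id) }

// Wrap encrypts a DEK under the named root key. The root key ID is bound as associated
// data, so a wrapped DEK cannot be presented against a different root key.
func (h *hsm) Wrap(rootID string, dek []byte) (*wrappedDEK, error) {
	root, ok := h.rootKeys[rootID]
	if !ok {
		return nil, errors.New("root key not found")
	}
	blob, err := aeadSeal(root, dek, []byte(rootID))
	if err != nil {
		return nil, err
	}
	return &wrappedDEK{RootKeyID: rootID, Blob: blob}, nil
}

// Unwrap returns the plaintext DEK, or an error once the root key has been deleted.
func (h *hsm) Unwrap(w *wrappedDEK) ([]byte, error) {
	root, ok := h.rootKeys[w.RootKeyID]
	if !ok {
		return nil, errors.New("root key not found: deleted or never existed")
	}
	return aeadOpen(root, w.Blob, []byte(w.RootKeyID))
}

// Rewrap rotates a DEK to a new root key without re-encrypting the bulk data.
func (h *hsm) Rewrap(w *wrappedDEK, newRootID string) (*wrappedDEK, error) {
	dek, err := h.Unwrap(w)
	if err != nil {
		return nil, err
	}
	return h.Wrap(newRootID, dek)
}
```

A consuming service would call `aeadSeal(dek, record, nil)` for its own data layer, store the returned blob together with the `wrappedDEK`, and discard the plaintext DEK; to read the record later it must first `Unwrap` the DEK, which succeeds only while the root key still exists in the HSM. Binding the root key ID as associated data is the detail worth copying: it turns a mismatched or relabelled wrapped key into an authentication failure rather than a silent wrong-key decrypt.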
Cloud hardware security module
Customer-controlled HSM
With Keep Your Own Key, Hyper Protect Crypto Services allows you to take ownership of the HSM by assigning your own administrators and loading your own master keys. This gives you full control of the entire key hierarchy, with no access even for IBM Cloud administrators.
Cryptographic operations
Hyper Protect Crypto Services supports the standard PKCS #11 API and the Enterprise PKCS #11 over gRPC (GREP11) API for cryptographic operations. The operations include generating keys, encrypting and decrypting data, signing data, and verifying signatures. The cryptographic functions are executed inside the HSMs and are accessed through these APIs, so your applications get hardware-based protection for their keys.
Security certification
The service is built on FIPS 140-2 Level 4-certified hardware, the highest security level that is offered in the industry. The HSM is also certified to meet the Common Criteria Part 3 conformant EAL 4.
Integration with Cloud Identity and Access Management and IBM Cloud Activity Tracker with LogDNA
Hyper Protect Crypto Services integrates with Cloud Identity and Access Management (IAM) to give you granular control over user access to service resources. You can also monitor and audit events and activities of Hyper Protect Crypto Services by using IBM Cloud Activity Tracker with LogDNA.
What's next
- To get an overall tutorial about using Hyper Protect Crypto Services, check out Getting started with IBM Cloud Hyper Protect Crypto Services.
- To find out more about programmatically managing your keys, check out the Hyper Protect Crypto Services key management API reference doc.
- To find out more about encrypting your data by using the cloud HSM function of Hyper Protect Crypto Services, check out the PKCS #11 API reference and GREP11 API reference.
- For more information about the compliance certificates that Hyper Protect Crypto Services receives, see Security and compliance.