Hyper Protect Crypto Services

Keep Your Own Key for cloud data encryption with a dedicated key management service built on FIPS 140-2 Level 4 certified HSM.

  • Date of last update: 07/24/2024
  • Service
  • IBM
  • 07/24/2024
  • Security
  • Financial Services Validated
  • IAM-enabled
  • Washington DC (us-east)
  • Dallas (us-south)
  • Madrid (eu-es)
  • Sao Paulo (br-sao)
  • Toronto (ca-tor)
  • Frankfurt (eu-de)
  • London (eu-gb)
  • Tokyo (jp-tok)

Pricing plans

Prices shown are for country or location: United States
Plan: Unified Key Orchestrator
Features and capabilities:
  • Keep your own keys in IBM Cloud and use them for multicloud encryption
  • New experience with optional key management across cloud environments
Pricing: Multi-Tiered
Financial Services Validated

To separate access to your key management service keys, you can create keys in separate vaults. Vaults are secure repositories for your cryptographic keys and keystores. A managed key or keystore can only be in one vault at a time. A managed key can only be used for encryption and decryption when it is installed in at least one keystore. You can install a managed key in multiple keystores, internal or external, even across clouds such as Azure, AWS, and Google Cloud Platform. You manage the lifecycle of the managed key from the vault. When you make changes to the managed key, the vault keeps all its installed keys in sync. You can have up to 5 free internal keystores and 1 free external keystore. The Unified Key Orchestrator hourly base price is applied as soon as you connect to an external keystore for the service instance.

$5.15 USD/Unified Key Orchestrator Hour
$2.1939 USD/Crypto Unit Hour

External keystore pricing tiers:
  • 1 - 15: $72.10 USD/External Keystore
  • 16 - 40: $46.35 USD/External Keystore
  • 41 - 110: $36.05 USD/External Keystore
  • 110+: $25.75 USD/External Keystore

Internal keystore pricing tiers:
  • 1 - 15: $231.75 USD/Internal Keystore
  • 16 - 40: $216.30 USD/Internal Keystore
  • 41 - 110: $195.70 USD/Internal Keystore
  • 110+: $133.90 USD/Internal Keystore

Plan: Standard
Features and capabilities:
  • Keep your own keys
  • Scalable performance with additional units
Pricing: Multi-Tiered
Financial Services Validated

Summary

A dedicated key management service and Hardware Security Module (HSM) provides you with the Keep Your Own Key capability for cloud data encryption. Built on FIPS 140-2 Level 4 certified hardware, Hyper Protect Crypto Services provides you with exclusive control of your encryption keys. With Unified Key Orchestrator, you can connect your service instance to keystores in IBM Cloud and third-party cloud providers, back up and manage keys using a unified system, and orchestrate keys across multiple clouds.

Features and capabilities

1. Key Management
Key lifecycle management

Hyper Protect Crypto Services provides a single-tenant key management service that allows you to create, import, rotate, and manage keys with standardized APIs. Once the encryption keys are deleted, you can be assured that your data is no longer retrievable.

Encryption for IBM Cloud services

By integrating with other IBM Cloud services, Hyper Protect Crypto Services offers the capability of bringing your own encryption to the cloud. The service provides double-layer protection for your cloud data by wrapping the encryption keys associated with your cloud services.

Access management and auditing

Hyper Protect Crypto Services integrates with IBM Cloud Identity and Access Management (IAM) to give you granular control over user access to service resources. You can also monitor Hyper Protect Crypto Services activity by using the IBM Cloud Activity Tracker with LogDNA service.

2. Cloud HSM
Customer-controlled HSM

With Keep Your Own Key, Hyper Protect Crypto Services allows you to take ownership of the HSM by assigning your own administrators and loading master keys. This ensures your full control of the entire key hierarchy, where no IBM Cloud administrators have access to your keys.

Cryptographic operations

Hyper Protect Crypto Services supports Enterprise PKCS #11 for cryptographic operations. This includes generating keys, encrypting and decrypting data, signing data, and verifying signatures. The cryptographic functions are executed in HSMs and can be accessed through APIs to provide hardware-based protection for your applications.

Security certification

The service is built on FIPS 140-2 Level 4 certified hardware, the highest level offered by any cloud provider in the industry. The HSM is also certified as Common Criteria Part 3 conformant at EAL 4.

3. Unified Key Orchestrator
Connection to external keystores

Unified Key Orchestrator provides key lifecycle management according to NIST recommendations and secure transfer of keys to internal keystores in the service instance or external keystores. You can push your keys to third-party cloud keystores, such as Azure Key Vault, AWS Key Management Service (KMS), Google Cloud KMS, or IBM Key Protect for IBM Cloud, distribute keys across keystores, and manage keys and keystores through both the UI and REST API.

Unified key backup and management system

Unified Key Orchestrator enables you to back up all keys in IBM Cloud. You can redistribute keys through your Hyper Protect Crypto Services instance to quickly recover from fatal cloud errors. At the same time, you own the root of trust of your key hierarchy.

Key orchestration across multiple clouds

You can orchestrate keys through a single and unified user experience across multiple clouds with an auditable key lifecycle orchestration mechanism.

Compliance: GDPR, HIPAA, ISO 27001/27017/27018, SOC 2 Type 1, IRAP, IBM Cloud for Financial Services

Getting support


If you're experiencing issues with this product, go to the IBM Cloud Support Center and navigate to creating a case. Use the All products option to search for this product to continue creating the case or to find more information about getting support. Third party and community supported products might direct you to a support process outside of IBM Cloud.
