A dedicated key management service and Hardware Security Module (HSM) provides you with the Keep Your Own Key capability for cloud data encryption. Built on FIPS 140-2 Level 4 certified hardware, Hyper Protect Crypto Services provides you with exclusive control of your encryption keys. With Unified Key Orchestrator, you can connect your service instance to keystores in IBM Cloud and third-party cloud providers, back up and manage keys using a unified system, and orchestrate keys across multiple clouds.

Hyper Protect Crypto Services provides a single-tenant key management service that allows you to create, import, rotate, and manage keys with standardized APIs. Once the encryption keys are deleted, you can be assured that your data is no longer retrievable.

By integrating with other IBM Cloud services, Hyper Protect Crypto Services offers the capability of bringing your own encryption to the cloud. The service provides double-layer protection for your cloud data by wrapping the encryption keys associated with your cloud services.

Hyper Protect Crypto Services integrates with IBM Cloud Identity and Access Management (IAM) to enable your granular control over user access to service resources. You can also monitor activities of Hyper Protect Crypto Services using IBM Cloud Activity Tracker with LogDNA service.

With Keep Your Own Key, Hyper Protect Crypto Services allows you to take the ownership of the HSM through assigning your own administrators and loading master keys. This ensures your full control of the entire key hierarchy where no IBM Cloud administrators have access to your keys.

Hyper Protect Crypto Services supports Enterprise PKCS #11 for cryptographic operations. This includes generating keys, encrypting and decrypting data, signing data, and verifying signatures. The cryptographic functions are executed in HSMs and can be accessed through APIs to provide hardware-based protection for your applications.

The service is built on FIPS 140-2 Level 4-certified hardware, the highest offered by any cloud provider in the industry. The HSM is also certified to meet the Common Criteria Part 3 conformant EAL 4.

Unified Key Orchestrator provides key lifecycle management according to NIST recommendations and secure transfer of keys to internal keystores in the service instance or external keystores. You can push your keys to third-party cloud keystores, such as Azure Key Vault, AWS Key Management Service (KMS), Google Cloud KMS, or IBM Key Protect for IBM Cloud, distribute keys across keystores, and manage keys and keystores through both the UI and REST API.

Unified Key Orchestrator enables you to back up all keys in IBM Cloud. You can redistribute keys through your Hyper Protect Crypto Services instance to quickly recover from fatal cloud errors. And at the same time, you own the root trust of your key hierarchy.

You can orchestrate keys through a single and unified user experience across multiple clouds with an auditable key lifecycle orchestration mechanism.