Prerequisites for the Direct Link Dedicated MACsec feature

Before you can enable and configure MACsec on IBM Cloud Direct Link Dedicated, there are several tasks that need to be completed. These prerequisites ensure that your network is properly prepared for secure communication over a dedicated Ethernet connection.

Verifying MACsec device readiness

Ensure that your MACsec-capable device is properly configured and supports the required encryption standards (such as AES) for your network setup. Verify that the device has the necessary hardware and software support for MACsec, and ensure that its ports or interfaces are configured to enable encryption.

Work with your network provider to select the appropriate data center or Point of Presence (PoP) and confirm that the necessary infrastructure and network connections are in place to support MACsec. Also, ensure that a key management system is in place for secure key exchange, and assess the performance impact to ensure that the device can handle encryption without affecting network speed.

Preparing for key exchange with Secrets Manager

Configure a Secrets Manager instance on IBM Cloud to manage the encryption keys and ensure that your device is ready for secure key exchange. To do so, follow these steps:

Make sure that you have met the following prerequisites:

  • You have an active Direct Link Dedicated connection with MACsec enabled.
  • You have access to an IBM Cloud Secrets Manager instance. For instructions, see Create a Secrets Manager service instance.
  • You have the necessary IAM permissions to manage secrets in Secrets Manager and configure Direct Link.
  • CAK material must meet MACsec requirements for length and format, as specified in MACsec prerequisites and limitations.

To prepare for key exchange with Secrets Manager, follow these steps:

  1. Create a new secret in Secrets Manager:

    1. Open your Secrets Manager instance in the IBM Cloud console and click Add secret.
    2. Select Arbitrary secret as the secret type.
    3. Enter a descriptive name for your MACsec key (for example, directlink-macsec-cak).
    4. Paste or upload the CAK material in the Secret value field, then click Add to store the secret.
  2. Configure IAM access for Direct Link:

    1. Make sure that the Direct Link service has the necessary IAM role to read secrets from Secrets Manager.
    2. Assign a Reader or custom role to the Direct Link service ID, scoped to the Secrets Manager instance containing the CAK.
  3. Prepare Direct Link for MACsec key exchange:

    1. Navigate to your Direct Link Dedicated connection in the IBM Cloud console and select MACsec configuration.

    2. In the Connectivity Association Key (CAK) section, select Retrieve from Secrets Manager.

    3. Select the previously created secret containing your CAK.

      Confirm that the secret value meets MACsec format requirements, as specified in MACsec prerequisites and limitations.

    4. Click Save or Apply configuration to complete the key exchange preparation.

      Direct Link retrieves the CAK material from Secrets Manager and uses it to configure MACsec for your connection.

  4. After saving the CAK secret, verify MACsec configuration:

    1. Confirm that the MACsec status shows Active in the Direct Link dashboard.
    2. Check that the connection status and encryption statistics indicate successful key exchange.

You should grant access to all keys in the Secrets Manager instance; otherwise, you must grant a new service-to-service authorization each time that you want to use a different key for Direct Link Dedicated with MACsec. As long as a key is in use by your gateway, it shouldn’t be deleted and the service-to-service authorization must not be revoked.

Preparing for key exchange with HPCS

Configure an HPCS instance on IBM Cloud to manage the encryption keys and ensure that your device is ready for secure key exchange. To do so, follow these steps:

  1. Create a Hyper Protect Crypto Services (HPCS) instance on the standard plan with the Keep Your Own Key capability. For more information, see Provisioning service instances.

  2. Initialize the HPCS instance and load the master keys. (A master key is an encryption key that is used to protect a crypto unit. The master key provides full control of the hardware security module and ownership of the root of trust that encrypts the chain keys, including the root key and standard key.)

    For example, if you choose to use the IBM Cloud Trusted Key Entry (TKE) CLI, here are some basic steps:

  3. After initializing the HPCS instance, add standard keys (using the Import a key option) for any keys that you want to use with MACsec; for example, add a standard key for the primary CAK. Optionally, it is a good idea to configure MACsec with a fallback CAK. To do this, you must add a fallback key to the HPCS instance as well. To add a key, see Hyper Protect Crypto Services catalog page. For instructions, see Getting started with IBM Cloud Hyper Protect Crypto Services.

    The key material that you choose must follow specific MACsec conventions. The key material must be a 64-character hexadecimal string. If you have only 32 hexadecimal characters, append trailing zeros to make up the 64-character length. To import the key material into the HPCS instance, it must be base64-encoded.

    This HPCS key is used as the CAK value. When configuring MACsec, you are asked for a CAK name to pair with this key. The same key value pair must be configured on the MACsec keystore on the customer device.

    You must configure the same name and key octet string (value) on your switch. Otherwise, the MACsec key negotiation fails.

  4. After creating keys for Direct Link, you must use IBM Cloud Identity and Access Management (IAM) to grant authorization between your Secrets Manager or HPCS instance and the Direct Link service. For instructions, see Using authorizations to grant access between services. The Direct Link service will never access any key besides those used for the MACsec feature.

    Due to known limitations, you must grant access at the HPCS instance level, which grants the Direct Link service access to all the keys inside that instance.

    You should grant access to all keys in the HPCS instance; otherwise, you must grant a new service-to-service authorization each time that you want to use a different key for Direct Link Dedicated with MACsec. As long as a key is in use by your gateway, it shouldn’t be deleted and the service-to-service authorization must not be revoked.
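The key-material rules in step 3 of the HPCS procedure (a 64-character hexadecimal string, a 32-character string padded with trailing zeros, base64 encoding before import) are easy to get wrong by hand, and a malformed CAK only shows up later as a failed MKA negotiation. The following Python script is an added example, not IBM code, that validates and normalizes CAK material before it is imported. It assumes that the importer expects the base64 encoding of the ASCII hexadecimal text (rather than of the decoded 32 raw bytes); confirm that detail against the HPCS import documentation for your plan. The sample CAK value is constructed for illustration only.

```python
import base64
import re

# Per the page: the CAK is a 64-character hex string; 32 characters may be
# padded with trailing zeros. Anything else is rejected here.
FULL_HEX_LENGTH = 64
SHORT_HEX_LENGTH = 32
_HEX_RE = re.compile(r"^[0-9a-f]+$")


def is_valid_cak_hex(material: str) -> bool:
    """Return True if the material is hex of an accepted length (32 or 64 chars)."""
    value = material.strip().lower()
    return bool(_HEX_RE.match(value)) and len(value) in (SHORT_HEX_LENGTH, FULL_HEX_LENGTH)


def normalize_cak_hex(material: str) -> str:
    """Lowercase the material and pad a 32-char value with trailing zeros to 64 chars.

    Raises ValueError for non-hex input or unsupported lengths, so a bad key is
    caught before it reaches the HPCS instance or the customer switch.
    """
    value = material.strip().lower()
    if not _HEX_RE.match(value):
        raise ValueError("CAK material must contain only hexadecimal characters")
    if len(value) == SHORT_HEX_LENGTH:
        value = value + "0" * (FULL_HEX_LENGTH - SHORT_HEX_LENGTH)
    if len(value) != FULL_HEX_LENGTH:
        raise ValueError(f"CAK material must be {SHORT_HEX_LENGTH} or {FULL_HEX_LENGTH} hex characters")
    return value


def hpcs_import_payload(material: str) -> str:
    """Build the base64 payload for the HPCS 'Import a key' step.

    Assumption (not stated on the page): the importer wants the base64 of the
    ASCII hex text, so the decoded payload is the 64-char string configured on
    the switch as the CAK octet string.
    """
    normalized = normalize_cak_hex(material)
    return base64.b64encode(normalized.encode("ascii")).decode("ascii")


def decode_import_payload(payload: str) -> str:
    """Reverse hpcs_import_payload, useful for checking what was actually stored."""
    return base64.b64decode(payload).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a 32-character CAK that needs padding to 64.
    sample_cak = "00112233445566778899aabbccddeeff"
    print("normalized CAK :", normalize_cak_hex(sample_cak))
    print("import payload :", hpcs_import_payload(sample_cak))
```

Run the script once per key (primary and fallback CAK) and configure the printed normalized value, paired with the same CAK name, on the customer device; the name/value pair must match on both sides or negotiation fails.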