IBM Cloud®
FAQs: IBM Cloud Hardware Security Module
The IBM Cloud® HSM offering provides dedicated, single-tenant encryption, key management, and storage "as a service" using Hardware Security Modules (HSMs).
What is a Hardware Security Module (HSM)?
An HSM is hardware that processes cryptographic operations and does not allow encryption keys to leave the secure cryptographic environment. Data that is shared, stored, or in motion is encrypted at its point of creation, and you can run and maintain your own data protection policies in the cloud.
What Hardware Security Module does IBM Cloud rely on?
IBM® uses Thales SafeNet Luna Network HSM technology for the IBM Cloud® HSM 7.0 offering. This solution gives you access to IBM Cloud® data centers around the world, which you can use to solve compliance and data sovereignty challenges.
Which version of IBM Cloud Hardware Security Module do I need to order?
In most cases, you need to order the newest version of an HSM. With older versions, you might have compatibility issues with high availability if you have older HSMs. If you already have older versions, contact support to determine which version is right for you.
Can I migrate my existing Hardware Security Module to a new version?
You can't migrate your HSM. Instead, cancel your existing HSM from the Devices menu, and order a new version.
Is IBM Cloud Hardware Security Module FIPS certified?
Yes, IBM Cloud HSM 7.0 is FIPS 140-2 Level 3 certified, and is designed to make sure that you receive a reliable and secure solution for the management of cryptographic assets.
What use cases can I address with IBM Cloud Hardware Security Module?
You can use IBM Cloud® HSM to support Public Key Infrastructure (PKI), code signing, database encryption, document signing, Digital Rights Management (DRM), authentication and authorization, and transaction processing.
How many partitions does my IBM Cloud Hardware Security Module support?
IBM Cloud HSM 7.0 supports up to 10 partitions.
How many keys can I store with IBM Cloud Hardware Security Module 7.0?
Key capacity is calculated by creating one partition and creating keys until the partition is full. All numbers are approximate. Capacity varies depending on specific key attributes set in the key generation template and the number of partitions.

RSA key size | Private keys | Key pairs |
---|---|---|
RSA-2048 | 12,000 | 9,500 |
RSA-4096 | 6,500 | 5,200 |
RSA-8192 | 3,300 | 2,700 |

ECDSA key size | Private keys | Key pairs |
---|---|---|
P-256 | 63,000 | 37,500 |
P-384 | 58,000 | 33,000 |
P-521 | 48,000 | 27,000 |
BrainpoolP512r1 | 48,000 | 27,000 |

Symmetric key size | Keys |
---|---|
AES128 | 126,000 |
AES256 | 112,000 |
DES | 140,000 |
3DES | 123,000 |

How can I determine my IBM Cloud Hardware Security Module version?
Use the following steps to determine your HSM version.
- From the IBM Cloud console, go to your Resource list.
- From your Resource list, click Devices.
- Under Server details, the model type is listed as Luna Network HSM-SA7000 or Luna Network HSM-A750.
Can I configure high availability for my IBM Cloud Hardware Security Module?
Yes. To configure high availability across partitions of the IBM Cloud HSM by using secrets, see the Installation Guide for your HSM version. You can find the appropriate Installation Guide from the My Products page on the Thales Support Portal. A login for the Thales Support Portal is required.
How can I back up my IBM Cloud Hardware Security Module configuration?
To back up your IBM Cloud HSM configuration, see the Appliance Administration Guide for your HSM version. You can find the appropriate Appliance Administration Guide from the My Products page on the Thales Portal.