Managing your keys with BYOHSM in IBM Cloud Hyper Protect Crypto Services
IBM Cloud® Hyper Protect Crypto Services is a dedicated key management service based on IBM Cloud. With the Bring Your Own HSM (BYOHSM) function in Hyper Protect Crypto Services, you can use your own on-premises HSMs to generate encryption keys instead of using IBM-provided cloud HSMs, while still leveraging the single-tenant cloud key management service provided by Hyper Protect Crypto Services.
The Bring Your Own HSM (BYOHSM) function is available only in the Standard Plan service instances in the VPC-based regions. For the VPC region list, see Regions and locations.
BYOHSM extends your local key management capability to the cloud and creates a scalable, unified, and secure hybrid cloud ecosystem for your regulated workloads. By connecting your own HSMs to Hyper Protect Crypto Services, you have complete physical control over your keys to meet the data sovereignty regulations.
Objectives
This tutorial shows you the basic steps to manage keys with BYOHSM in Hyper Protect Crypto Services.
Before you begin
To use the BYOHSM function of Hyper Protect Crypto Services, make sure that you have a Pay-As-You-Go or Subscription IBM Cloud account. For details about the IBM Cloud account types, see Account types.
- To check your account type, log in to IBM Cloud and click Management > Account > Account settings.
- If you have a Lite account, make sure to upgrade your account to a Pay-As-You-Go or Subscription account.
Task flow
Get started with BYOHSM by completing the following steps:
- Before you begin
- Step 1: Purchase and set up your on-premises HSMs
- Step 2: Configure and deploy your HSMs to work with Hyper Protect Crypto Services
- Step 3: Contact IBM to get the required information
- Step 4: Provision a Hyper Protect Crypto Services instance with BYOHSM
- Step 5: Use your Hyper Protect Crypto Services instance with BYOHSM
Purchase and set up your on-premises HSMs
If you don't have an HSM for your enterprise, purchase one to connect to your Hyper Protect Crypto Services instance and enable the BYOHSM function. Currently, only Thales SafeNet Luna Network A730 and A750 model HSMs are supported. For more information, see supported types of HSMs. Make sure that you complete the initial setup based on your provider's guidelines.
To achieve high availability, prepare and use at least two HSMs.
Configure and deploy your HSMs to work with Hyper Protect Crypto Services
- Create an application partition in each HSM to store cryptographic objects and perform operations. For more information, see Creating partitions.
- Create the following keys that are needed to establish a secure HSM connection. For more information, see Creating keys.

  Table 1. Keys needed for Bring Your Own HSM
  Key type | Description
  Master Key Encryption Key (MKEK), 256-bit AES key | A root-level encryption key for wrapping and unwrapping instance keys in Hyper Protect Crypto Services.
  Signing key (SKEY), 256-bit AES key | Used for signing and verification of instance keys and user keys in Hyper Protect Crypto Services.
  Import Key (IKEY), 192-bit DES3 key | Used to encrypt and decrypt the key materials to be imported into Hyper Protect Crypto Services.
  Transit Key Encryption Keys (TKEKs), 10 pairs of RSA asymmetric keys | Used to securely import your own keys into Hyper Protect Crypto Services.

- Prepare the network to connect the on-premises HSMs to your Hyper Protect Crypto Services instance. For more information about how to achieve better network performance, see Network connectivity best practice.
- Collect the following information that you need to provide when you contact IBM in Step 3.

  Table 2. Information needed for Bring Your Own HSM
  Attribute | Description
  HSM IP address | The IP address of your HSM.
  HSM server certificate | The NTLS communications that are used by the Thales HSM require certificate exchanges between the HSM and Hyper Protect Crypto Services. You need to create a TLS certificate on your HSM and provide the certificate for Hyper Protect Crypto Services to verify communications from the HSM.
  Partition label | The name of the application partition that you create for Hyper Protect Crypto Services to use.
  Partition crypto officer password | The credential for Hyper Protect Crypto Services to log in to the corresponding application partition to perform key operations.
  Master key label | The label or name of the Master Key Encryption Key (MKEK). The label is used by Hyper Protect Crypto Services to refer to the master key in PKCS #11 API calls.
  Signing key label | The label or name of the Signing key (SKEY). It is used for data authentication such as data signing and verification.
  Import key label | The label or name of the Import key (IKEY). Hyper Protect Crypto Services uses this key to encrypt or decrypt key materials to be imported.
  Transit Key Encryption Key label prefix | The label prefix of the Transit Key Encryption Keys that are used for securely importing your own keys.
Contact IBM to get the required information
Contact IBM by creating a support case to get the required information. Provide the information that you collected in Step 2, including the subnets where your HSMs can be reached. Each subnet corresponds to one Availability Zone (AZ).
IBM will then provide you with the following information:
- Your unique HSM connector ID. You need to provide the ID when you provision an instance in Step 4.
- The VPC CRN. In your Transit Gateway configuration, you need to request a connection to the VPC CRN.
- The HSM client certificate. You need to install this certificate on your HSMs to ensure that the communications from Hyper Protect Crypto Services can be verified.
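Before you open the support case, it is worth checking that the Table 2 attributes and the per-AZ subnets you collected in Step 2 are consistent with each other. The following script is an added example, not an IBM tool; the record layout, the sample values and the placeholder certificate bytes are constructed here. It checks that each HSM IP address lies inside one of the subnets you will declare, that the server certificate is a single PEM block (and records its SHA-256 fingerprint so you can later confirm the HSM still presents the same certificate), and that the key labels are present and distinct. The partition crypto officer password is deliberately kept out of the record so that nothing written to disk or pasted into a case contains the credential.

```python
import base64
import hashlib
import ipaddress

# Constructed sample of the Table 2 attributes for one HSM (placeholder values).
# The partition crypto officer password is intentionally not part of this record.
SAMPLE_HSM = {
    "hsm_ip": "10.10.1.25",
    "server_cert_pem": "-----BEGIN CERTIFICATE-----\n"
        + base64.b64encode(b"constructed placeholder DER bytes").decode()
        + "\n-----END CERTIFICATE-----\n",
    "partition_label": "hpcs-part-az1",
    "mkek_label": "MKEK",
    "skey_label": "SKEY",
    "ikey_label": "IKEY",
    "tkek_label_prefix": "TKEK",
}
# Constructed subnets, one per Availability Zone, as submitted in the support case.
SAMPLE_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24"]

def pem_fingerprint_sha256(pem: str) -> str:
    """Return the hex SHA-256 fingerprint of the DER bytes inside one PEM CERTIFICATE block."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("server certificate must be a single PEM CERTIFICATE block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return hashlib.sha256(der).hexdigest()

def validate_hsm_record(rec: dict, subnets: list) -> list:
    """Return the problems found; an empty list means the record is ready for the support case."""
    problems = []
    ip = None
    try:
        ip = ipaddress.ip_address(rec.get("hsm_ip", ""))
    except ValueError:
        problems.append(f"hsm_ip {rec.get('hsm_ip')!r} is not a valid IP address")
    # strict=True rejects a subnet with host bits set, e.g. 10.10.1.25/24.
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if ip is not None and not any(ip in n for n in nets):
        problems.append(f"hsm_ip {ip} is not inside any declared subnet {subnets}")
    try:
        pem_fingerprint_sha256(rec.get("server_cert_pem", ""))
    except (ValueError, IndexError) as exc:
        problems.append(f"server_cert_pem: {exc}")
    for name in ("partition_label", "mkek_label", "skey_label", "ikey_label", "tkek_label_prefix"):
        if not str(rec.get(name, "")).strip():
            problems.append(f"{name} is empty")
    # MKEK, SKEY and IKEY are separate objects; reusing a label makes PKCS #11 lookups ambiguous.
    key_labels = [rec.get(k) for k in ("mkek_label", "skey_label", "ikey_label")]
    if len(set(key_labels)) != len(key_labels):
        problems.append("mkek_label, skey_label and ikey_label must be distinct")
    return problems
```

Run `validate_hsm_record` once per HSM against the full subnet list; a non-empty result is what to fix before the case goes to IBM.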
Provision a Hyper Protect Crypto Services instance with BYOHSM
Provision a Hyper Protect Crypto Services instance on the service catalog page with the following field values:
- Under Select a pricing plan, select Standard.
- Under Select a location, select a VPC-based region. For the VPC region list, see Regions and locations.
- Under HSM connection, select Bring Your Own HSM.
- Under HSM connector ID, enter the HSM connector ID that you get from IBM. This field is displayed only after you select Bring Your Own HSM for the HSM connection field.
For more information, see Provisioning a Hyper Protect Crypto Services instance with BYOHSM.
Use your Hyper Protect Crypto Services instance with BYOHSM
After you create an instance with the BYOHSM function enabled, you can use your own HSMs for key generation and management. For more information, see the following links:
What's next
To learn more about BYOHSM, see Introducing Bring Your Own HSM.