IBM Cloud Docs
Creating vaults

In Hyper Protect Crypto Services, a vault groups the key templates, keys, and keystores that a set of users needs under a single set of Cloud Identity and Access Management (IAM) access permissions. You can create vaults in Unified Key Orchestrator with the UI, or programmatically with the Unified Key Orchestrator API.

As a Vault Administrator, you can bundle the key templates, keys, and keystores in your Hyper Protect Crypto Services instance into groups called vaults. A vault is a collection of key templates, keys, internal keystores, and external keystores that require the same IAM access permissions. For example, if a group of team members needs a particular type of access to a specific set of key templates, keys, and keystores, you can create a vault and assign the appropriate IAM access policy to that user group. The users who are granted access to the vault can then create and manage the resources that exist within it.

Vaults are also useful where one business unit must have access to a set of key templates, keys, and keystores that another business unit must not. An account administrator can create a vault for each business unit and assign the appropriate level of access to the appropriate users. If the account administrator wants to delegate management of a specific vault to someone else, they can assign that user the Vault Administrator role. The delegated administrator can then manage the vault and grant access to the appropriate users.

Before you create a vault for your Hyper Protect Crypto Services instance, keep the following considerations in mind:

  • Vaults can hold key templates, KMS keys, and keystores. Enterprise PKCS #11 (EP11) keys and keystores are not supported and do not belong to any vault.

    There is no limit on how many keys can exist within a vault.

  • A key template, a key, or a keystore can belong to only one vault at a time.

    You must specify the vault when you create a key template, a managed key, or a keystore; the resource cannot be created without one.

  • You cannot create a vault while a master key rotation is in progress. Create the vault after the master key rotation process completes.

For more information about granting access, see Granting access to vaults.

Creating vaults with the UI

To create a vault by using the UI, complete the following steps through the Vaults page. Optionally, you can create a vault when you create a key template, create a managed key, or add a keystore.

  1. Log in to the Hyper Protect Crypto Services instance.

  2. Click Vaults from the navigation to view all the available vaults.

  3. To create a vault, click Create vault.

  4. Enter a name in Vault name. Optionally, you can add an extended description to your vault in the Description section.

    The vault name must be 1 to 100 characters long. The characters can be letters (case-sensitive), digits (0-9), or the symbols #@!$%'_-.

  5. Click Create vault to confirm.

You have successfully created a vault.

Creating vaults through the API

To create a vault through the API, follow these steps:

  1. Retrieve your service and authentication credentials to work with vaults in the service.

  2. Create a vault by making a POST call to the following endpoint.

    https://uko.<region>.hs-crypto.cloud.ibm.com:<port>/api/v4/vaults
    

    For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.
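The two API steps above carried out end to end, as an added example that is not IBM's own code: it exchanges an IBM Cloud API key for an IAM bearer token, checks the vault name against the rule stated in the UI section before anything leaves the host, and POSTs to the vaults endpoint. The region and port values, the request body shape ({"name", "description"}) and the "id" field in the response are assumptions based on the general shape of the Unified Key Orchestrator API; confirm them against the API reference. The name rule is applied to ASCII letters only, which is also an assumption.

```python
"""Create a Unified Key Orchestrator vault through the API.

Added example for this page, not IBM's client code. Assumptions are
marked in comments: endpoint region/port, the JSON body shape and the
"id" field in the response come from the API reference, not this page.
"""
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"

# Vault-name rule from the page: 1 to 100 characters drawn from
# letters (ASCII assumed), digits 0-9, or the symbols #@!$%'_-
VAULT_NAME_RE = re.compile(r"[A-Za-z0-9#@!$%'_\-]{1,100}")


def validate_vault_name(name: str) -> bool:
    """Return True if `name` satisfies the documented vault-name rule."""
    return VAULT_NAME_RE.fullmatch(name) is not None


def vaults_url(region: str, port: int) -> str:
    """Build the endpoint from the page's URL template."""
    return f"https://uko.{region}.hs-crypto.cloud.ibm.com:{port}/api/v4/vaults"


def build_create_request(region: str, port: int, token: str,
                         name: str, description: str = "") -> urllib.request.Request:
    """Build the POST request; rejects a bad name before any network I/O."""
    if not validate_vault_name(name):
        raise ValueError(f"invalid vault name: {name!r}")
    # Body shape is an assumption taken from the UKO API reference.
    body = json.dumps({"name": name, "description": description}).encode()
    return urllib.request.Request(
        vaults_url(region, port),
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def get_iam_token(api_key: str) -> str:
    """Exchange an IBM Cloud API key for a short-lived IAM bearer token."""
    data = urllib.parse.urlencode({
        "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
        "apikey": api_key,
    }).encode()
    req = urllib.request.Request(
        IAM_TOKEN_URL, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def create_vault(region: str, port: int, api_key: str,
                 name: str, description: str = "") -> dict:
    """Create the vault and return the service's JSON response."""
    req = build_create_request(region, port, get_iam_token(api_key), name, description)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Surface the service's error body rather than only the status code.
        raise RuntimeError(f"vault creation failed: HTTP {err.code}: "
                           f"{err.read().decode(errors='replace')}") from err


if __name__ == "__main__":
    # Secrets and instance details come from the environment, never from source.
    vault = create_vault(
        region=os.environ["UKO_REGION"],      # value from the instance overview (assumption)
        port=int(os.environ["UKO_PORT"]),
        api_key=os.environ["IBMCLOUD_API_KEY"],
        name="payments-team-vault",
        description="Keys and keystores for the payments team",
    )
    print(vault.get("id"), vault.get("name"))  # "id" field is an assumption
```

Validating the name locally mirrors the UI check and turns a malformed name into a clear error before a bearer token is ever sent; the IAM token is fetched per run and never written to disk.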

What's next