Setting up BYOHSM

Before you begin

Before you can configure and deploy your on-premises HSMs, make sure that you complete the HSM purchase and initial setup based on your providers guidelines. Currently, Hyper Protect Crypto Services supports Thales HSM A7xx models only. For more information, see supported types of HSMs.

Creating partitions

To use your own HSMs for Hyper Protect Crypto Services, you need to create and initialize an application partition in each HSM. The application partition is used to store cryptographic objects and perform operations. Make sure that you set the same partition label and partition crypto officer password for the application partitions in all HSMs. The password is used by Hyper Protect Crypto Services as part of the PKCS #11 session API login process.

The Thales SafeNet Luna Network HSM uses two types of partitions:

• Administrative partition

  Each Luna Network HSM has only one administrative partition. It is created when you initialize the HSM. The administrative partition is used to set and change HSM-wide policies, create or destroy application partitions, update HSM firmware and capabilities, and so on.

• Application partition

  Each Luna Network HSM has at least one application partition. The application partition is used to perform cryptographic operations and store cryptographic objects for your applications. For multi-tenancy use cases, you can create multiple application partitions with each having its own security and access controls. For the A750 model, you can create up to five application partitions. If you need more application partitions, you need to purchase extra partition licenses.

For more information about partitions, see the Partition Administration Guide.

Creating keys

To use your own HSMs for Hyper Protect Crypto Services, you need to create the following keys on your HSMs and store them as persistent token objects in the partition memory. Make sure to set a label for each key. You need to provide the labels to IBM when you provision an instance afterward.

You need to set some specific parameters when you create these keys. Contact IBM for details by creating a support case.

You can use some tools to create these keys. Consult with Thales technical support to find a secure way to create these keys based on your organization's security policy and compliance requirements.

Network connectivity best practice

For a better network performance when you connect on-premises HSMs to Hyper Protect Crypto Services, you can refer to the following best practice:

• Use IBM Cloud Direct Link Connect to quickly establish and deliver private connectivity to IBM Cloud infrastructure. For more information, see Ordering IBM Cloud Direct Link Connect.

• Use IBM Cloud Transit Gateway to connect your on-premises network that uses Direct Link to your IBM Cloud networks. For more information, see Getting started with IBM Cloud Transit Gateway.

• Use 10 GB links for cryptographic traffic between Hyper Protect Crypto Services and your HSMs.

• Use a bond of 2 GB links for management and administration traffic. Note that bonding provides standby fault tolerance reliability, but does not provide load balancing.

  Hyper Protect Crypto Services requires a TCP connectivity to HSM on port 1792 for NTLS protocol. To check the connectivity, issue the following netcat command:

  nc -vz <HSM-ip-addr> 1792
  

  Where HSM-ip-addr is the IP address of your HSM.

Preparing information for HSM connection

Before you can provision a Hyper Protect Crypto Services instance, you need to prepare the following information:

To provision an instance with BYOHSM, you need to contact IBM to add your account to the allowlist and provide this information for all HSMs that you want to use for Hyper Protect Crypto Services.

What's next

After you collect all the information needed and set up the network connectivity, you can contact IBM and provision a Hyper Protect Crypto Services instance with Bring Your Own HSM.