Enabling crypto mechanisms

After some crypto features and mechanisms are enabled in IBM Cloud® Hyper Protect Crypto Services, you, as a crypto unit administrator, might need to manually enable them in your Hyper Protect Crypto Services instance before you can start using these features and mechanisms.

HSM firmware is updated in the supported IBM Cloud regions to enable the following features. If your service instance is provisioned after the HSM firmware updates are deployed in the corresponding region, this feature is enabled by default. However, for any existing service instance, where the master key is set up before the HSM firmware update is rolled out, you need to enable the features manually as needed.

Enabling BIP32 deterministic wallets

A Bitcoin Improvement Proposal (BIP) describes a feature for bitcoin, and the processes or environment. The BIP 0032 (BIP32) standard is used for hierarchical deterministic wallets to define how to derive private and public keys of a wallet.

To enable BIP32, follow these steps:

Step 1: Verify the BIP32 enablement

To check whether the BIP32 feature is already enabled in your service instance, perform the following steps:

Before you perform the steps, make sure you have provisioned a service instance and initialized the service instance with either the Trusted Key Entry (TKE) command-line interface (CLI) plug-in or the Management Utilities.

In the CLI, update the TKE CLI plug-in to the latest version with the following command:
```
ibmcloud plugin update tke
```
To check whether the BIP32 feature is enabled, run the following command:
```
ibmcloud tke cryptounit-compare
```
The following output is an example of what is to be displayed. If the BIP32 feature is enabled, the XCP_CPB_BTC column is specified as Set in the CONTROL POINTS section:
```
CONTROL POINTS
SERVICE INSTANCE: f410ea28-691a-4708-a580-1f813e0a6d31
CRYPTO UNIT NUM   XCP_CPB_BTC
1                 Set
2                 Set
```
If Not Set is displayed, perform the following steps to manually enable the BIP32 feature.

Step 2: Enable BIP32 manually

To enable BIP32 for your service instance, follow these steps:

Check and make sure all crypto units in your service instance are selected with the following command:

ibmcloud tke cryptounits

The following output is an example of what is to be displayed. All selected crypto units are marked true in the SELECTED column:

SERVICE INSTANCE: 482cf2ce-a06c-4265-9819-0b4acf54f2ba
CRYPTO UNIT NUM   SELECTED   LOCATION
1                 true       [us-south].[AZ3-CS3].[02].[03]
2                 true       [us-south].[AZ2-CS2].[02].[03]

If any of the crypto units are not selected, run the following command and follow the prompts to add the crypto units to the selected list:
```
ibmcloud tke cryptounit-add
```
To enable the BIP32 feature, run the following command:
```
ibmcloud tke cryptounit-cp-btc
```
(Optional) To confirm that the BIP32 feature is enabled, run the ibmcloud tke cryptounit-compare command again, and make sure that XCP_CPB_BTC is marked as Set for all crypto units in the output.

Enabling Edwards-curve Digital Signature Algorithm

Edwards-curve Digital Signature Algorithm (EdDSA) is a modern and secure digital signature algorithm based on performance-optimized elliptic curves.

To enable EdDSA, follow these steps:

Step 1: Verify the EdDSA enablement

To check whether the EdDSA feature is already enabled in your service instance, perform the following steps:

In the CLI, update the TKE CLI plug-in to the latest version with the following command:
```
ibmcloud plugin update tke
```
To check whether the EdDSA feature is enabled, run the following command:
```
ibmcloud tke cryptounit-compare
```
The following output is an example of what is to be displayed. If the EdDSA feature is enabled, the XCP_CPB_ALG_EC_25519 column is specified as Set in the CONTROL POINTS section:
```
CONTROL POINTS
SERVICE INSTANCE: f410ea28-691a-4708-a580-1f813e0a6d31
CRYPTO UNIT NUM   XCP_CPB_ALG_EC_25519
1                 Set
2                 Set
```
If Not Set is displayed, perform the following steps to manually enable the EdDSA feature.

Step 2: Enable EdDSA manually

To enable EdDSA for your service instance, follow these steps:

Check and make sure all crypto units in your service instance are selected with the following command:

ibmcloud tke cryptounits

The following output is an example of what is to be displayed. All selected crypto units are marked true in the SELECTED column:

SERVICE INSTANCE: 482cf2ce-a06c-4265-9819-0b4acf54f2ba
CRYPTO UNIT NUM   SELECTED   LOCATION
1                 true       [us-south].[AZ3-CS3].[02].[03]
2                 true       [us-south].[AZ2-CS2].[02].[03]

If any of the crypto units are not selected, run the following command and follow the prompts to add the crypto units to the selected list:
```
ibmcloud tke cryptounit-add
```
To enable the EdDSA feature, run the following command:
```
ibmcloud tke cryptounit-cp-eddsa
```
(Optional) To confirm that the EdDSA feature is enabled, run the ibmcloud tke cryptounit-compare command again, and make sure that XCP_CPB_ALG_EC_25519 is marked as Set for all crypto units in the output.

Enabling the Schnorr algorithm

The Schnorr algorithm can be used as a signing scheme to generate digital signatures. It is proposed as an alternative algorithm to the Elliptic Curve Digital Signature Algorithm (ECDSA) for cryptographic signatures in the Bitcoin system. The Schnorr signature is known for the simplicity and efficiency.

To enable the Schnorr algorithm, follow these steps:

Step 1: Verify the Schnorr algorithm enablement

To check whether the Schnorr algorithm is already enabled in your service instance, perform the following steps:

In the CLI, update the TKE CLI plug-in to the latest version with the following command:
```
ibmcloud plugin update tke
```
To check whether the Schnorr algorithm is enabled, run the following command:
```
ibmcloud tke cryptounit-compare
```
The following output is an example of what is to be displayed. If the Schnorr algorithm is enabled, the XCP_CPB_ECDSA_OTHER column is specified as Set in the CONTROL POINTS section:
```
CONTROL POINTS
SERVICE INSTANCE: f410ea28-691a-4708-a580-1f813e0a6d31
CRYPTO UNIT NUM   XCP_CPB_ECDSA_OTHER
1                 Set
2                 Set
```
If Not Set is displayed, perform the following steps to manually enable the Schnorr algorithm.

Step 2: Enable the Schnorr algorithm manually

To enable the Schnorr algorithm for your service instance, follow these steps:

Check and make sure all crypto units in your service instance are selected with the following command:

ibmcloud tke cryptounits

The following output is an example of what is to be displayed. All selected crypto units are marked true in the SELECTED column:

SERVICE INSTANCE: 482cf2ce-a06c-4265-9819-0b4acf54f2ba
CRYPTO UNIT NUM   SELECTED   LOCATION
1                 true       [us-south].[AZ3-CS3].[02].[03]
2                 true       [us-south].[AZ2-CS2].[02].[03]

If any of the crypto units are not selected, run the following command and follow the prompts to add the crypto units to the selected list:
```
ibmcloud tke cryptounit-add
```
To enable the Schnorr algorithm, run the following command:
```
ibmcloud tke cryptounit-cp-sig-other
```
(Optional) To confirm that the Schnorr algorithm is enabled, run the ibmcloud tke cryptounit-compare command again, and make sure that XCP_CPB_ECDSA_OTHER is marked as Set for all crypto units in the output.

What's next

You can now start using the PKCS #11 API or the GREP11 API to perform cryptographic operations and protect deterministic wallets.

For more information about the TKE CLI commands, check out the TKE CLI reference.
For more information about the PKCS #11 API, check out Introducing PKCS #11 and PKCS #11 API reference.
For more information about the GREP11 API, check out Introducing EP11 over gRPC and GREP11 API reference.
To learn more about the differences and relationships between PKCS #11 and GREP11 API, see Introducing cloud HSM.