General FAQs

Read on for answers to general questions about IBM Cloud® Hyper Protect Crypto Services.

What's IBM Cloud Hyper Protect Crypto Services?

IBM Cloud Hyper Protect Crypto Services is a dedicated key management service and cloud Hardware Security Module (HSM) service. (An HSM is a physical appliance that provides on-demand encryption, key management, and key storage as a managed service.) The service provides the following features:

  • Keep Your Own Key (KYOK) with the FIPS 140-2 Level 4 certified HSM that ensures your full control of the entire key hierarchy where no IBM Cloud administrators have access to your keys.
  • Single-tenant key management system to create, import, rotate, and manage keys with the standardized API.
  • Data-at-rest encryption with customer-owned keys with seamless integration with other IBM Cloud data and storage services.
  • PKCS #11 library and Enterprise PKCS #11 (EP11) library for cryptographic operations, which is enabled by the Hyper Protect Crypto Services HSMs with the highest security level in the cloud.

What is Unified Key Orchestrator?

Unified Key Orchestrator provides the only cloud native single-point-of-control of encryption keys across hybrid multicloud environments of your enterprise.

  • Unified Key Orchestrator provides both Keep Your Own Key and Bring Your Own Key capabilities across hybrid multicloud environments, including on-premises environments.
  • Unified Key Orchestrator manages and orchestrates all keys from the multicloud environments on IBM Cloud.

What is a key management service?

Hyper Protect Crypto Services provides a single-tenant key management service to create, import, rotate, and manage keys. Once the encryption keys are deleted, you can be assured that your data that is protected by these keys is no longer retrievable. The service is built on FIPS 140-2 Level 4 certified HSM, which offers the highest level of protection in the cloud industry. Hyper Protect Crypto Services provides the same key management service API as IBM Key Protect for IBM Cloud for you to build your applications or leverage IBM Cloud data and infrastructure services.

What is a Hardware Security Module?

A Hardware Security Module (HSM) provides secure key storage and cryptographic operations within a tamper-resistant hardware device for sensitive data. HSMs use the key material without exposing it outside the cryptographic boundary of the hardware.

What is a cloud HSM?

A cloud HSM is a cloud-based hardware security module to manage your own encryption keys and to perform cryptographic operations in IBM Cloud. Hyper Protect Crypto Services is built on FIPS 140-2 Level 4 certified HSM, which offers the highest level of protection in the cloud industry. With the Keep Your Own Key (KYOK) support, customers can configure the master key and take ownership of the cloud HSM. The master key is an encryption key that is used to protect a crypto unit; it provides full control of the hardware security module and ownership of the root of trust that encrypts the chain keys, including the root key and standard key. Customers have full control and authority over the entire key hierarchy, where no IBM Cloud administrators have access to your keys.

How does Hyper Protect Crypto Services provide a single-tenant cloud service?

Hyper Protect Crypto Services is a single-tenant cloud service because each customer has a dedicated software stack and a dedicated HSM domain for every crypto unit. As a customer, you are assured that you are interacting with a dedicated service stack that processes only your data. For more information about the service architecture, see How does Hyper Protect Crypto Services work.

What are the responsibilities of users and IBM Cloud for Hyper Protect Crypto Services?

Hyper Protect Crypto Services is a platform-as-a-service on IBM Cloud. IBM Cloud is responsible for management of servers, network, storage, virtualization, middleware, and runtime, which ensures good performance and high availability. Customers are responsible for the management of data and applications, specifically encryption keys that are stored in Hyper Protect Crypto Services and user applications that use keys or cryptographic functions for cryptographic operations.

How is this service different from IBM Cloud HSM?

IBM has an IaaS IBM Cloud HSM service, which is different from the Hyper Protect Crypto Services. IBM Cloud HSM is FIPS 140-2 Level 3 compliant. Hyper Protect Crypto Services provides a managed HSM service where no special skills are needed to manage the HSM other than loading of the keys. Hyper Protect Crypto Services is the only cloud service that provides HSMs that are built on FIPS 140-2 Level 4 certified hardware and that allow users to have control of the master key.

How is Hyper Protect Crypto Services different from Key Protect?

IBM Key Protect for IBM Cloud is a shared multi-tenant key management service that supports the Bring Your Own Key (BYOK) capability. The service is built on FIPS 140-2 Level 3 certified HSMs, which are managed by IBM.

Hyper Protect Crypto Services is a single-tenant key management service and cloud HSM for you to fully manage your encryption keys and to perform cryptographic operations. This service is built on FIPS 140-2 Level 4 certified HSMs and supports the Keep Your Own Key (KYOK) capability. You can take ownership to ensure your full control of the entire key hierarchy with no access even from IBM Cloud administrators. Hyper Protect Crypto Services also supports industry standards such as Public-Key Cryptography Standards #11 (PKCS #11) for cryptographic operations like digital signing and Secure Sockets Layer (SSL) offloading.

How is Keep Your Own Key different from Bring Your Own Key?

Bring Your Own Key (BYOK) is a way for you to use your own keys to encrypt data. The key management services that provide BYOK are typically multi-tenant services. With these services, you can import your encryption keys from the on-premises hardware security modules (HSM) and then manage the keys.

With Keep Your Own Key (KYOK), IBM brings an industry-leading level of control that you can exercise over your own encryption keys. In addition to the BYOK capabilities, KYOK provides technical assurance that IBM cannot access the customer keys. With KYOK, you have exclusive control of the entire key hierarchy, which includes the master key.

The following table details the differences between KYOK and BYOK.

Table 1. Comparing BYOK with KYOK

| Cloud key management capabilities | BYOK | KYOK |
|---|---|---|
| Managing encryption key lifecycle | Yes | Yes |
| Integrating with other cloud services | Yes | Yes |
| Bringing your own keys from on-premises HSMs | Yes | Yes |
| Operational assurance - Cloud service providers cannot access keys. | Yes | Yes |
| Technical assurance - IBM cannot access the keys. | No | Yes |
| Single tenant, dedicated key management service. | No | Yes |
| Exclusive control of your master key. | No | Yes |
| Highest level security - FIPS 140-2 Level 4 HSM. | No | Yes |
| Managing your master key with smart cards. | No | Yes |
| Performing key ceremony. | No | Yes |

What can I do with IBM Cloud Hyper Protect Crypto Services?

IBM Cloud Hyper Protect Crypto Services can be used for key management service and cryptographic operations.

Hyper Protect Crypto Services can integrate with IBM Cloud data and storage services, as well as VMware® vSphere® and vSAN, to provide data-at-rest encryption. The managed cloud HSM supports industry standards, such as Enterprise Public-Key Cryptography Standards (PKCS) #11. Your applications can integrate cryptographic operations such as digital signing and validation through Enterprise PKCS #11 (EP11 API). The EP11 library provides an interface similar to the industry-standard PKCS #11 application programming interface (API).

Hyper Protect Crypto Services leverages frameworks such as gRPC to enable remote application access. gRPC is a modern open source high-performance remote procedure call (RPC) framework that can connect services in and across data centers for load balancing, tracing, health checking, and authentication. Applications access Hyper Protect Crypto Services by calling EP11 API remotely over gRPC.

For more information, see Hyper Protect Crypto Services use cases.

How do I know whether Hyper Protect Crypto Services is right for my company?

If you are concerned about data security and compliance in the cloud, you can maintain complete control over data encryption and signature keys in a cloud consumable HSM. (A signature key is an encryption key that is used by the crypto unit administrator to sign commands that are issued to the crypto unit.) The HSM is backed by industry-leading security for cloud data and digital assets. With the security and regulatory compliance support, your data is encrypted and privileged access is controlled. Even IBM Cloud administrators have no access to the keys.

With Hyper Protect Crypto Services, you can ensure regulatory compliance and strengthen data security. Your data is protected with encryption keys in a fully managed, dedicated key management system and cloud HSM service that supports Keep Your Own Key. Keep your own keys for cloud data encryption protected by a dedicated cloud HSM. If you are running regulation intensive applications or applications with sensitive data, this solution is right for you.

Key features are as follows:

  • Full control of the entire key hierarchy, including the master keys.
  • Tamper-proof hardware device for sensitive data.
  • Industry-leading security for cloud data and digital assets.
  • Reduced data compromise risk because of in-built protection against privileged access threats.
  • Regulatory compliance through data encryption and controls on privileged access.
  • Keep Your Own Key (KYOK) that ensures your full control of the entire key hierarchy.

How does Hyper Protect Crypto Services work?

When you use Hyper Protect Crypto Services, you create a service instance with multiple crypto units that reside in different availability zones in a region. The service instance is built on Secure Service Container (SSC), which ensures an isolated container runtime environment and provides enterprise-level security and impregnability. The multiple crypto units in a service instance are automatically synchronized and load balanced across multiple availability zones. If one availability zone cannot be accessed, the crypto units in a service instance can be used interchangeably.

A crypto unit is a single unit that represents a hardware security module and the corresponding software stack that is dedicated to the hardware security module for cryptography. Encryption keys are generated in the crypto units and stored in the dedicated keystore for you to manage and use through the standard RESTful API. With Hyper Protect Crypto Services, you take ownership of the crypto units by loading the master key and assigning your own administrators through the CLI or the Management Utilities applications. In this way, you have exclusive control over your encryption keys.

Hyper Protect Crypto Services, which is built on a FIPS 140-2 Level 4 HSM, supports Enterprise PKCS #11 for cryptographic operations. The functions can be accessed through gRPC API calls.

What crypto card does Hyper Protect Crypto Services use?

If you create your instance in regions that are based on Virtual Private Cloud (VPC) infrastructure, Hyper Protect Crypto Services uses the IBM 4769 crypto card, also referred to as Crypto Express 7S (CEX7S). If you create your instance in other non-VPC regions, Hyper Protect Crypto Services uses the IBM 4768 crypto card, also referred to as Crypto Express 6S (CEX6S). Both IBM CEX6S and IBM CEX7S are certified at FIPS 140-2 Level 4, the highest level of certification achievable for commercial cryptographic devices. You can check the certificates at the following sites:

Which IBM regions are Hyper Protect Crypto Services available in?

Currently, Hyper Protect Crypto Services is available in Dallas and Frankfurt. For an up-to-date list of supported regions, see Regions and locations.

I have workloads in a data center where Hyper Protect Crypto Services is not available. Can I still subscribe to this service?

Yes. Hyper Protect Crypto Services can be accessed remotely worldwide for key management and cloud HSM capabilities.