IBM Cloud Docs
FAQs: Provisioning and operations

Read this page for answers to questions about provisioning an IBM Cloud® Hyper Protect Crypto Services instance and about related operations.

Are there any prerequisites for using Hyper Protect Crypto Services?

To use Hyper Protect Crypto Services, you need to have a Pay-As-You-Go or Subscription IBM Cloud account.

If you don't have an IBM Cloud account, create an account first by going to IBM Cloud registration. To check your account type, go to IBM Cloud and click Management > Account > Account settings. You can also apply your promo code if you have one. For more information about IBM Cloud accounts, see FAQs for accounts.

The service can be provisioned quickly by following the instructions in Provisioning service instances. However, before you can perform key management and cryptographic operations, you need to initialize the service instance by using the IBM Cloud TKE CLI plug-in or the Management Utilities.

How do I initialize Hyper Protect Crypto Services service instances?

To initialize the service instance, you need to create administrator signature keys, exit imprint mode, and load the master key into the instance. To meet the varied security requirements of enterprises, IBM offers the following options for loading the master key:

  • Using the IBM Hyper Protect Crypto Services Management Utilities for the highest level of security. This solution uses smart cards to store signature keys and master key parts. Signature keys and master key parts never appear in the clear outside the smart card.

  • Using the IBM Cloud TKE CLI plug-in for a solution that does not require the procurement of smart card readers and smart cards. This solution supports two approaches to initializing service instances: by using recovery crypto units and by using key part files. When you use recovery crypto units, the master key is automatically generated within crypto units, and you don't need to create multiple master key parts. When you use key part files, file contents are decrypted and appear temporarily in the clear in workstation memory.

For more information, see Introducing service instance initialization approaches.

Can I initialize my service instance through the TKE CLI plug-in by using a proxy?

Yes, if the proxy is configured for HTTPS port 443. On the workstation that runs the TKE CLI, add an entry to the local hostname mapping (for example, /etc/hosts) that maps the TKE API endpoint tke.<region>.hs-crypto.cloud.ibm.com to your proxy. For example, for an instance in Frankfurt the endpoint is tke.eu-de.hs-crypto.cloud.ibm.com.

Are there any recommendations on how to set up smart cards?

It is recommended that each master key part be created on a separate EP11 smart card and be assigned to a different person. Backup copies of all smart cards need to be created and stored in a safe place. It is recommended that you order 10 or 12 smart cards and initialize them this way:

  • Create a certificate authority (CA) smart card and a backup certificate authority smart card.
  • Create two EP11 smart cards and two backup EP11 smart cards to store two administrator signature keys. Generate the administrator signature keys separately on the two EP11 smart cards and copy them to the two backup smart cards.
  • Create two EP11 smart cards and two backup EP11 smart cards to store two master key parts, or create three EP11 smart cards and three backup EP11 smart cards to store three master key parts. Generate EP11 master key parts separately on two or three smart cards, depending on the number of key parts when you load your master key. Copy each key part value to a backup EP11 smart card.

To calculate the number of smart cards needed, you can refer to the following formulas:

Table 1. Formulas for calculating the number of smart cards

Case 1: administrator signature keys are stored separately from master key parts.

  Assumptions:
  • The number of backups per smart card: x
  • The number of administrators (1 to 8): y
  • The number of master key parts (2 or 3): z

  Formula:
  1 (CA card) + x (CA card backups) + y (administrator signature key EP11 cards) + y * x (administrator signature key EP11 card backups) + z (master key part EP11 cards) + z * x (master key part EP11 card backups) = (1 + x) * (1 + y + z)

Case 2: an administrator signature key and a master key part are stored on the same EP11 smart card, and the number of master key parts equals the number of administrators (y = z).

  Assumptions:
  • The number of backups per smart card: x
  • The number of administrators (1 to 8): y
  • The number of master key parts (2 or 3): z

  Formula:
  1 (CA card) + x (CA card backups) + z (administrator signature key and master key part EP11 cards) + z * x (administrator signature key and master key part EP11 card backups) = (1 + x) * (1 + z)
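The following script is an added example, not part of the IBM documentation or of any IBM tool. It turns the two formulas in Table 1 into a ceremony planning checklist: given x, y and z it enumerates every physical card with its role (CA card, administrator signature key card, master key part card, and each card's backups), enforces the page's stated limits (1 to 8 administrators, 2 or 3 master key parts, y = z for the combined layout), and cross-checks the enumerated count against the closed form. With one backup per card and two administrators it reproduces the 10 or 12 cards that the recommendation above asks you to order. The function and field names are the example's own.

```python
# Added example (not IBM's code): plan the smart card inventory for a
# Hyper Protect Crypto Services initialization ceremony from the two
# formulas in Table 1, and verify the enumerated count against the closed form.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SmartCardPlan:
    layout: str            # "separate" (Table 1, case 1) or "combined" (case 2)
    backups_per_card: int  # x
    administrators: int    # y
    master_key_parts: int  # z
    cards: Tuple[str, ...] # one label per physical smart card to procure

    @property
    def total(self) -> int:
        return len(self.cards)


def expected_total(x: int, y: int, z: int, combined: bool = False) -> int:
    """Closed-form card count from Table 1."""
    return (1 + x) * (1 + z) if combined else (1 + x) * (1 + y + z)


def plan_smart_cards(backups_per_card: int, administrators: int,
                     master_key_parts: int, combined: bool = False) -> SmartCardPlan:
    x, y, z = backups_per_card, administrators, master_key_parts
    # Limits stated on the page: backups are required, crypto units hold
    # 1 to 8 administrators, and the master key is split into 2 or 3 parts.
    if x < 1:
        raise ValueError("every smart card needs at least one backup copy")
    if not 1 <= y <= 8:
        raise ValueError("a crypto unit holds 1 to 8 administrators")
    if z not in (2, 3):
        raise ValueError("the master key is split into 2 or 3 parts")
    if combined and y != z:
        raise ValueError("combined layout requires one key part per administrator (y == z)")

    cards = []

    def add_with_backups(label: str) -> None:
        # Each primary card is followed by its x backup copies, which must be
        # created in the same smart card zone and stored separately.
        cards.append(label)
        for i in range(1, x + 1):
            cards.append(f"{label} (backup {i})")

    add_with_backups("CA smart card")
    if combined:
        for i in range(1, z + 1):
            add_with_backups(f"EP11 card: administrator {i} signature key + master key part {i}")
    else:
        for i in range(1, y + 1):
            add_with_backups(f"EP11 card: administrator {i} signature key")
        for i in range(1, z + 1):
            add_with_backups(f"EP11 card: master key part {i}")

    plan = SmartCardPlan("combined" if combined else "separate", x, y, z, tuple(cards))
    # Sanity check: the enumerated inventory must match the Table 1 formula.
    assert plan.total == expected_total(x, y, z, combined), "inventory disagrees with Table 1"
    return plan


if __name__ == "__main__":
    # The recommended starting point from this FAQ: one backup per card,
    # two administrators, two or three master key parts -> 10 or 12 cards.
    for parts in (2, 3):
        plan = plan_smart_cards(1, 2, parts)
        print(f"{plan.layout}, z={parts}: {plan.total} cards")
        for card in plan.cards:
            print("  -", card)
```

Run it as a script to print the checklist, or import it and call plan_smart_cards with your own x, y and z. Raising the signature threshold above one (see below) does not change the card count; it changes how many of the enumerated administrator cards must be present at each signed command.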

A backup certificate authority smart card can be created by using the Smart Card Utility Program. Select CA Smart Card > Backup CA smart card from the menu, and follow the prompts.

The contents of an EP11 smart card can be copied to another EP11 smart card that was created in the same smart card zone by using the Trusted Key Entry application. On the Smart card tab, click Copy smart card, and follow the prompts.

For greater security, you can generate administrator signature keys on more EP11 smart cards and set the signature thresholds in your crypto units to a value greater than one. You can install up to eight administrators in your crypto units and specify that up to eight signatures are required for some administrative commands.

To find out details on how to procure and set up smart cards and other Management Utilities components, see Setting up smart cards and the Management Utilities.

How can I procure smart cards and smart card readers?

To procure smart cards and smart card readers, follow the procedure in Order smart cards and smart card readers.

How many crypto units shall I set up in my service instance?

You need to set up at least two crypto units for high availability. Hyper Protect Crypto Services limits a service instance to a maximum of 3 crypto units.

Can I use Hyper Protect Crypto Services along with other IBM Cloud services?

Yes. Hyper Protect Crypto Services can be integrated with many IBM Cloud services, such as IBM Cloud Object Storage, IBM Cloud for VMware Solutions, IBM Cloud Kubernetes Service, and Red Hat OpenShift on IBM Cloud. For a complete list of services and instructions on integrations, see Integrating services.

How does my application connect to a Hyper Protect Crypto Services service instance?

Hyper Protect Crypto Services provides standard APIs for users to access. Your applications can connect to a Hyper Protect Crypto Services service instance by calling the APIs directly over the public internet. If a more secure and isolated connection is needed, you can also use private endpoints: you can connect to your service instance through IBM Cloud service endpoints over the IBM Cloud private network.

Can I generate the master key on-premises and store the master key parts on smart cards?

Generating the master key on-premises is not supported.

Can I import root keys from an on-premises HSM?

Importing root keys from an on-premises HSM is not supported.

Can I use Hyper Protect Crypto Services only for cryptographic operations, but use other IBM Cloud services such as Key Protect for key management?

Yes. Hyper Protect Crypto Services can be used with Key Protect for key management. In this arrangement, Hyper Protect Crypto Services is responsible only for cryptographic operations, while Key Protect provides the key management service, secured by multi-tenant, FIPS 140-2 Level 3 certified cloud-based HSMs.

Can I use Hyper Protect Crypto Services for applications hosted in other cloud service providers such as AWS, Azure, and GCP?

Yes. Hyper Protect Crypto Services with Unified Key Orchestrator provides multicloud key management capabilities. See Introducing Unified Key Orchestrator for details.

How can I know whether the IBM Cloud services that I adopt can integrate with Hyper Protect Crypto Services for key encryption?

You can find a list of IBM Cloud services that can integrate with Hyper Protect Crypto Services in Integrating IBM Cloud services with Hyper Protect Crypto Services.

You can also find detailed instructions on how to perform service-level authorization in the integration instruction links that are included in that topic.