FAQs: Hyper Protect Crypto Services with Unified Key Orchestrator
Read to get answers for questions about IBM Cloud® Hyper Protect Crypto Services with Unified Key Orchestrator.
How many keys can be stored in a Hyper Protect Crypto Services with Unified Key Orchestrator instance?
A Unified Key Orchestrator instance of Hyper Protect Crypto Services can hold a maximum of 20,000 KMS keys and 20,000 EP11 keys.
What is the difference between key management, key orchestration, and key governance?
Key orchestration brings both key management and key governance capabilities into operations within an enterprise:
- Key management is the people, processes, and technology that define how encryption keys exist and operate within an enterprise, including key lifecycle stages, and roles and duties definitions.
- Key governance is the business control that is defined by the security and risk management practices of an enterprise. Key governance ensures encryption key risks are identified, assessed, and addressed by risk mitigation policies and controls, including applicable regulations and compliance requirements.
- Key orchestration is the activities and means that initiate and manage encryption keys through their lifecycle within an enterprise, including automation and integration into reporting and monitoring.
For more information about key management, see NIST SP 800-57 Part 2 Rev 1 "Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations".
Does Hyper Protect Crypto Services with Unified Key Orchestrator provide key management, governance, and orchestration at the same time?
Yes. Unified Key Orchestrator provides a simplified means of key management, governance, and orchestration: one place to define, operate, and oversee encryption keys across hybrid multicloud environments.
Is Unified Key Orchestrator a separate offering?
No. From a technology point of view, Unified Key Orchestrator is a feature of Hyper Protect Crypto Services. You need to provision and deploy a Hyper Protect Crypto Services instance to implement and use Unified Key Orchestrator.
How is Hyper Protect Crypto Services with Unified Key Orchestrator different from the Hyper Protect Crypto Services Standard Plan?
Hyper Protect Crypto Services with Unified Key Orchestrator extends the Standard Plan. IBM Cloud is the only cloud service provider that offers native cloud encryption key orchestration and lifecycle management across hybrid multicloud environments, including IBM Cloud, IBM Satellite, other cloud service providers, and on-premises environments. The following table lists the key differences between Hyper Protect Crypto Services with Unified Key Orchestrator and Hyper Protect Crypto Services Standard Plan:
| Feature | Hyper Protect Crypto Services Standard Plan | Hyper Protect Crypto Services with Unified Key Orchestrator |
|---|---|---|
| Multicloud Key Lifecycle Management | Not supported. | Supported. |
| Vaults | None. | Unlimited vaults. |
| Key types | EP11 keys, root keys, and standard keys. For more information, see Managing EP11 keys with the UI, Creating root keys, and Creating standard keys. | Unified Key Orchestrator managed keys. For more information, see Creating managed keys. |
| Internal keystores | Unlimited internal keystores and the first 5 keystores are free of charge. For more information, see Pricing sample. | Unlimited internal keystores and the first 5 keystores are free of charge. For more information, see Pricing sample. |
| External keystores | Not supported. | Unlimited external keystores. For more information, see Pricing sample. |
| Master key rotation | Supported. For more information, see Master key rotation - Standard Plan. | Supported. For more information, see Master key rotation -Unified Key Orchestrator Plan. |
| EP11 support | Both UI and API support. For more information, see Introducing EP11 over gRPC - Standard Plan. | API support only. |
| Viewing associated resources | Supported. For more information, see Viewing associations between root keys and encrypted IBM Cloud resources. | Not supported. |
| Dual authorization policies | Supported. For more information, see Managing dual authorization of your service instance. | Not supported. |
| KMS key types (policy) | Keys are symmetric 256-bit keys, supported by the AES-CBC algorithm. | Not supported. |
| key create and import access policy | Supported. For more information, see Managing the key create and import access policy. | Managed keys are supported through IAM. |
| Export keys | Supported. | Not supported. |
What type of HSM is used for Hyper Protect Crypto Services with Unified Key Orchestrator?
Hyper Protect Crypto Services with Unified Key Orchestrator is built on the FIPS 140-2 Level 4 certified HSM as the Hyper Protect Crypto Services Standard Plan.
Which cloud vendors or providers are supported by Hyper Protect Crypto Services with Unified Key Orchestrator as connected external keystores?
The following list contains a few cloud providers:
- Keystores of another Hyper Protect Crypto Services instance
- Keystores of IBM® Key Protect for IBM Cloud®
- Keystores of IBM® Key Protect for IBM Cloud® on Satellite
- Microsoft Azure Key Vault
- AWS Key Management Service
- Google Cloud Key Management Service
How is Unified Key Orchestrator different from EKMF Web?
IBM® Enterprise Key Management Foundation - Web Edition (EKMF Web) and Unified Key Orchestrator share the same code base.
EKMF Web is an on-premises product for IBM Z14 or Z15 environments, running z/OS V2.3 or z/OS V2.4 and IBM Db2. Hyper Protect Crypto Services with Unified Key Orchestrator is a cloud native service in IBM Cloud, which offers key management and orchestration in a hybrid multicloud environment.
What multizone regions is Hyper Protect Crypto Services with Unified Key Orchestrator available in?
Hyper Protect Crypto Services with Unified Key Orchestrator is available in all regions where Hyper Protect Crypto Services is available. Refer to Regions and locations for a list of available regions of Hyper Protect Crypto Services.
Can I still use Hyper Protect Crypto Services with Unified Key Orchestrator for key management even if Hyper Protect Crypto Services is not available in the IBM Cloud region that my service resides in?
Yes. You can choose a data center within your required data residency region and use Unified Key Orchestrator in any regions where Hyper Protect Crypto Services is available. Note that your encryption keys is managed in the regions where your Hyper Protect Crypto Services instances are available.
How many keystores can be created for an instance of Hyper Protect Crypto Services with Unified Key Orchestrator?
There is an internal KMS keystore limit of 50, but there is no external keystore limit. For more information on how the keystores are charged, see the pricing sample.