Introducing Bring Your Own HSM

By enabling the Bring Your Own Hardware Security Module (BYOHSM) function in Hyper Protect Crypto Services, you can use your own on-premises HSMs for generating encryption keys while still leveraging the key management service in the cloud.

The Bring Your Own HSM (BYOHSM) function is available only in the Standard Plan service instances in the VPC-based regions. For the VPC region list, see Regions and locations.

What is Bring Your Own HSM?

Instead of using IBM-provided cloud HSMs for key generation and management, you can use your own on-premises HSMs for your Hyper Protect Crypto Services instance. Bring Your Own HSM extends your local key management capability to the cloud and creates a scalable, unified, and secure hybrid cloud ecosystem for your regulated workloads. The following architecture diagram shows the difference between Hyper Protect Crypto Services instances with and without this function enabled.

Figure 1. Architecture comparison between Hyper Protect Crypto Services with and without BYOHSM

With the Bring Your Own HSM function, you can benefit from the following aspects:

  • Data sovereignty: You have physical control over your HSMs and encryption keys, which helps you comply with the data sovereignty regulations.
  • Simplified HSM management: If you have already provisioned HSMs in your enterprise, you can continue using them for Hyper Protect Crypto Services. In this way, you have unified control of HSM management and a consistent key management infrastructure.

However, compared to cloud HSMs, on-premises HSMs also have the following disadvantages:

  • High cost: If you don't have an on-premises HSM, you need to purchase at least one for Hyper Protect Crypto Services to use.
  • Full responsibility for hardware setup and maintenance: You need to complete the initial setup of HSMs based on the provider's guidelines, configure and deploy your HSMs to work with Hyper Protect Crypto Services, and keep your HSMs in a secure place and in good working condition.
  • No access to the PKCS #11 and GREP11 APIs of the cloud HSM: With BYOHSM, your Hyper Protect Crypto Services instance no longer uses the cloud HSM for key generation and management. Therefore, you are not able to use the PKCS #11 and GREP11 APIs.

How to enable Bring Your Own HSM?

To enable the Bring Your Own HSM function, you need to complete the following steps:

  1. Purchase and set up your on-premises HSMs.

    You are responsible for the initial setup of HSMs that you want to use for your service instance within your own infrastructure. Make sure to follow the relevant product guidelines from your HSM provider. Currently, Hyper Protect Crypto Services supports Thales HSM A7xx models only. For more information, see Limitations and scope.

  2. Configure and deploy HSMs to connect to your instance.

    You need to configure networks, create partitions and specific keys, and prepare the information needed for the connection. To achieve high availability, deploy at least two HSMs. For more information, see Deploying an HSM to use with Hyper Protect Crypto Services.

  3. Provision a Hyper Protect Crypto Services instance with BYOHSM enabled.

    After you collect all the information needed, you can contact IBM and create a Hyper Protect Crypto Services instance with the Bring Your Own HSM function enabled. For more information, see Provisioning instances with Bring Your Own HSM.

    You cannot enable or disable the BYOHSM function after you provision an instance.

Limitations and scope

When you decide whether to enable this function, you might need to consider the following limitations:

  • Supported HSM types

    Currently, Hyper Protect Crypto Services supports the following HSM types with the specific firmware and software versions:

    If you use older versions, make sure to upgrade your firmware and software versions to the latest version. For more information, see HSM Updates and Upgrades.

    As a security best practice, run your HSMs in FIPS mode, which allows your HSM to create only FIPS-compliant keys. To check the current mode, use the LunaSH command hsm showpolicies. The value of Enable non-FIPS algorithms should be Disallowed.

  • Limited region availability

    The Bring Your Own HSM (BYOHSM) function is available only in the VPC-based regions. For the VPC region list, see Regions and locations. However, you can set up your own HSMs in another location as long as network connectivity works between your Hyper Protect Crypto Services instance and your HSMs. Keep your HSMs in close physical proximity to your instance, and connect them over a private network.
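The FIPS-mode check described under Supported HSM types can be automated before an HSM is handed over for BYOHSM use. The following script is an added example and not part of the IBM documentation: it parses the policy table of hsm showpolicies output and confirms that Enable non-FIPS algorithms is Disallowed. The sample output is constructed, and its column layout is an assumption, not a capture from a real Thales HSM.

```python
import re
from typing import Dict, Tuple

# Constructed sample of LunaSH "hsm showpolicies" output. The column layout is
# an assumption for this example, not a capture from a real HSM.
SAMPLE_OUTPUT = """\
The following policies describe the current configuration of
this HSM and may be changed by the HSM Administrator.

Description                              Value          Code
===========                              =====          ====
Enable PIN-based authentication          Allowed        1
Enable non-FIPS algorithms               Disallowed     12
Allow remote PED usage                   Disallowed     33
"""

POLICY_NAME = "Enable non-FIPS algorithms"
REQUIRED_VALUE = "Disallowed"

# One policy row: a description, two or more spaces, then the value column.
ROW = re.compile(r"^(?P<desc>\S.*?\S)\s{2,}(?P<value>Allowed|Disallowed|On|Off)\b")


def parse_policies(output: str) -> Dict[str, str]:
    """Map policy description -> value for every row that matches ROW."""
    policies = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            policies[m.group("desc")] = m.group("value")
    return policies


def check_fips_mode(output: str) -> Tuple[bool, str]:
    """Return (ok, reason): ok is True only when non-FIPS algorithms are Disallowed."""
    policies = parse_policies(output)
    value = policies.get(POLICY_NAME)
    if value is None:
        return False, f"policy '{POLICY_NAME}' not found in output"
    if value != REQUIRED_VALUE:
        return False, f"{POLICY_NAME} is {value}; expected {REQUIRED_VALUE}"
    return True, f"{POLICY_NAME} is {REQUIRED_VALUE}; HSM is in FIPS mode"


if __name__ == "__main__":
    ok, reason = check_fips_mode(SAMPLE_OUTPUT)
    print(("PASS" if ok else "FAIL") + ": " + reason)
```

To run it against a real appliance, pipe the captured output of hsm showpolicies into check_fips_mode instead of SAMPLE_OUTPUT; a missing policy row is reported as a failure rather than silently passing.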

Responsibilities

With the Bring Your Own HSM function enabled, your Hyper Protect Crypto Services instance is extended into your own infrastructure. IBM no longer fully manages your service instance, so you need to understand your responsibilities.

  • User responsibilities

    • Make sure that your HSMs are properly configured to work with Hyper Protect Crypto Services. You are responsible for purchasing and setting up the HSMs within your own infrastructure. For more information about the types of HSMs that are supported, see Limitations and scope. Make sure to follow the relevant product documentation from your HSM provider about its setup, maintenance, and troubleshooting. IBM is responsible only for errors that result from issues with the Hyper Protect Crypto Services instance, not from any issues with your HSM.
    • Ensure network connectivity between HSMs and your Hyper Protect Crypto Services instance. For more information about how to establish the network, see Network connectivity best practice.
    • Contact IBM before you provision an instance with the Bring Your Own HSM function enabled. You must provide the information needed to connect to your HSMs, so that IBM can first configure and deploy the backend environment for your instance.
  • IBM responsibilities

    • Ensure the normal operations and maintenance of Hyper Protect Crypto Services instances.
    • Ensure the security of key operations and key-related processes.
    • Support for issues that are related to the Hyper Protect Crypto Services instance, not for issues with your HSM.