Introducing Unified Key Orchestrator

With Hyper Protect Crypto Services with Unified Key Orchestrator, you can manage keys not only for your internal keystores, but across multiple cloud providers, including Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform. All your keys in all those places are protected by your own master key, which is stored in a FIPS 140-2 Level 4-certified hardware security module (HSM) for the highest security. You can manage the lifecycles of your keys from a single point of control, while the system keeps keys that are distributed in sync.

With Unified Key Orchestrator, you can organize everything in vaults. Vaults are secure repositories that bundle your managed keys and the keystores to distribute managed keys to. You can use vaults to grant access to different Identity and Access Management (IAM) user groups.


Use case example

In the following example, your retail banking business unit, reflected as one user group, uses a vault called Retail Banking BU. Another business unit, reflected as another user group, uses their own vault to keep their managed keys and keystores separate.

You connect vault Retail Banking BU to three external keystores in different locations, in this example, three Azure Key Vaults. You can also connect your vault to other external keystore types if needed, such as AWS Key Management Service, IBM® Key Protect, or other Hyper Protect Crypto Services instances. Then, you create managed keys in vault Retail Banking BU and distribute the keys to those three external keystores in Azure.

For development and test purposes, you create a few more keys in the same vault and an internal KMS keystore to distribute the keys to.

You can activate a key in multiple internal or external keystores in the same vault. When you make a change to the key, for example, changing the key state from Active to Deactivated, the change is applied to every keystore that the key is activated in.

Figure 1. Unified Key Orchestrator use case example

Components

The following list includes the key components of Unified Key Orchestrator. For an architectural diagram that includes key Hyper Protect Crypto Services components, see Service architecture.

  • Vaults

    A vault is a repository that controls a user's or an access group's access to managed keys and keystores through IAM. A vault keeps all activations of a managed key in sync. A managed key or keystore can be assigned to only one vault. When you connect to an external keystore, you also need to assign it to a vault first.

    You can create different vaults based on your organizational or security needs. For example, you can create a vault for each business unit. In this way, you set access control policies at a vault level, and key administrators of each business unit have access only to the keys and keystores that are assigned to the vault of their business unit.

    For more information about creating and managing access to vaults, see Creating vaults and Granting access to vaults.

  • Key templates

    A key template specifies the properties of the managed keys to be created, such as the naming convention, key algorithm, and key length. After you create the key template, you can then create a group of managed keys with the same key properties that are defined in the key template.

    For more information about creating key templates, see Creating key templates.

  • Managed keys

    A managed key is a key that is created in and assigned to a vault. You can manage the lifecycle of a managed key and activate it in multiple keystores in the same vault. You can use a managed key for encryption and decryption only when it is activated in at least one keystore, so activate it in one or more keystores within the same vault first. Activating a managed key in multiple keystores in the same vault provides key redundancy.

    For more information about creating managed keys, see Creating and activating managed keys.

  • Keystores

    A keystore needs to be assigned to a vault. An internal keystore is created in exactly one vault; an external keystore is assigned to a vault when you connect your service instance to it.

    You need to activate a key in a keystore before you can encrypt or decrypt data by using the key.

    • Internal keystores

      An internal keystore is a keystore that is created in your Hyper Protect Crypto Services instance.

      For more information about creating internal keystores, see Creating internal keystores.

      • IBM Cloud KMS

        The key management service component within Hyper Protect Crypto Services provides the Keep Your Own Key (KYOK) feature for IBM Cloud services and ensures that you have access only to the keystores that you are authorized for.

        You can create up to five internal keystores at no charge to manage your keys. If you need more keystores, for example for cross-region key distribution or for separate access permissions, you are charged. For more information about the pricing, see FAQs: Pricing.

    • External keystores

      External keystores are keystores that are not in your service instance. You can connect to keystores that are external to your service instance, such as another Hyper Protect Crypto Services or Key Protect instance, potentially in another region. Or, you can connect to external keystores from other cloud providers such as Azure Key Vault, AWS Key Management Service (KMS), and Google Cloud KMS.

      You can connect to one external keystore at no initial cost, regardless of the type. You are charged for additional external keystores. For more information about the pricing, see FAQs: Pricing.

      For more information about connecting to keystores, see Connecting to external keystores.

      • Hyper Protect Crypto Services

        You can connect your Hyper Protect Crypto Services instance to the keystores of another Hyper Protect Crypto Services instance, and manage KMS keys and EP11 keys of another service instance using the current service instance.

      • Key Protect

        Key Protect is a service encryption solution that allows data to be secured and stored in IBM Cloud® by using envelope encryption techniques that leverage FIPS 140-2 Level 3-certified cloud-based hardware security modules.

      • Azure Key Vault

        Microsoft Azure Key Vault is a cloud service for you to create and manage cryptographic keys and other sensitive information.

      • AWS KMS

        AWS KMS is a managed service for you to create and manage cryptographic keys across a wide range of AWS services.

      • Google Cloud KMS

        Google Cloud KMS is a centralized cloud service for you to create and manage cryptographic keys. You can perform cryptographic operations by using keys in Google Cloud KMS, or by integrating with other Google Cloud services such as Cloud HSM.
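The following Python model is an added example, not part of this documentation and not the Unified Key Orchestrator API; it only replays the relationships described in the components list and the use case above. All vault, keystore, key and access-group names in it are constructed. It enforces that a managed key or keystore belongs to one vault, that a key can be activated only in keystores of its own vault, that encryption is allowed only while the key is active in at least one keystore, that a state change propagates to every activation, and that vault-level IAM scoping keeps one business unit's administrators away from another unit's keys.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class KeyState(Enum):
    PRE_ACTIVATION = "Pre-activation"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"


@dataclass
class Keystore:
    name: str
    kind: str                         # constructed label, e.g. "azure-key-vault"
    vault: Optional[str] = None       # a keystore is assigned to at most one vault
    activations: dict = field(default_factory=dict)   # key name -> KeyState


@dataclass
class ManagedKey:
    name: str
    vault: str                        # a managed key is created in exactly one vault
    algorithm: str
    state: KeyState = KeyState.PRE_ACTIVATION
    activated_in: set = field(default_factory=set)    # keystore names


class Orchestrator:
    """Stand-in (hypothetical, not the UKO API) for vault / key / keystore rules."""

    def __init__(self):
        self.vaults = {}      # vault name -> IAM access group that may use it
        self.keystores = {}
        self.keys = {}

    def create_vault(self, name, access_group):
        self.vaults[name] = access_group

    def assign_keystore(self, keystore, vault):
        if keystore.vault is not None:
            raise ValueError(f"{keystore.name} already belongs to vault {keystore.vault}")
        if vault not in self.vaults:
            raise KeyError(vault)
        keystore.vault = vault
        self.keystores[keystore.name] = keystore

    def create_key(self, name, vault, algorithm):
        if vault not in self.vaults:
            raise KeyError(vault)
        self.keys[name] = ManagedKey(name, vault, algorithm)
        return self.keys[name]

    def activate(self, key_name, keystore_name):
        key, ks = self.keys[key_name], self.keystores[keystore_name]
        if ks.vault != key.vault:
            raise ValueError("a key can only be activated in keystores of its own vault")
        key.state = KeyState.ACTIVE
        key.activated_in.add(ks.name)
        ks.activations[key.name] = key.state

    def set_state(self, key_name, state):
        # A lifecycle change is applied to every keystore the key is activated in.
        key = self.keys[key_name]
        key.state = state
        for ks_name in key.activated_in:
            self.keystores[ks_name].activations[key_name] = state

    def can_encrypt(self, key_name):
        key = self.keys[key_name]
        return key.state is KeyState.ACTIVE and bool(key.activated_in)

    def is_authorized(self, access_group, key_name):
        # Access is granted per vault, so the key's vault decides.
        return self.vaults[self.keys[key_name].vault] == access_group


def retail_banking_scenario():
    """Replays the use case with constructed names and returns what was observed."""
    uko = Orchestrator()
    uko.create_vault("Retail Banking BU", "retail-banking-admins")
    uko.create_vault("Corporate Banking BU", "corporate-banking-admins")
    azure_vaults = ("akv-eastus", "akv-westeurope", "akv-southeastasia")
    for name in azure_vaults:
        uko.assign_keystore(Keystore(name, "azure-key-vault"), "Retail Banking BU")
    uko.assign_keystore(Keystore("corp-internal-kms", "internal-kms"), "Corporate Banking BU")

    uko.create_key("payments-key", "Retail Banking BU", "AES-256")
    before = uko.can_encrypt("payments-key")          # not activated anywhere yet
    for name in azure_vaults:
        uko.activate("payments-key", name)
    active = uko.can_encrypt("payments-key")

    try:                                              # keystore of another vault
        uko.activate("payments-key", "corp-internal-kms")
        cross_vault_blocked = False
    except ValueError:
        cross_vault_blocked = True

    uko.set_state("payments-key", KeyState.DEACTIVATED)
    synced = {ks.activations["payments-key"].value for ks in uko.keystores.values()
              if "payments-key" in ks.activations}
    return {
        "encrypt_before_activation": before,
        "encrypt_after_activation": active,
        "cross_vault_activation_blocked": cross_vault_blocked,
        "states_after_deactivation": synced,
        "encrypt_after_deactivation": uko.can_encrypt("payments-key"),
        "corporate_admins_can_use_retail_key": uko.is_authorized(
            "corporate-banking-admins", "payments-key"),
    }


if __name__ == "__main__":
    for observation, value in retail_banking_scenario().items():
        print(f"{observation}: {value}")
```

The point of the model is the set of invariants a key administrator relies on: a key that is deactivated once is deactivated in all three Azure Key Vaults at the same time, and a keystore that sits in another business unit's vault can never receive an activation from this vault, regardless of which IAM group requests it.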

What's next