IBM Cloud Docs
Managing EP11 keystores with the UI

Managing EP11 keystores with the UI

Enterprise PKCS #11 (EP11) keystores are used to store EP11 keys. Before you create EP11 keys, you need to create EP11 keystores first. Apart from using the Hyper Protect Crypto Services PKCS #11 API to manage EP11 keystores, you can also use the UI to view, create, and delete EP11 keystores.

EP11 keystores are composed of in-memory keystores and database-backed keystores. The in-memory EP11 keystores are not displayed in the UI. You can manage only database-backed EP11 keystores through the UI. For more information about the keystores, see Introducing keystore.

You can create up to five keystores in a service instance for free, including KMS key rings and EP11 keystores. Each additional key ring or EP11 keystore is charged with a tiered pricing starting at $225 USD per month. For more information about pricing, see the pricing sample.

Before you begin

Before you can manage EP11 keystores with the UI, complete the following steps to open your Hyper Protect Crypto Services dashboard:

  1. Log in to the UI.
  2. Go to Menu > Resource list to view a list of your resources.
  3. From your IBM Cloud resource list, select your provisioned instance of Hyper Protect Crypto Services and click the instance name.

Viewing EP11 keystores

For default service access roles that support viewing EP11 keystores, see service access roles. If you are to create custom roles, make sure to assign the following action to the custom role:

  • hs-crypto.keystore.listkeystoresbyids

For instructions on creating custom roles, see Creating custom roles.

To view a list of created EP11 keystores, on the Hyper Protect Crypto Services dashboard, select the EP11 keystores tab in the side menu.

An EP11 keystore table is displayed with the following details.

Table 1. Describes the EP11 keystores table
Property Description
ID The unique identifier that is assigned when the keystore is created.
Name A human-readable alias for easy identification of your keystore. The keystore name might not be unique. You can assign multiple keystores with the same name. If there is no name associated with the keystore, it means the keystore is created using the PKCS #11 API.
Type The type of the keystore. Possible values are Public and Private. The database-backed EP11 keystores are composed of two types of keystores: public keystores for storing less sensitive EP11 keys that can be accessed by any user types (security officers, normal users, and anonymous users) and private keystores for storing sensitive EP11 keys that can be accessed by normal users only. For more information about keystores, see Introducing keystore.

Creating EP11 keystores

For default service access roles that support creating EP11 keystores, see service access roles. If you are to create custom roles, make sure to assign the following actions to the custom role:

  • hs-crypto.keystore.listkeystoresbyids
  • hs-crypto.keystore.createkeystore

For instructions on creating custom roles, see Creating custom roles.

Complete the following steps to create an EP11 keystore:

  1. Select the EP11 keystores tab in the side menu. You can see a list of existing EP11 keystores with each having a unique ID.

  2. Click Create keystore. In the Create EP11 keystore panel that is displayed, enter the Keystore name and select the Keystore type to be Private or Public.

    The database-backed EP11 keystores are composed of two types of keystores: public keystores for storing less sensitive EP11 keys that can be accessed by any user types (security officers, normal users, and anonymous users) and private keystores for storing sensitive EP11 keys that can be accessed by normal users only. For more information about keystores, see Introducing keystore.

  3. Click Create keystore. You can see the new keystore listed at the first row.

    To copy the keystore ID, click the Actions icon Actions icon and then click Copy ID to clipboard.

Deleting EP11 keystores

For default service access roles that support deleting EP11 keystores, see service access roles. If you are to create custom roles, make sure to assign the following actions to the custom role:

  • hs-crypto.keystore.listkeystoresbyids
  • hs-crypto.keystore.deletekeystore

For instructions on creating custom roles, see Creating custom roles.

If you want to delete an EP11 keystore, complete the following steps:

After you delete a keystore, you are not able to access any EP11 keys that are stored in the keystore. This action cannot be undone.

  1. Select the EP11 keystores tab in the side menu, and find the keystore that you want to delete in the list.
  2. Click the Actions icon Actions icon, and then select Delete keystore.
  3. Verify the ID of the keystore to be deleted, and check the box to confirm the deletion.
  4. Click Delete keystore.

What's next

Start to create an EP11 key through the UI UI or through the PKCS #11 API.