Migrating Hyper Protect Crypto Services (HPCS) to Confidential Computing Container Runtime (CCRT)

IBM Cloud® Hyper Protect Crypto Services is deprecated. As of 28 March 2026, you can't create new instances, and access to free instances will be removed. Existing premium plan instances are supported until 28 March 2027. Any instances that still exist on that date will be deleted.

This topic describes a structured approach for migrating cryptographic workloads, keys, and applications from  IBM Cloud Hyper Protect Crypto Services (HPCS) using CloudHSM to Confidential Computing Container Runtime (CCRT) with IBM Crypto Appliances and GREP11.

This migration topics is intended for security architects, infrastructure engineers, and application owners responsible for HSM-backed key management and cryptographic operations.

Source and Target Architecture Overview

Source: IBM Cloud Hyper Protect Crypto Services (CloudHSM)

Key characteristics
  • Fully managed IBM Cloud service
  • FIPS 1402 Level 4 certified hardware
  • Multitenant service with customer-controlled master key concept (KYOK)
  • Access via:
    • PKCS#11
    • GREP11
    • Enterprise Key Management APIs

Target: Confidential Computing Container Runtime (CCRT) + Crypto Express Network API

Key characteristics
  • Customer-controlled onpremises environment
  • IBM Crypto Appliances (For example, CEX or dedicated Crypto Express hardware)
  • GREP11 server exposes GREP11 interface to workloads
  • CCRT provides secure, isolated virtual servers with:
    • Secure boot
    • Memory encryption
    • Confidential computing guarantees

Migration Strategy

The migration follows a phased approach
  1. Assessment and readiness
  2. Target environment preparation
  3. Cryptographic configuration alignment
  4. Key migration or re-keying
  5. Application migration and validation
  6. Cutover and decommissioning

Phase 1 – Assessment and Readiness

Inventory Cryptographic Assets

Identify and document
  • Key types (AES, RSA, EC, HMAC, wrapping keys)
  • Key sizes and attributes
  • Key usage (encrypt/decrypt, sign/verify, wrap/unwrap)
  • Key lifecycle state (active, suspended, rotation schedule)
  • HPCS access patterns (PKCS#11 vs GREP11)

Application Dependency Analysis

For each application
  • HSM interface used (For example, GREP11, PKCS11)
  • Sessions per second and performance requirements
  • Latency sensitivity
  • Compliance requirements (For example, PCI DSS, GDPR, financial regulations)

Migration Model Decision

Decide per application and key set
  • Key migration (export/import where allowed)
  • Logical migration (re-key and re-encrypt data)

Many HSM deployments or key attributes prohibit raw key export. Hence, wrapping-based migration or re-keying is typically preferred.

Phase 2 – Target Environment Preparation

Deploy IBM Crypto Appliance

To deploy IBM Crypto Appliance, perform the following steps
  1. Install and rack the crypto appliance
  2. Perform initial trusted initialization (TKE or equivalent)
  3. Configure:
    1. Administrative roles
    2. Backup and recovery cards
    3. Audit logging

Deploy CCRT On-Premises

To deploy CCRT, perform the following steps
  1. Install CCRT infrastructure
  2. Configure secure networking between CCRT and crypto appliance
  3. Enable confidential workload support

Enable GREP11 Service

To enable GREP11 service, perform the following steps
  1. Configure GREP11 endpoint on the crypto appliance
  2. Define GREP11 domains and roles
  3. Validate connectivity from CCRT workloads

Phase 3 – Cryptographic Configuration Alignment

Policy Alignment

Ensure consistency between cloud and on-premises environments
  • Key usage policies
  • Rotation requirements
  • Audit and logging rules
  • Access control models

Namespace and Object Mapping

Map
  • HPCS key IDs → GREP11 object labels
  • HPCS IAM roles → GREP11 roles and certificates
  • Tenants / resource groups → GREP11 domains

Phase 4 – Key Migration or ReKeying

Option A: Wrapped Key Migration

If allowed by policy
  1. Create a symmetric or asymmetric wrapping key in both environments
  2. Export keys from HPCS in wrapped form
  3. Import wrapped keys into GREP11
  4. Verify attributes and usage flags

Option B: ReKey and Data ReEncryption (Recommended)

Perform the following steps
  1. Generate new keys in onprem GREP11
  2. Update applications to support dual-key operation
  3. Gradually re-encrypt data with new keys
  4. Retire old HPCS-backed keys

Phase 5 – Application Migration and Validation

Application Configuration Changes

- Update HSM endpoints 
- Update certificates and trust stores 
- Adjust session pooling and retry logic 

Functional Validation

Validate
  • Cryptographic operations
  • Error handling
  • Failover behavior
  • Audit event generation

Performance and Load Testing

- Measure latency and throughput 
- Tune GREP11 connection settings 
- Validate appliance capacity planning

Phase 6 – Cutover and Decommissioning

Cutover Execution

- Freeze key changes in HPCS 
- Switch production traffic to CCRT 
- Monitor logs and metrics closely

Decommission Cloud Resources

- Disable applications’ access to HPCS 
- Destroy or archive cloud keys per compliance policy 
- Retain audit logs for regulatory retention periods 

Security, Compliance, and Operational Considerations

- Maintain separation of duties (admins vs crypto officers) 
- Regularly back up GREP11 keys using secure mechanisms 
- Test disaster recovery procedures 
- Update SOPs and operational runbooks 

Risks and Mitigations

Risks and Mitigations
Risk Mitigation
Non-exportable keys Use re-keying strategy
Performance regression Pre-cutover load testing
Operational errors Dual-control and change management
Compliance gaps Early audit and policy review

Summary

Migrating from IBM Cloud HPCS to CCRT solution with Crypto Appliance and GREP11 provides greater control, data residency assurance, and isolation. A phased migration approach focusing on policy alignment, secure key handling, and thorough validation minimizes risk and ensures continuity of cryptographic operations.