Migrating Hyper Protect Crypto Services (HPCS) to Confidential Computing Container Runtime (CCRT)
IBM Cloud® Hyper Protect Crypto Services is deprecated. As of 28 March 2026, you can't create new instances, and access to free instances will be removed. Existing premium plan instances are supported until 28 March 2027. Any instances that still exist on that date will be deleted.
This topic describes a structured approach for migrating cryptographic workloads, keys, and applications from IBM Cloud Hyper Protect Crypto Services (HPCS) using CloudHSM to Confidential Computing Container Runtime (CCRT) with IBM Crypto Appliances and GREP11.
This migration topics is intended for security architects, infrastructure engineers, and application owners responsible for HSM-backed key management and cryptographic operations.
Source and Target Architecture Overview
Source: IBM Cloud Hyper Protect Crypto Services (CloudHSM)
- Key characteristics
-
- Fully managed IBM Cloud service
- FIPS 1402 Level 4 certified hardware
- Multitenant service with customer-controlled master key concept (KYOK)
- Access via:
- PKCS#11
- GREP11
- Enterprise Key Management APIs
Target: Confidential Computing Container Runtime (CCRT) + Crypto Express Network API
- Key characteristics
-
- Customer-controlled onpremises environment
- IBM Crypto Appliances (For example, CEX or dedicated Crypto Express hardware)
- GREP11 server exposes GREP11 interface to workloads
- CCRT provides secure, isolated virtual servers with:
- Secure boot
- Memory encryption
- Confidential computing guarantees
Migration Strategy
- The migration follows a phased approach
-
- Assessment and readiness
- Target environment preparation
- Cryptographic configuration alignment
- Key migration or re-keying
- Application migration and validation
- Cutover and decommissioning
Phase 1 – Assessment and Readiness
Inventory Cryptographic Assets
- Identify and document
-
- Key types (AES, RSA, EC, HMAC, wrapping keys)
- Key sizes and attributes
- Key usage (encrypt/decrypt, sign/verify, wrap/unwrap)
- Key lifecycle state (active, suspended, rotation schedule)
- HPCS access patterns (PKCS#11 vs GREP11)
Application Dependency Analysis
- For each application
-
- HSM interface used (For example, GREP11, PKCS11)
- Sessions per second and performance requirements
- Latency sensitivity
- Compliance requirements (For example, PCI DSS, GDPR, financial regulations)
Migration Model Decision
- Decide per application and key set
-
- Key migration (export/import where allowed)
- Logical migration (re-key and re-encrypt data)
Many HSM deployments or key attributes prohibit raw key export. Hence, wrapping-based migration or re-keying is typically preferred.
Phase 2 – Target Environment Preparation
Deploy IBM Crypto Appliance
- To deploy IBM Crypto Appliance, perform the following steps
-
- Install and rack the crypto appliance
- Perform initial trusted initialization (TKE or equivalent)
- Configure:
- Administrative roles
- Backup and recovery cards
- Audit logging
Deploy CCRT On-Premises
- To deploy CCRT, perform the following steps
-
- Install CCRT infrastructure
- Configure secure networking between CCRT and crypto appliance
- Enable confidential workload support
Enable GREP11 Service
- To enable GREP11 service, perform the following steps
-
- Configure GREP11 endpoint on the crypto appliance
- Define GREP11 domains and roles
- Validate connectivity from CCRT workloads
Phase 3 – Cryptographic Configuration Alignment
Policy Alignment
- Ensure consistency between cloud and on-premises environments
-
- Key usage policies
- Rotation requirements
- Audit and logging rules
- Access control models
Namespace and Object Mapping
- Map
-
- HPCS key IDs → GREP11 object labels
- HPCS IAM roles → GREP11 roles and certificates
- Tenants / resource groups → GREP11 domains
Phase 4 – Key Migration or ReKeying
Option A: Wrapped Key Migration
- If allowed by policy
-
- Create a symmetric or asymmetric wrapping key in both environments
- Export keys from HPCS in wrapped form
- Import wrapped keys into GREP11
- Verify attributes and usage flags
Option B: ReKey and Data ReEncryption (Recommended)
- Perform the following steps
-
- Generate new keys in onprem GREP11
- Update applications to support dual-key operation
- Gradually re-encrypt data with new keys
- Retire old HPCS-backed keys
Phase 5 – Application Migration and Validation
Application Configuration Changes
- Update HSM endpoints
- Update certificates and trust stores
- Adjust session pooling and retry logic
Functional Validation
- Validate
-
- Cryptographic operations
- Error handling
- Failover behavior
- Audit event generation
Performance and Load Testing
- Measure latency and throughput
- Tune GREP11 connection settings
- Validate appliance capacity planning
Phase 6 – Cutover and Decommissioning
Cutover Execution
- Freeze key changes in HPCS
- Switch production traffic to CCRT
- Monitor logs and metrics closely
Decommission Cloud Resources
- Disable applications’ access to HPCS
- Destroy or archive cloud keys per compliance policy
- Retain audit logs for regulatory retention periods
Security, Compliance, and Operational Considerations
- Maintain separation of duties (admins vs crypto officers)
- Regularly back up GREP11 keys using secure mechanisms
- Test disaster recovery procedures
- Update SOPs and operational runbooks
Risks and Mitigations
| Risk | Mitigation |
|---|---|
| Non-exportable keys | Use re-keying strategy |
| Performance regression | Pre-cutover load testing |
| Operational errors | Dual-control and change management |
| Compliance gaps | Early audit and policy review |
Summary
Migrating from IBM Cloud HPCS to CCRT solution with Crypto Appliance and GREP11 provides greater control, data residency assurance, and isolation. A phased migration approach focusing on policy alignment, secure key handling, and thorough validation minimizes risk and ensures continuity of cryptographic operations.