Overview - Standard Plan

IBM Cloud® Hyper Protect Crypto Services is a dedicated key management service and Hardware Security Module (HSM) that provides you with the Keep Your Own Key capability for cloud data encryption. An HSM is a physical appliance that provides on-demand encryption, key management, and key storage as a managed service. Built on FIPS 140-2 Level 4 certified hardware, Hyper Protect Crypto Services provides you with exclusive control of your encryption keys.

Why IBM Cloud Hyper Protect Crypto Services?

Data security is essential for IT environments. As more data moves to the cloud, keeping that data protected becomes a nontrivial challenge. Built on IBM LinuxONE technology, Hyper Protect Crypto Services helps ensure that only you have access to your keys and data. A single-tenant key management service, backed by dedicated customer-controlled HSMs, helps you create and manage your encryption keys. Alternatively, you can bring your own encryption keys to the cloud. The service uses the same key-provider API as Key Protect, a multi-tenant key management service, to provide a consistent approach to adopting IBM Cloud services.

Hyper Protect Crypto Services is a dedicated HSM that is controlled by you; IBM Cloud administrators have no access. The service is built on FIPS 140-2 Level 4-certified hardware, the highest level offered by any cloud provider in the industry. IBM is the first to provide a cloud command-line interface (CLI) for HSM master key initialization, which helps you take ownership of the cloud HSM. The master key is an encryption key that is used to protect a crypto unit; it provides full control of the hardware security module and ownership of the root of trust that encrypts the chain of keys, including the root key and standard key. You can also load the master key with the IBM Hyper Protect Crypto Services Management Utilities. The Management Utilities create and store your master key parts on smart cards and never expose your secrets to the workstation or the cloud, thus ensuring the highest level of protection for your secrets.

Hyper Protect Crypto Services can integrate with IBM Cloud data and storage services, as well as VMware® vSphere® and vSAN, to provide data-at-rest encryption.

The managed cloud HSM supports industry-standard cryptographic operations through the Public-Key Cryptography Standards (PKCS) #11 API. You don't need to change your existing applications that use the PKCS #11 standard to run them in the Hyper Protect Crypto Services environment. The PKCS #11 library accepts the PKCS #11 API requests from your applications and remotely accesses the cloud HSM to execute the corresponding cryptographic functions, such as digital signing and signature validation.

Enterprise PKCS #11 (EP11) over gRPC (GREP11) is also supported by Hyper Protect Crypto Services. The EP11 library provides an interface similar to the industry-standard PKCS #11 application programming interface (API).

With the built-in encryption of Hyper Protect Crypto Services, you can easily build cloud applications that handle sensitive data. Hyper Protect Crypto Services provides you with complete control of your data and encryption keys, including the master key. The service also helps your business meet regulatory compliance requirements through technology that gives you exclusive control over external and privileged user access to data and keys.

How does Hyper Protect Crypto Services work?

The following items are a few highlights of the Hyper Protect Crypto Services architecture:

  • Applications connect to Hyper Protect Crypto Services through the PKCS #11 API or the GREP11 API.
  • A dedicated keystore in Hyper Protect Crypto Services ensures data isolation and security. Privileged users are locked out to protect against abuse of system administrator or root user credentials.
  • Secure Service Container (SSC) provides the enterprise-level security and impregnability that enterprise customers expect from IBM LinuxONE technology.
  • A FIPS 140-2 Level 4-compliant cloud HSM provides the highest level of physical protection for secrets.

For an architectural diagram of Hyper Protect Crypto Services, see Service architecture, workload isolation, and dependencies.

Key features

Hyper Protect Crypto Services provides both key management and cloud HSM functions:

Key management service

  • Key lifecycle management

    Hyper Protect Crypto Services provides a single-tenant key management service to create, import, rotate, and manage keys with the standardized API. After the encryption keys are deleted, you can be assured that your data is no longer retrievable.

  • Encryption for IBM Cloud data and workload services

    By integrating with other IBM Cloud services, Hyper Protect Crypto Services offers the capability of bringing your own encryption to the cloud. The service provides double-layer protection for your cloud data by wrapping the encryption keys that are associated with your cloud services.

  • Access management and auditing

    Hyper Protect Crypto Services integrates with Cloud Identity and Access Management (IAM) to enable your granular control over user access to service resources. For more information, see Managing user access.

    You can also monitor and audit events and activities of Hyper Protect Crypto Services by using IBM Cloud Activity Tracker. For more information, see Auditing events for Hyper Protect Crypto Services.

Cloud hardware security module

  • Customer-controlled HSM

    With Keep Your Own Key, you can take ownership of the HSM by assigning your own administrators and loading master keys with Hyper Protect Crypto Services. This ensures that you have full control of the entire key hierarchy, with no access even for IBM Cloud administrators.

  • Cryptographic operations

    Hyper Protect Crypto Services supports the standard PKCS #11 API and the Enterprise PKCS #11 over gRPC (GREP11) API for cryptographic operations. The operations include generating keys, encrypting and decrypting data, signing data, and verifying signatures. The cryptographic functions are executed in HSMs and can be accessed through APIs to provide hardware-based protection for your applications.

  • Security certification

    The service is built on FIPS 140-2 Level 4-certified hardware, the highest security level that is offered in the industry. The HSM is also certified to meet the Common Criteria Part 3 conformant EAL 4.

What's next