Regions and locations

You can connect your applications with the IBM Cloud® Hyper Protect Crypto Services by specifying a regional service endpoint.

Available regions

Hyper Protect Crypto Services is available in the following regions and locations:

Dallas, US: us-south
Frankfurt, Germany: eu-de
London, UK: eu-gb - Based on the IBM Cloud Virtual Private Cloud (VPC) infrastructure
Madrid, Spain: eu-es - Based on the IBM Cloud Virtual Private Cloud (VPC) infrastructure
São-Paulo, Brazil: br-sao - Based on the IBM Cloud Virtual Private Cloud (VPC) infrastructure
Sydney, Australia: au-syd - Deprecated
Tokyo, Japan: jp-tok - Based on the IBM Cloud Virtual Private Cloud (VPC) infrastructure
Toronto, Canada: ca-tor - Based on the IBM Cloud Virtual Private Cloud (VPC) infrastructure
Washington DC, US: us-east

You can create Hyper Protect Crypto Services resources in one of the supported IBM Cloud regions, which represent the geographic area where your Hyper Protect Crypto Services requests are handled and processed. To learn more, see Locations, tenancy, and availability.

Currently, service instances in the eu-es region don't support recovery crypto units. When a service instance is provisioned in other supported regions, you are by default enabled with the option to back up your master keys in the recovery crypto units located in the disaster recovery region. For more information, see Introducing service instance initialization modes.

Connectivity options

Hyper Protect Crypto Services offers two connectivity options for interacting with the service APIs.

Public endpoints: By default, you can connect to resources in your account over the IBM Cloud public network. Your data is encrypted in transit by using the Transport Security Layer (TLS) 1.2 protocol.
Private endpoints: For added benefits, you can also enable virtual routing and forwarding (VRF) and service endpoints for your infrastructure account. When you enable VRF for your account, you can connect to Hyper Protect Crypto Services by using a private IP that is accessible only through the IBM Cloud private network.; To learn how to connect to Hyper Protect Crypto Services by using a private endpoint, see Connecting to Hyper Protect Crypto Services on the IBM Cloud private network.

Service endpoints

If you are managing your Hyper Protect Crypto Services resources programmatically, see the following table to determine the API endpoints to use when you connect to the key management service API, Unified Key Orchestrator, PKCS #11 API, and GREP11 API.

Table 1. Lists public endpoints for interacting with Hyper Protect Crypto Services APIs over IBM Cloud's public network
Region	Public key management service endpoints	Public Unified Key Orchestrator service endpoints	Public GREP11 service endpoints
Dallas	`api.us-south.hs-crypto.cloud.ibm.com`	`uko.us-south.hs-crypto.cloud.ibm.com`	`ep11.us-south.hs-crypto.cloud.ibm.com`
Frankfurt	`api.eu-de.hs-crypto.cloud.ibm.com`	`uko.eu-de.hs-crypto.cloud.ibm.com`	`ep11.eu-de.hs-crypto.cloud.ibm.com`
London	`api.eu-gb.hs-crypto.cloud.ibm.com`	`uko.eu-gb.hs-crypto.cloud.ibm.com`	`ep11.eu-gb.hs-crypto.cloud.ibm.com`
Madrid	`api.eu-es.hs-crypto.cloud.ibm.com`	`uko.eu-es.hs-crypto.cloud.ibm.com`	`ep11.eu-es.hs-crypto.cloud.ibm.com`
São-Paulo	`api.br-sao.hs-crypto.cloud.ibm.com`	`uko.br-sao.hs-crypto.cloud.ibm.com`	`ep11.br-sao.hs-crypto.cloud.ibm.com`
Sydney - Deprecated	`api.au-syd.hs-crypto.cloud.ibm.com`	`uko.au-syd.hs-crypto.cloud.ibm.com`	`ep11.au-syd.hs-crypto.cloud.ibm.com`
Tokyo	`api.jp-tok.hs-crypto.cloud.ibm.com`	`uko.jp-tok.hs-crypto.cloud.ibm.com`	`ep11.jp-tok.hs-crypto.cloud.ibm.com`
Toronto	`api.ca-tor.hs-crypto.cloud.ibm.com`	`uko.ca-tor.hs-crypto.cloud.ibm.com`	`ep11.ca-tor.hs-crypto.cloud.ibm.com`
Washington DC	`api.us-east.hs-crypto.cloud.ibm.com`	`uko.us-east.hs-crypto.cloud.ibm.com`	`ep11.us-east.hs-crypto.cloud.ibm.com`

Table 2. Lists private endpoints for interacting with Hyper Protect Crypto Services APIs over IBM Cloud's private network
Region	Private key management service endpoints	Private GREP11 service endpoints
Dallas	`api.private.us-south.hs-crypto.cloud.ibm.com`	`ep11.private.us-south.hs-crypto.cloud.ibm.com`
Frankfurt	`api.private.eu-de.hs-crypto.cloud.ibm.com`	`ep11.private.eu-de.hs-crypto.cloud.ibm.com`
London	`api.private.eu-gb.hs-crypto.cloud.ibm.com`	`ep11.private.eu-gb.hs-crypto.cloud.ibm.com`
Madrid	`api.private.eu-es.hs-crypto.cloud.ibm.com`	`ep11.private.eu-es.hs-crypto.cloud.ibm.com`
São-Paulo	`api.private.br-sao.hs-crypto.cloud.ibm.com`	`ep11.private.br-sao.hs-crypto.cloud.ibm.com`
Sydney - Deprecated	`api.private.au-syd.hs-crypto.cloud.ibm.com`	`ep11.private.au-syd.hs-crypto.cloud.ibm.com`
Tokyo	`api.private.jp-tok.hs-crypto.cloud.ibm.com`	`ep11.private.jp-tok.hs-crypto.cloud.ibm.com`
Toronto	`api.private.ca-tor.hs-crypto.cloud.ibm.com`	`ep11.private.ca-tor.hs-crypto.cloud.ibm.com`
Washington DC	`api.private.us-east.hs-crypto.cloud.ibm.com`	`ep11.private.us-east.hs-crypto.cloud.ibm.com`

New endpoints

If you create instances after the corresponding availability date in the following regions, you need to use the listed new API endpoints.

Table 3. New public endpoints for supported regions
Region	Availability date	Public key management service endpoints	Public Unified Key Orchestrator service endpoints	Public GREP11 service endpoints
Washington DC	April 12, 2024	`<INSTANCE_ID>.api.us-east.hs-crypto.appdomain.cloud`	`<INSTANCE_ID>.uko.us-east.hs-crypto.appdomain.cloud`	`<INSTANCE_ID>.ep11.us-east.hs-crypto.appdomain.cloud`

Table 4. New private endpoints for supported regions
Region	Availability date	Public key management service endpoints	Public GREP11 service endpoints
Washington DC	April 12, 2024	`<INSTANCE_ID>.api.private.us-east.hs-crypto.appdomain.cloud`	`<INSTANCE_ID>.ep11.private.us-east.hs-crypto.appdomain.cloud`

For more information about authenticating with Hyper Protect Crypto Services, see the following topics: