Restoring your data from another region
If a regional disaster that affects all available zones occurs, you're notified through the IBM Cloud status web page and an email. In this case, depending on your pricing plan, whether you enable failover crypto units, and your requirements for recovery time, you can restore your data with different options.
Restoring your data by using failover crypto units
If you are using the standard plan, and create your instance in Dallas (us-south
) or Washington DC (us-east
) and you enable failover crypto units, your data is restored automatically to reduce the downtime and data
loss. In this case, you switch to use the failover crypto units in another region to manage your keys and perform cryptographic operations. The failover crypto units contain a backup of all the encryption keys and other resources in the operational
crypto units.
At the same time, IBM repairs your service instance in the original region. If new operational crypto units are required to complete the repair, you will be notified by IBM and you need to load the master key to the new operational crypto units by using recovery crypto units or master key parts. After your original service instance is recovered, IBM automatically redirects traffic back to the original region.
To use failover crypto units to restore data in a regional disaster, make sure that you initialize and configure all the failover crypto units the same as the operational crypto units before the disaster happens. For more information about initialization approaches, see Introducing service instance initialization approaches.
Restoring your data by opening an IBM support ticket
If you don't enable failover crypto units or you are using Hyper Protect Crypto Services with Unified Key Orchestrator, you need to open an IBM support ticket to restore your data. IBM can then provision a new service instance for you in another region by using the same instance ID, and restore all the key resources from the backup. And then, you need to load your master keyAn encryption key that is used to protect a crypto unit. The master key provides full control of the hardware security module and ownership of the root of trust that encrypts the chain keys, including the root key and standard key. to the new service instance in the new region.
In the process, you're the only person who owns the master key. IBM administrators or any third-party users cannot access your data or keys in the backup or the restored service instance.
To restore a backup to an existing service instance, follow these steps:
-
In the UI, click the Help icon > Support center from the UI menu barto enter the Support Center. Click View all in the Recent support cases panel and click Create new case. Or, you can directly go to the Manage cases page and click Create new case.
-
On the Create a case page displayed, select the offering Hyper Protect Crypto Services, and then specify the following values:
Table 1. Describes the fields required for creating a case Field name Action Subject Enter Disaster recovery. Description Enter your service instance ID and the region that your service instance resides in. Selected resources Optional. Select your Hyper Protect Crypto Services service instance. -
Check the Email me updates about this issue box, and click Continue to review > Create case.
When the restore completes successfully, you will get an email notification, which includes the new region information that your service instance resides in. Alternatively, you can check the state by clicking Support. For more information about IBM Support, see Support Center.
-
After you open the ticket, IBM provisions new crypto units for you in another region by using the same instance ID, and restores all the key resources from the backup. And then, you need to load your master key to the new service instance in the new region. Depending on how you store your master key parts, you can follow the instructions in Initializing service instances with the IBM Cloud TKE CLI plug-in or Initializing service instances using smart cards and the Management Utilities.
Make sure to load the same master key to the service instance in the new region so that your key resources can still be accessed.
What's next
- Go to the Manage tab of your instance dashboard to manage root keys and standard keys. To find out more about programmatically managing your keys, check out the Hyper Protect Crypto Services key management service API reference doc.
- To find out more about encrypting your data by using the cloud HSM function of Hyper Protect Crypto Services, check out the PKCS #11 API reference and GREP11 API reference doc.
- Use Hyper Protect Crypto Services as the root key provider for other IBM Cloud services. For more information about integrating Hyper Protect Crypto Services, check out Integrating services.