Using Hyper Protect Crypto Services with Unified Key Orchestrator to manage keys in Key Protect on Satellite
IBM Cloud Satellite provides you with the flexibility and scalability to bring your own infrastructure to IBM Cloud. You can run IBM Cloud services anywhere, including in your on-prem data centers and at other cloud providers. With IBM Cloud Satellite, you can connect multiple environments to implement distributed cloud solutions that support your enterprise hybrid cloud transformation. Key Protect on Satellite allows you to fully control your encryption keys by using your on-prem hardware security module (HSM). Hyper Protect Crypto Services with Unified Key Orchestrator enables you to manage keys in various key management systems, including Key Protect on Satellite, from a single pane of glass.
In this topic, references to Unified Key Orchestrator refer to the Hyper Protect Crypto Services with Unified Key Orchestrator service.
Objectives
This tutorial shows how you can keep complete and exclusive control of your encryption keys by deploying Key Protect in a Satellite location and how you can manage your distributed keys with a unified view by connecting Unified Key Orchestrator to Key Protect on Satellite.
The following diagram illustrates the architecture:
Before you begin
To complete this tutorial, you need to meet the following prerequisites:
Currently, Key Protect supports user-owned on-prem Satellite locations associated with the IBM Cloud us-east region only. In this tutorial, to reduce network latency, we also create the other IBM Cloud services that are needed in the us-east region.
- Read through About Key Protect on Satellite to understand the products and restrictions.
- Create an on-prem Satellite location in us-east.
- Create an IBM Cloud Database for PostgreSQL instance in us-east and deploy it in your Satellite location.
- Set up two on-prem HSMs to work with Key Protect and gather the information needed for Key Protect on Satellite.
- Create an IBM Cloud Activity Tracker instance in us-east for activity logging. You also need to pass the ingestion key to Key Protect during the deployment.
- Create a Hyper Protect Crypto Services with Unified Key Orchestrator instance in us-east and initialize the service instance.
Task flow
To complete this solution, let's walk through the following steps:
- Deploy Key Protect on Satellite.
- Connect Unified Key Orchestrator to Key Protect on Satellite.
- Manage Key Protect keys through Unified Key Orchestrator.
Let's start with the deployment of Key Protect on Satellite.
Deploy Key Protect on Satellite
Deploy Key Protect on Satellite by following the deployment instructions.
Connect Unified Key Orchestrator to Key Protect on Satellite
After you deploy Key Protect on Satellite, you can now connect Unified Key Orchestrator to Key Protect to have a unified key management experience.
- Click Keystores from the navigation and click Add keystore.
- Under Vault, select a vault for the keystore for access control, and click Next. If you want to assign the keystore to a new vault, click Create vault. For more instructions, see Creating vaults.
- Under Keystore type, select Key Protect and click Next.
- Under Keystore properties, specify the details:
  Table 1. Keystore properties
  - Keystore name: A unique, human-readable name for easy identification of your keystore, 1–100 characters in length. The first character must be a letter (case-sensitive) or digit (0–9). The rest can also be symbols (.-_) or spaces. For example, kp-satellite-tiger.
  - Description (Optional): An extended description for your keystore, up to 200 characters in length. For example, KP on satellite for project Tiger DB encryption.
  - Key Protect API endpoint: The service endpoint of your Key Protect on Satellite, in the format https://<your-satellite-location>.kms.cloud.ibm.com. For more information, see Obtaining the Key Protect endpoint.
  - IBM Cloud Identity and Access Management endpoint: The endpoint of IAM, which is https://iam.cloud.ibm.com.
  - Service instance ID on IBM Cloud: The unique identifier that is assigned to your Key Protect service instance. For more information, see Retrieving your instance ID and cloud resource name.
  - Service ID API key: A unique code that is passed to an API to identify the calling application. For more information, see Managing service ID API keys.
- Optionally, click Test connection to test the connection to the external keystore that you configured. When completed, click Next to continue.
  Test connection is an optional step. You can complete the subsequent steps even if the test fails. If the connection fails, check and adjust the connection properties.
- Under Summary, view the summary of your Key Protect instance and the total estimated cost.
- After you confirm the keystore details, click Connect to keystore to connect to the keystore.
Manage Key Protect keys through Unified Key Orchestrator
Now you can use Unified Key Orchestrator to create and activate keys for Key Protect on Satellite to use. With the Keep Your Own Key (KYOK) feature, these keys are protected by a master key within the FIPS 140-2 Level 4 HSM boundary, with technical assurance that IBM cannot access your keys.
- Click Managed keys from the navigation and click Create key.
- Under Vault, select a vault for the key for access control, and click Next. If you want to assign the key to a new vault, click Create vault. For more instructions, see Creating vaults.
- Under General, select IBM Key Protect and click Next.
- Under Key properties, specify the following details of the key. Click Next to continue when you are done.
  Table 2. Key properties
  - Key name: A unique, human-readable name for easy identification of your key. For Key Protect keys, it must be 2–50 characters in length. The characters can be letters (case-sensitive), digits (0–9), or spaces. For example, kp satellite tiger key.
  - Description (Optional): An extended description for your key, up to 200 characters in length. For example, KP on satellite keys for project Tiger DB encryption.
  - Algorithm: The encryption algorithm that the key uses to encrypt data. For example, AES.
  - Length: The number of bits that represents the encryption strength of the key. For example, 256.
  - State: Pre-active keys are not activated in keystores until you manually activate them. Active keys are automatically activated in the keystores. Select Active for installation to Key Protect on Satellite. For more information about key states, see Monitoring the lifecycle of encryption keys in Unified Key Orchestrator.
  - Activation date: Plan a date to activate the Pre-active key. It is for planning purposes only. For this tutorial, you don't need to specify this property because the Active state was selected previously; the key is activated immediately upon its creation.
  - Expiration date: Plan a date to deactivate the key. It is for planning purposes only.
  - Key tags (Optional): Add pairs of names and values to identify your key. For example, project: tiger.
- Under Keystores, select the Key Protect on Satellite keystore that you created earlier.
- Under Summary, view the summary of your key, and then click Create key to confirm.
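As an added example (not part of this tutorial or IBM's own code), the following Python script checks keystore and key definitions against the Table 1 and Table 2 rules offline before you automate the onboarding, and offers a live check equivalent to Test connection: it exchanges the service ID API key for an IAM token and lists keys on the instance through the Key Protect API endpoint. The helper names, the sample Satellite location, the instance ID and the API key are constructed placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

IAM_ENDPOINT = "https://iam.cloud.ibm.com"
# Key Protect on Satellite endpoints follow https://<your-satellite-location>.kms.cloud.ibm.com
ENDPOINT_RE = re.compile(r"^https://[a-z0-9][a-z0-9-]*\.kms\.cloud\.ibm\.com$")
KEYSTORE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}$")  # Table 1 rule
KEY_NAME_RE = re.compile(r"^[A-Za-z0-9 ]{2,50}$")                     # Table 2 rule

SAMPLE_KEYSTORE = {  # constructed sample; location, instance ID and API key are placeholders
    "name": "kp-satellite-tiger", "description": "KP on satellite for project Tiger DB encryption.",
    "endpoint": "https://my-satellite-location.kms.cloud.ibm.com", "iam_endpoint": IAM_ENDPOINT,
    "instance_id": "00000000-0000-0000-0000-000000000000", "api_key": "REPLACE_WITH_SERVICE_ID_API_KEY"}


def validate_keystore(props: dict) -> list:
    """Return the Table 1 violations in a keystore definition (empty list means OK)."""
    problems = []
    if not KEYSTORE_NAME_RE.fullmatch(props.get("name", "")):
        problems.append("name: 1-100 chars, first a letter/digit; rest may add . - _ or space")
    if len(props.get("description", "")) > 200:
        problems.append("description: at most 200 characters")
    if not ENDPOINT_RE.fullmatch(props.get("endpoint", "")):
        problems.append("endpoint: expected https://<satellite-location>.kms.cloud.ibm.com")
    if props.get("iam_endpoint") != IAM_ENDPOINT:
        problems.append(f"iam_endpoint: must be {IAM_ENDPOINT}")
    problems += [f"{k}: required" for k in ("instance_id", "api_key") if not props.get(k)]
    return problems


def validate_key_name(name: str) -> bool:
    """Table 2 rule for Key Protect keys: 2-50 letters, digits or spaces only."""
    return KEY_NAME_RE.fullmatch(name) is not None


def check_connection(props: dict, timeout: int = 10) -> int:
    """Live equivalent of Test connection (needs network): trade the service ID API key for an
    IAM token, then list keys on the instance. Returns the key count; HTTPError means a bad value."""
    form = urllib.parse.urlencode({"grant_type": "urn:ibm:params:oauth:grant-type:apikey",
                                   "apikey": props["api_key"]}).encode()
    with urllib.request.urlopen(f"{props['iam_endpoint']}/identity/token", form, timeout=timeout) as r:
        token = json.load(r)["access_token"]
    req = urllib.request.Request(f"{props['endpoint']}/api/v2/keys", headers={
        "Authorization": f"Bearer {token}",
        "Bluemix-Instance": props["instance_id"],  # scopes the call to this Key Protect instance
        "Accept": "application/vnd.ibm.kms.key+json"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return json.load(r)["metadata"]["collectionTotal"]
```

Run `validate_keystore` on your definition first; only when it returns an empty list is `check_connection` worth calling, because a malformed endpoint or instance ID fails at the HTTP layer with less useful feedback.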
Next steps
Now your Key Protect instance is running in an on-prem Satellite location where encryption keys are protected by your local HSMs. You have exclusive control of your keys and can orchestrate these keys across multiple clouds with Unified Key Orchestrator.
- To learn more about Unified Key Orchestrator, see Overview - Hyper Protect Crypto Services with Unified Key Orchestrator.
- To learn more about the Unified Key Orchestrator API, see the Unified Key Orchestrator API reference.