Release notes for Hyper Protect Crypto Services

BYOHSM extends your local key management capability to the cloud and creates a scalable, unified, and secure hybrid cloud ecosystem for your regulated workloads. By connecting your own HSMs to your Hyper Protect Crypto Services instance, you have complete physical control over your keys to meet the data sovereignty regulations.

The following topics can help you get started with the BYOHSM function:

• Introducing Bring Your Own HSM
• Managing your keys with BYOHSM in IBM Cloud Hyper Protect Crypto Services
• Setting up BYOHSM
• Provisioning an instance with BYOHSM

Hyper Protect Crypto Services and Hyper Protect Virtual Servers for Classic will be deprecated from the IBM Cloud data center in Sydney. New instances of Hyper Protect Services can no longer be deployed in the IBM Cloud data center in Sydney after 30 November 2023, and existing Hyper Protect services and support in the IBM Cloud data center in Sydney will be decommissioned and discontinued on 31 March 2024.

This announcement does not impact any other services running in the IBM Cloud data center in Sydney, or any other Hyper Protect Services, including support, running in any other data centers where Hyper Protect is supported.

Review the following details for this deprecation:

• Effective 30 November 2023, no new instances of Hyper Protect Crypto Services or Hyper Protect Virtual Servers for Classic can be provisioned in Sydney.
• Effective 31 March 2024, Hyper Protect Crypto Services and Hyper Protect Virtual Servers for Classic will no longer be supported, and the services will be decommissioned from the IBM Cloud data center in Sydney. It is recommended that all instances and data be migrated to an IBM Cloud VPC data center.
• Any Hyper Protect Services instances and data still present in the IBM Cloud data center in Sydney will be stopped and terminated on this date. The data center infrastructure will be decommissioned and data and services no longer available. To avoid the risk of data loss, ensure a backup or transfer of any required data is taken before the service is decommissioned on 31 March 2024.

For existing customers, migration to an IBM Cloud VPC data center is recommended:

• To continue using Hyper Protect Crypto Services, it is recommended to migrate to an IBM Cloud VPC data center. The recommended region for migration within APAC is Tokyo.
• For Hyper Protect Virtual Servers for Classic instances, it is recommended to migrate to an IBM Cloud VPC data center, as well as deploy the latest version of the service, Hyper Protect Virtual Servers for VPC (Hyper Protect Virtual Servers for Classic is not available in IBM Cloud VPC data centers). The recommended region for migration within APAC is Tokyo.
• To migrate to an IBM Cloud VPC Data center, support from IBM Team will be available. Contact your local sales representative or send an email to zaas.client.acceleration@ibm.com for more information.

The following table lists the supported IBM Cloud VPC data centers for Hyper Protect Crypto Services and Hyper Protect Virtual Servers for Classic:

Table 1. Supported IBM Cloud VPC data centers

Data center	Hyper Protect Crypto Services	Hyper Protect Virtual Servers for Classic
Tokyo (Recommended region within APAC) jp-tok
São-Paulo br-sao
London eu-gb
Toronto ca-tor
Madrid eu-es
Washington DC us-east	N/A

You are now able to create key templates which specify the properties of the managed keys to be created. After you create the key template, you can then create a group of managed keys with the same key properties that are defined in the key template.

The following topics can help you get started with key templates:

• Creating key templates
• Viewing a list of key templates
• Editing key template details
• Archiving and unarchiving key templates
• Deleting key templates
• Realigning keys with key templates

The pricing plan has been updated for Unified Key Orchestrator. You can find more details on the service catalog page.

For a detailed pricing sample, see How am I charged for my use of Hyper Protect Crypto Services with Unified Key Orchestrator?.

You are now able to rotate master keys when you are using the Unified Key Orchestrator service plan or your service instance that has EP11 keystores enabled in all supported regions. Previously, it was only available in Frankfurt, Germany.

For a list of supported regions, see Regions and locations. For more information about how master key rotation works, see Master key rotation introduction.

The Hyper Protect Crypto Services key management service API is updated to version 22.11. The following functions are added:

• List Keys with sorting to include lastRotateDate sorting.
• List Keys with advanced filtering to including lastRotateDate filtering.
• Create key with policy overrides to enable users with Manager role to create keys with policies in a single call, overriding instance level policies.
• Disable a key rotation policy to allow an automatic key rotation policy to be paused temporarily.

Find the latest event names and mapping in Historical information regarding events.

To manage your master keys by using smart cards, you can now install the smart card reader driver Identiv SPR332 V2 on Red Hat Enterprise Linux 9.0 and Ubuntu 22.04.1 LTS besides the already supported Red Hat Enterprise Linux 8.0 operating system. For more detailed steps, see Installing the smart card reader driver.

You can also find the latest Management Utilities installation files in Github.

You can now manage your keys by using the Unified Key Orchestrator API with the Go software development kit (SDK) enabled. For more code examples in Go, see Unified Key Orchestrator API reference.

With the Terraform support for Unified Key Orchestrator, you can now automate actions, such as managing vaults, keystores, key templates, and keys, by using Terraform. For more information, see Setting up Terraform for Hyper Protect Crypto Services with Unified Key Orchestrator.

The pricing model of the Hyper Protect Crypto Services standard plan is now changed from monthly billing to hourly billing with each crypto unit charged $2.13 USD per hour.

The first five keystores, including KMS key rings and EP11 keystores, are free of charge. Each additional key ring or EP11 keystore is charged with a tiered pricing starting at $225 USD per month. For keystores that are created or connected less than a month, the cost is prorated based on actual days within the month.

For more information, see the pricing plan. A billing example is also available for your reference.

To order smart cards and smart card readers, you can now email IBM at zcat@ibm.com@ibm.com and provide necessary information. For detailed steps, see Setting up smart cards and the Management Utilities.

Unified Key Orchestrator is a public cloud control plane for multicloud and hybrid cloud key orchestration. As part of the IBM Cloud® Hyper Protect Crypto Services, it provides key lifecycle management according to NIST recommendations and secure transfer of keys to internal keystores in the service instance or external keystores.

With Unified Key Orchestrator, you can connect your service instance to keystores in IBM Cloud and third-party cloud providers, back up and manage keys by using a unified system, and orchestrate keys across multiple clouds.

The following topics can help you get started with Unified Key Orchestrator:

• Introducing Unified Key Orchestrator
• FAQs: Hyper Protect Crypto Services with Unified Key Orchestrator
• Getting started with Hyper Protect Crypto Services
• Monitoring the lifecycle of encryption keys in Unified Key Orchestrator
• Creating vaults
• Creating internal keystores
• Connecting to external keystores
• Creating and installing managed keys

Unified Key Orchestrator is a public cloud control plane for multicloud and hybrid cloud key orchestration. As part of the IBM Cloud® Hyper Protect Crypto Services, it provides key lifecycle management according to NIST recommendations and secure transfer of keys to internal keystores in the service instance or external keystores.

With Unified Key Orchestrator, you can connect your service instance to keystores in IBM Cloud and third-party cloud providers, back up and manage keys by using a unified system, and orchestrate keys across multiple clouds.

The following topics can help you get started with Unified Key Orchestrator:

• Introducing Unified Key Orchestrator
• FAQs: Hyper Protect Crypto Services with Unified Key Orchestrator
• Getting started with Hyper Protect Crypto Services
• Monitoring the lifecycle of encryption keys in Unified Key Orchestrator
• Creating vaults
• Creating internal keystores
• Connecting to external keystores
• Creating and installing managed keys

1. Purge a deleted key: By default, a deleted key becomes purged automatically after 90 days of the deletion. Now you can manually purge a key to permanently remove the key from your instance before 90 days. After a key is deleted, there is a wait period of up to 4 hours before you can perform the action. Make sure that you are assigned the KMS Key Purge role before you purge a key. For more information, see Purging keys manually.
2. Update the key ring of a key: After you create a key, you can move the key to a different key ring. For more information, see Transferring a key to a different key ring.

Besides rotating your master key using key part files and using recovery crypto units, you can now also rotate the master key if you are using smart cards and the Management Utilities.

For detailed instructions, see Rotating master keys by using smart cards and the Management Utilities. For more information about how master key rotation works, see Rotating master keys by using key part files.

Now you can restore keys that were deleted within 30 days without providing any key materials. All root keys and standard keys, whether generated by Hyper Protect Crypto Services or imported by you, can be restored. For more information, see Restoring keys.

You can now group the keys in your Hyper Protect Crypto Services instance by creating a key ring. In this case, you can manage keys and control access at the key ring level. For how to use key rings, see Managing key rings.

Besides using smart cards and the Hyper Protect Crypto Services Management Utilities and using key part files, you can now also initialize your service instance by using recover crypto units in the Dallas (us-south) and Washington DC (us-east) regions.

When you provision a service instance in either of the Dallas or Washington DC region, two recovery units are automatically assigned without extra costs. A random master key value is automatically generated in a recovery crypto unit and copied to the other crypto units for the service instance. The master key value never appears in the clear outside of the HSMs.

For more information about the differences between the service instance initialization approaches, see Introducing service instance initialization approaches.

For detailed instructions, see Initializing service instances with recovery crypto units.

To rotate your master key, see Rotating master keys by using recovery crypto units.

Apart from using the PKCS #11 API to manage Enterprise PKCS #11 (EP11) keystores and keys, you can now use the UI to view, create, and delete EP11 keystores and keys. For more information, see Managing EP11 keystores with the UI and Managing EP11 keys with the UI.

Key aliases are unique human-readable names that can be used to identify a key. You can now create up to five aliases for a key for easy recognition. For how to use key aliases, see Managing key aliases.

When the state of a root key changes, the protected resources that are associated with the root key are notified of the key lifecycle event and are encouraged to respond accordingly. In the case where the resources do not respond to the key lifecycle notification, you can now manually initiate a renotification to those associated cloud services. For more information, see Synchronizing associated resources.

You can now create virtual private endpoints (VPEs) for your IBM Cloud Virtual Private Cloud (VPC) instance to access Hyper Protect Crypto Services within your VPC network. For more information, see Using a virtual private endpoint for VPC.

The cryptography algorithm to generate signature keys is updated from Rivest-Shamir–Adleman 2048 (RSA 2048) to P521 Elliptic Curve (P521 EC). The cryptographic strength of P521 EC keys is equivalent to RSA 15360, which means the updated signature keys can provide the higher level of security comparing to the previous signature keys. The previous RSA 2048 signature keys are still valid and can be used.

To ensure that no tampering has occurred to the keys that are stored in the Hyper Protect Crypto Services instance by using the PKCS #11 API, a key verification mechanism is now provided for you to check the key objects that are stored in Hyper Protect Crypto Services. For instructions on how to verify key objects, see Verifying that keys are protected by crypto units.

For an example of how to retrieve checksum values for AES, DES2, and DES3 keys along with the verification of the key checksums, see the code sample.

Hyper Protect Crypto Services now supports the Schnorr algorithm, which can be used as a signing scheme to generate digital signatures. It is proposed as an alternative algorithm to the Elliptic Curve Digital Signature Algorithm (ECDSA) for cryptographic signatures in the Bitcoin system. Before you can use the Schnorr algorithm, make sure to enable this feature by following the instructions in Enabling the Schnorr algorithm.

After you set up your Hyper Protect Crypto Services instance, you can enable and update the key create and import access policy to control actions permissions for root keys and standard keys. For more information, see Managing the key create and import access policy.

To achieve increased security, you can now limit the network access to your service instance to the private-only network. You can either choose the allowed network when you provision the service instance or update the network access policy after you set up the instance.

Before you update the network access policy, you need to initialize the service instance first. See Initializing service instances with the IBM Cloud TKE CLI plug-in or Initializing service instances by using smart cards and the Management Utilities for instructions.

The GREP11 API now supports the ReencryptSingle function, which enables you to decrypt data with the original key and then encrypt the raw data with a different key in a single call within the cloud HSM. This single call is a viable option where a large amount of data needs to be reencrypted with different keys, and bypasses the need to perform a combination of DecryptSingle and EncryptSingle functions for each data item that needs to be reencrypted. For more information, see GREP11 API reference - ReencryptSingle function.

You can now connect your IBM Cloud Virtual Private Cloud (VPC) instance to your Hyper Protect Crypto Services instance through a virtual private endpoint (VPE) gateway, so that you can manage your keys by using Hyper Protect Crypto Services through a private network. For more information, see Using virtual private endpoints for VPC to privately connect to Hyper Protect Crypto Services.

Hyper Protect Crypto Services now supports the SLIP10 mechanism for hierarchical deterministic wallets to derive private and public key pairs. It now also supports the Edwards-curve (ED) 25519 algorithm for digital signatures. Before you can use the ED algorithm, make sure to enable this feature by following the instructions in Enabling Edwards-curve Digital Signature Algorithm.

Terraform is an open source software to configure and automate cloud resource provisioning and management. Now you can provision and initialize Hyper Protect Crypto Services instances, as well as managing root keys and standard keys with the Terraform CLI and the IBM Cloud Provider plug-in. For more information, see Managing key management service resources with Terraform and the sample Terraform template for Hyper Protect Crypto Services.

The Hyper Protect Crypto Services key management service API is updated with the following changes:

• Updated: The API methods for the following key actions are now transferred to individual request paths. The generic path format (except the action of restoring a key) is /api/v2/keys/<key_ID>/actions/<action> where key_ID is the UUID of the key and action is the action name that you want to execute.

  • Wrap a key.
  • Unwrap a key.
  • Rewrap a key.
  • Rotate a key.
  • Authorize deletion for a key with a dual authorization policy.
  • Remove an authorization for a key with a dual authorization policy.
  • Enable operations for a key.
  • Disable operations for a key.
  • Restore a key.

• Updated: You can now use the following two methods to manage the allowed network policy and the key create and import access policy:

  • Set instance policies.
  • List instance policies.

• Deprecated: Invoke an action on a key.

  This method is originally used for performing actions on a key, such as wrap, unwrap, and rotate. It is now replaced with individual request path for each action.

For more information about the API updates, see Hyper Protect Crypto Services key management service API reference.

You can now rotate your master key on demand by using the IBM Cloud® Trusted Key Entry CLI plug-in so as to meet industry standards and cryptographic best practices. For more information about how it works, see Master key rotation introduction.

For the detailed instructions, see Rotating master keys.

Hyper Protect Crypto Services now supports performing cryptographic operations with the standard Public-Key Cryptography Standards (PKCS) #11 API.

With the support of PKCS #11 API, you don not need to change your existing applications that use PKCS #11 standard to make it run in the Hyper Protect Crypto Services cloud HSM environment. The PKCS #11 library accepts the PKCS #11 API requests from your applications and remotely accesses the cloud HSM to execute the corresponding cryptographic functions.

For more information about the PKCS #11 API use cases, see Using Hyper Protect Crypto Services as PKCS #11 HSMs.

To learn more about the PKCS #11 API, see Introducing PKCS #11 and PKCS #11 API reference.

If you have Writer or Manager access permissions, you can now create import tokens to enable added security for encryption keys that you upload to Hyper Protect Crypto Services.

To find out more about your options for importing keys, check out Creating import tokens. For a guided tutorial, see Tutorial: Creating and importing encryption keys.

Hyper Protect Crypto Services, built on FIPS 140-2 Level 4-compliant HSM, now supports the same level of key management functions as Key Protect. The added functions are as follows:

• Policy-based key rotation.
• Viewing root key versions.
• Disabling and enabling root keys.
• Dual authorization policies for Hyper Protect Crypto Services instances and keys.
• Viewing details about an encryption key.
• Viewing associations between root keys and IBM Cloud resources.
• Restoring a deleted key.

You can now create Hyper Protect Crypto Services resources in the Washington DC (US East) region. For more information, see Regions and locations.

Both the IBM Cloud Trusted Key Entry (TKE) command-line interface (CLI) plug-in and the Hyper Protect Crypto Services Management Utilities now support quorum authentication.

Quorum authentication is the way to approve an operation by a set number of crypto unit administrators. Some sensitive operations require a sufficient number of crypto unit administrators to enter their credentials. Setting the signature thresholds to a value greater than one enables quorum authentication.

For more information about how to initialize a service instance by using the TKE CLI and enable quorum authentication, see Initializing service instances with the IBM Cloud TKE CLI plug-in.

For more information about how to initialize a service instance by using the Management Utilities and enable quorum authentication, see Setting up smart cards and the Management Utilities and Initializing service instances by using smart cards and the Management Utilities.

You can now connect to Hyper Protect Crypto Services over the IBM Cloud private network by targeting a private endpoint for the Enterprise PKCS #11 service.

To get started, enable virtual routing and forwarding (VRF) and service endpoints for your infrastructure account. For more information, see Using private endpoints.

Hyper Protect Crypto Services now supports loading master key parts and signature keys from smart cards for service instance initialization. It ensures the highest level of protection for master key parts and signature keys.

The Management Utilities are two applications that use smart cards to configure service instances. The Smart Card Utility Program sets up and manages the smart cards used. The Trusted Key Entry (TKE) application uses those smart cards to configure service instances. To use the Management Utilities, you need to order IBM-supported smart cards and smart card readers.

For more information, see Understanding the Management Utilities and Initializing service instances by using smart cards and the Management Utilities.

Hyper Protect Crypto Services can now be integrated with more IBM Cloud services:

• Hyper Protect DBaaS for MongoDB
• Hyper Protect DBaaS for PostgreSQL
• HyTrust DataControl
• IBM Cloud Kubernetes Service
• Red Hat OpenShift on IBM Cloud

For more information, see Integrating services.

You can now connect to Hyper Protect Crypto Services over the IBM Cloud private network by targeting a private endpoint for the service.

To get started, enable virtual routing and forwarding (VRF) and service endpoints for your infrastructure account. For more information, see Using service endpoints to privately connect to Hyper Protect Crypto Services.

The managed Cloud Hardware Security Module (HSM) supports Enterprise Public-Key Cryptography Standards (PKCS) #11, so your applications can integrate cryptographic operations like digital signing and validation through Enterprise PKCS #11 (EP11) API. The EP11 library provides an interface similar to the industry-standard PKCS #11 API.

Hyper Protect Crypto Services provides a set of Enterprise PKCS #11 (EP11) over gRPC API calls (also referred to as GREP11), with which, all the Crypto functions are executed in HSM on cloud. GREP11 is a stateless interface for cloud programs.

For more information about the GREP11 API, see Introducing EP11 over gRPC and GREP11 API reference.

You can now create Hyper Protect Crypto Services resources in the Frankfurt region. For more information, see Regions and locations.

Hyper Protect Crypto Services can now be integrated with the following IBM Cloud services:

• IBM Cloud Object Storage
• IBM Cloud Block Storage for Classic for Virtual Private Cloud
• IBM Cloud Virtual Servers for Virtual Private Cloud
• Key Management Interoperability Protocol (KMIP) for VMware® on IBM Cloud

For more information, see Integrating services.

As of 29 March 2019, provisioning new Hyper Protect Crypto Services Beta instances will no longer be possible. Existing instances will have support until the End of Beta Support Date (30 April 2019).

For more information about the Hyper Protect Crypto Services offering, see the IBM Cloud Hyper Protect Crypto Services home page.

IBM Cloud Hyper Protect Crypto Services, which now supports three availability zones in a selected region, is a highly available service with automatic features that help keep your applications secure and operational.

You can create Hyper Protect Crypto Services resources in the supported IBM Cloud regions, which represent the geographic area where your Hyper Protect Crypto Services requests are handled and processed. Each IBM Cloud region contains multiple availability zones to meet local access, low latency, and security requirements for the region.

For more information, see High availability and disaster recovery.

The service instance can be scaled out to a maximum of six crypto units to meet your performance requirement. Each crypto unit can crypto-process 5000 keys. In a production environment, it is suggested to select at least two crypto units to enable high availability. By selecting three or more crypto units, these crypto units are distributed among three availability zones in the selected region.

Read Provisioning the service for more information.

Hyper Protect Crypto Services Beta version is released. You can now access the Hyper Protect Crypto Services service through Catalog > Security directly.

As of 5 February 2019, provisioning new Hyper Protect Crypto Services Experimental instances will no longer be possible. Existing instances will have support until the End of Experimental Support Date (5 March 2019).

Key Protect API is now integrated with Hyper Protect Crypto Services to generate and protect your keys. You can call the Key Protect API directly through Hyper Protect Crypto Services.

For more information, see Setting up the key management service API and Hyper Protect Crypto Services key management service API reference.

Hyper Protect Crypto Services now supports Keep Your Own Key (KYOK) so that you have more control and authority over your data with encryption keys that you can keep, control, and manage. You can initialize and manage your service instance with IBM Cloud® command-line interface (CLI).

For more information, see Initializing service instances to protect key storage.

At the current stage, accessing Hyper Protect Crypto Services through an Advanced Cryptography Service Provider (ACSP) client is being deprecated. If you are using a previous service instance, you can still use ACSP to explore Hyper Protect Crypto Services.