Configure IBM Cloud Hyper Protect Crypto Services (HPCS)
In this section, you can find details on how to configure HPCS and add IBM Cloud Hyper Protect Crypto Services (HPCS) as a keystore in Data Security Broker Manager.
Overview
IBM Cloud Hyper Protect Crypto Services offers a cloud hardware security module (HSM) and key management service. It aims to give you control over your cloud hardware security modules and cloud data encryption keys, as it is the only service in the market built on FIPS 140-2 Level 4-certified hardware.
The HPCS service, which is based on IBM LinuxONE technology, helps to guarantee that only you have access to your keys. Using a dedicated customer-controlled HSM that provides single-tenant key management and key vaulting makes it simple to create encryption keys. You can also bring your own encryption keys to manage instead.
Configure HPCS instance:
Configure IBM Cloud Hyper Protect Crypto Services by following the steps below.
1. Get the IBM HPCS Instance ID in one of the following ways:
   a) Using the IBM Cloud CLI: log in to the IBM Cloud CLI and run the following command:
   ibmcloud resource service-instance 'HPCS-DSB-1'
   b) Using the IBM Cloud web console: navigate to Services and Software and select the HPCS instance. The GUID is displayed in the sidebar; the Instance ID is the same as the GUID.
2. Create and retrieve an API key in the following way:
   a) Open a web browser and navigate to https://cloud.ibm.com/iam/apikeys.
   b) Select Create an IBM Cloud API Key and provide a name for the key.
   c) Copy or download the key after it is created.
3. Create a Cloud Object Storage (COS) instance in the resource group.
4. Create a bucket in the COS instance, for example: dsb-ibm-bucket
5. Generate service credentials for the COS bucket:
   a) In Object Storage, click Service Credentials in the side panel, then click New Credential.
   b) Enable HMAC and click Add.
6. The next step is to add IBM Cloud Hyper Protect Crypto Services as a keystore in Data Security Broker Manager.
Add IBM Cloud Hyper Protect Crypto Services as a keystore in Data Security Broker Manager
You can add the IBM Cloud Hyper Protect Crypto Services instance as a keystore in Data Security Broker Manager by completing the following steps.
- Log into Data Security Broker Manager.
- Select Keystores from the left navigation and click Add Keystore +.
- Specify a name for the keystore in the Keystore name field and provide a valid description in the Description field. Select IBM Cloud Hyper Protect Crypto Services in the Keystore Type drop-down list.
- Enter the Instance ID of the HPCS instance, obtained in step 1 of Configure HPCS instance.
- For App Namespace, enter a string to identify the application.
- For IBM Cloud Hyper Protect Crypto Services Alias, enter the alias of the key that was created in the HPCS instance.
- For the IAM API Key, enter the key you created in step 2 of Configure HPCS instance.
- For IBM region, specify the region for the IBM Cloud Hyper Protect Crypto Services instance.
- For the IBM Cloud Object Storage URL, specify the IBM endpoint URL for COS, for example: https://s3.us-south.cloud-object-storage.appdomain.cloud
- For Access Key ID and Secret Key, enter the values from the cos_hmac_keys section of the COS service credential.
- Click Add Keystore.
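The values collected in the two procedures above are easy to mis-copy (a name instead of the GUID, an http endpoint, a service credential created without HMAC). The following Python pre-flight check is an added example, not part of the original page or of Data Security Broker Manager; it assumes the JSON shape of `ibmcloud resource service-instance --output json` output (a list of objects with a `guid` field) and of a COS service credential (a `cos_hmac_keys` object with `access_key_id` and `secret_access_key`), and both sample inputs are constructed.

```python
"""Pre-flight checks for the values entered on the HPCS keystore form (added example)."""
import json
import uuid
from urllib.parse import urlparse

# Constructed sample of what `ibmcloud resource service-instance <name> --output json`
# prints (assumed shape: a list with one object per matching instance; the real
# output carries more fields than shown here).
SAMPLE_CLI_OUTPUT = json.dumps([
    {"name": "HPCS-DSB-1",
     "guid": "8b1e6f2a-3c4d-4e5f-9a0b-1c2d3e4f5a6b",
     "region_id": "us-south"}
])

# Constructed sample of a COS service credential created with HMAC enabled
# (assumed shape; the key values are placeholders).
SAMPLE_COS_CREDENTIAL = json.dumps({
    "apikey": "PLACEHOLDER-API-KEY",
    "cos_hmac_keys": {
        "access_key_id": "PLACEHOLDER-ACCESS-KEY-ID",
        "secret_access_key": "PLACEHOLDER-SECRET-ACCESS-KEY",
    },
})

# Suffix shared by the IBM COS endpoint in the example above (s3.us-south....)
COS_ENDPOINT_SUFFIX = ".cloud-object-storage.appdomain.cloud"


def instance_id_from_cli(cli_json: str, name: str) -> str:
    """Return the GUID of the named instance; the page states Instance ID == GUID."""
    for inst in json.loads(cli_json):
        if inst.get("name") == name:
            return inst["guid"]
    raise LookupError(f"no service instance named {name!r}")


def hmac_keys_from_credential(credential_json: str) -> tuple[str, str]:
    """Extract the Access Key ID and Secret Key from a COS service credential.

    A credential created without HMAC enabled has no cos_hmac_keys section,
    which is the usual reason the keystore cannot reach the bucket.
    """
    cred = json.loads(credential_json)
    keys = cred.get("cos_hmac_keys")
    if not keys:
        raise ValueError("credential has no cos_hmac_keys; re-create it with HMAC enabled")
    return keys["access_key_id"], keys["secret_access_key"]


def validate_keystore_form(form: dict) -> list[str]:
    """Return a list of problems with the form values; an empty list means they look right."""
    problems = []
    try:
        uuid.UUID(form.get("instance_id", ""))
    except ValueError:
        problems.append("instance_id is not a GUID; copy it from the HPCS sidebar or the CLI")
    for field in ("app_namespace", "hpcs_alias", "iam_api_key", "region",
                  "access_key_id", "secret_access_key"):
        if not form.get(field):
            problems.append(f"{field} is empty")
    url = urlparse(form.get("cos_url", ""))
    if url.scheme != "https":
        problems.append("cos_url must use https")
    if not url.netloc.endswith(COS_ENDPOINT_SUFFIX):
        problems.append("cos_url does not look like an IBM COS endpoint")
    return problems


if __name__ == "__main__":
    access_key, secret_key = hmac_keys_from_credential(SAMPLE_COS_CREDENTIAL)
    form = {
        "instance_id": instance_id_from_cli(SAMPLE_CLI_OUTPUT, "HPCS-DSB-1"),
        "app_namespace": "dsb-demo",
        "hpcs_alias": "dsb-root-key",       # alias of the key created in HPCS
        "iam_api_key": "PLACEHOLDER-IAM-API-KEY",
        "region": "us-south",
        "cos_url": "https://s3.us-south.cloud-object-storage.appdomain.cloud",
        "access_key_id": access_key,
        "secret_access_key": secret_key,
    }
    print("problems:", validate_keystore_form(form) or "none")
```

Run the checks against the values you are about to paste into the form; an empty problem list does not prove the keystore will work, but it catches the copy-and-paste mistakes that otherwise only surface as an opaque failure after Add Keystore.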