Dedicated security components in an IT infrastructure ensure the protection of data, infrastructure, and processes.

In many cases, providing security in a level beyond software requirements enables secure and reliable use cases. Being in control and being able to express possession of sensitive data often is a prerequisite when an enterprise considers moving data to the cloud. 

Keep Your Own Key (KYOK)

IBM Cloud Hyper Protect Crypto Services introduces the new and powerful concept of Keep Your Own Key (KYOK), which acts as an extension to Bring your Own Key (BYOK). With KYOK, you stay in control of your essential secure key infrastructure at any time, while benefiting from a seamless integration into IBM Cloud services. With IBM Cloud Hyper Protect Services, you fully leverage the proven technology that is co-developed and operated by large enterprises for managing their most sensitive data. 

The cryptographic capabilities of Hyper Protect Crypto Services are built on top of the FIPS 140-2 Level 4 Certified Hardware Security Module. As IBM is starting to provide a new set of capabilities to support your workloads moving to the cloud, you can benefit from the cryptographic capabilities of HPCS for both your new and existing workloads. With the introduction of Enterprise PKCS#11 over gRPC, you have access to a full range of cryptographic operations, such as signing, signature validation, message authentication codes, random number generation. 

The unique concept of the IBM Cloud Hyper Protect Crypto Services puts the Hardware Security Module (HSM) in the center of your single-tenant cryptographic infrastructure. It is possible for you to access Key Management and HSM-based cryptographic functions through a single service instance with a unified user interface. Built as a cloud-native service, Hyper Protect Crypto Services becomes your prime choice for reliable and scalable cryptographic operations. 

What’s new

Private service endpoint available

You can now connect to Hyper Protect Crypto Services over the IBM Cloud private network by targeting a private endpoint for the service. The private endpoint is currently only available for the key management service.

To get started, enable virtual routing and forwarding (VRF) and service endpoints for your infrastructure account. For more information, see “Using private endpoints.”

EP11 cryptographic operations over gRPC

The managed cloud Hardware Security Module (HSM) supports Enterprise Public-Key Cryptography Standards (PKCS) #11, so your applications can integrate cryptographic operations like digital signing and validation via Enterprise PKCS#11 (EP11) API. The EP11 library provides an interface very similar to the industry-standard PKCS #11 API.

Hyper Protect Crypto Services provides a set of Enterprise PKCS #11 (EP11) APIs over gRPC calls (also referred to as GREP11), with which all the Crypto functions are executed in HSM on cloud. GREP11 is designed to be a stateless interface for cloud programs. 

For more information on the GREP11 API, see “EP11 introduction” and “GREP11 API reference.”

New regions available: Sydney and Frankfurt

You can now create Hyper Protect Crypto Services resources in the Sydney and Frankfurt regions. For more information, see “Regions and locations.”

IBM Cloud service integration

Hyper Protect Crypto Services can now be integrated with a broader range of IBM Cloud services, such as IBM VSI Block Storage and KMIP for VMware. For more information, see “Integrating services.”

A step-by-step tutorial is also available on how to integrate Hyper Protect Crypto Services with KMIP for VMware in IBM Developer. See the accompanying demo video: “Hyper Protect Crypto Services and IBM Cloud for VMware Solutions“

More video resources about Hyper Protect Crypto Services are available at IBM demo.

Free trial period available

Order the Hyper Protect Crypto Services now, and you can benefit from two free-of-charge service instances for the first 45 days.

Learn more about IBM Cloud Hyper Protect Crypto Services.