When it comes to securing sensitive data in the cloud, customers want to ensure data is protected from both internal and external threats.

This requires that data is encrypted and that data encryption keys are protected by hardware-based security.

IBM Cloud Hyper Protect Crypto Services offers the industry’s highest level of encryption key protection by providing customers with the “Keep Your Own Key” (KYOK) capability.

What is IBM Cloud Hyper Protect Crypto Services?

IBM Cloud Hyper Protect Crypto Services is a single-tenant Key Management Service and a Cloud Hardware Security Module (HSM) service. Key vaulting is provided by dedicated, customer-controlled cloud HSMs that are built on FIPS 140-2 Level 4-certified hardware — the highest level of security offered by any cloud provider in the industry. KYOK is designed to allow customers to have exclusive key control, where only customers have access to encryption keys. Other privileged users, such as IBM Cloud administrators, have no access to the keys.

It is a managed cloud HSM service where you initialize your service instance via a Key Ceremony, using either Cloud Command Line Interface (CLI) or smartcards. IBM provisions, monitors, and manages HA and backup for the HSMs, while you retain control of the HSMs. The master key is not backed up.

What is new?

We are now announcing support for the stateful version of PKCS #11. You can now use Hyper Protect Crypto Services as Cloud Hardware Security Module (HSM) for the following use cases: TLS/SSL offloading, database encryption via PKCS#11 support, and application-level encryption.

TLS/SSL offloading

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols designed to provide communication security over a computer network. In the context of web servers, the TLS/SSL protocol allows a website to establish the identity so that users of the website can be sure that no one else is masquerading as the website. This is done through a public-private key pair.

Hyper Protect Crypto Services provides a way to offload the cryptographic operations that are done during the TLS handshake to establish a secure connection to the web server, while keeping the TLS/SSL private key securely stored in the dedicated HSM. Please see the tutorial on how to use the service to offload TLS from a Nginx proxy.

Database encryption via PKCS #11 support

Hyper Protect Crypto Services enables you to encrypt Oracle® Database using Transparent Data Encryption (TDE) and encrypt IBM Db2® Database using Db2 default encryption. The Hyper Protect Crypto Services PKCS #11 library connects your database to Hyper Protect Crypto Services to perform cryptographic operations. For examples on how to do this, please see the Oracle Transparent Data Encryption (TDE) Tutorial and the Db2 Tutorial.

Application-level encryption

Application programmers can design and develop applications with a standard PKCS #11 API to request encryption or to sign the application data. You have access to a full range of advanced cryptographic operations, such as signing, signature validation, message authentication codes, and more advanced encryption schemes:

We have code samples for using GREP 11 with Golang and JavaScript that you can try out.

Hyper Protect Crypto Services already supported cryptographic operations through Enterprise PKCS #11 over gRPC (GREP11), which is IBM’s stateless implementation of the Public Key Cryptography Standards.

  • PKCS #11, the stateful implementation, is the correct fit for application transactions and where there is need for more advanced cryptography, like encryption schemes in databases, field encryption, and digital signatures.
  • The stateless implementation (EP11) works well for applications where customers are looking to process complex transactions without the need to complete them where they started and also support virtually unlimited number of keys and ongoing transactions. Also, it allows for uses cases in the digital asset custody space where managing key stores and key store types is desired.

Understanding how the GREP11 API and PKCS #11 API compare will be helpful in making the right choices for your application.

Use the promo code HPCRYPTO30 to try the service free

We are offering new clients a $3,120 USD credit to be applied toward IBM Cloud Hyper Protect Crypto Services. When you create an instance of Hyper Protect Crypto Services, you specify number of crypto units to provision. The default option is two crypto units for high availability and monthly pricing is per crypto unit.

Use the promo code HPCRYPTO30 when you provision the service to get the first 30 days free for two crypto units. See this guide on how to apply promocodes to your IBM account. The offer can be redeemed in a few simple steps:

This offer is subject to availability, each promo code can be used once per customer, and cannot be combined with other offers.

For more information on this announcement, see the full press release.


More from Announcements

IBM TechXchange underscores the importance of AI skilling and partner innovation

3 min read - Generative AI and large language models are poised to impact how we all access and use information. But as organizations race to adopt these new technologies for business, it requires a global ecosystem of partners with industry expertise to identify the right enterprise use-cases for AI and the technical skills to implement the technology. During TechXchange, IBM's premier technical learning event in Las Vegas last week, IBM Partner Plus members including our Strategic Partners, resellers, software vendors, distributors and service…

Introducing Inspiring Voices, a podcast exploring the impactful journeys of great leaders

< 1 min read - Learning about other people's careers, life challenges, and successes is a true source of inspiration that can impact our own ambitions as well as life and business choices in great ways. Brought to you by the Executive Search and Integration team at IBM, the Inspiring Voices podcast will showcase great leaders, taking you inside their personal stories about life, career choices and how to make an impact. In this first episode, host David Jones, Executive Search Lead at IBM, brings…

IBM watsonx Assistant and NICE CXone combine capabilities for a new chapter in CCaaS

5 min read - In an age of instant everything, ensuring a positive customer experience has become a top priority for enterprises. When one third of customers (32%) say they will walk away from a brand they love after just one bad experience (source: PWC), organizations are now applying massive investments to this experience, particularly with their live agents and contact centers.  For many enterprises, that investment includes modernizing their call centers by moving to cloud-based Contact Center as a Service (CCaaS) platforms. CCaaS solutions…

See what’s new in SingleStoreDB with IBM 8.0

3 min read - Despite decades of progress in database systems, builders have compromised on at least one of the following: speed, reliability, or ease. They have two options: one, they could get a document database that is fast and easy, but can’t be relied on for mission-critical transactional applications. Or two, they could rely on a cloud data warehouse that is easy to set up, but only allows lagging analytics. Even then, each solution lacks something, forcing builders to deploy other databases for…