November 30, 2020 | By Sowmya Nataraj and Christopher Smith | 4 min read

When it comes to securing sensitive data in the cloud, customers want to ensure data is protected from both internal and external threats.

This requires that data is encrypted and that data encryption keys are protected by hardware-based security.

IBM Cloud Hyper Protect Crypto Services offers the industry’s highest level of encryption key protection by providing customers with the “Keep Your Own Key” (KYOK) capability.

What is IBM Cloud Hyper Protect Crypto Services?

IBM Cloud Hyper Protect Crypto Services is a single-tenant Key Management Service and a cloud Hardware Security Module (HSM) service. Key vaulting is provided by dedicated, customer-controlled cloud HSMs built on FIPS 140-2 Level 4-certified hardware, the highest certification level offered by any cloud provider in the industry. KYOK gives customers exclusive control of their keys: only the customer can access the encryption keys, and other privileged users, such as IBM Cloud administrators, have no access to them.

It is a managed cloud HSM service: you initialize your service instance through a key ceremony, using either the IBM Cloud Command Line Interface (CLI) or smart cards. IBM provisions, monitors, and manages high availability (HA) and backup for the HSMs, while you retain control of the HSMs. The master key itself is not backed up, so guard the key parts created during the ceremony; without them the master key cannot be restored.

What is new?

We are now announcing support for the stateful version of PKCS #11. You can now use Hyper Protect Crypto Services as a cloud Hardware Security Module (HSM) for the following use cases: TLS/SSL offloading, database encryption via PKCS #11, and application-level encryption.

TLS/SSL offloading

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols designed to provide communication security over a computer network. In the context of web servers, TLS allows a website to establish its identity so that users of the website can be sure that no one else is masquerading as the website. This is done through a public-private key pair: the certificate binds the public key to the site, and the server proves possession of the matching private key during the handshake.

Hyper Protect Crypto Services lets you offload the private-key operations performed during the TLS handshake to the dedicated HSM, so the TLS/SSL private key stays inside the HSM and is never exposed to the web server. See the tutorial on how to use the service to offload TLS from an NGINX proxy.
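To make that offloading boundary concrete, here is an added example in Go (not code from the original post or from IBM's library). The TLS stack is handed a `crypto.Signer` whose `Sign()` is the only place the private key is used; that interface is exactly the hook a PKCS #11-backed key plugs into. The `hsmSigner` type, its in-process key and the `hsm-backed.example` certificate name are assumptions made so the example runs offline; with the real service, `Sign()` would issue C_SignInit/C_Sign against a key object in the HSM instead.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// hsmSigner stands in for a PKCS #11-backed server key (an assumption of this
// example, not the Hyper Protect Crypto Services library). TLS only ever calls
// Public() and Sign(); in production Sign() would run C_SignInit/C_Sign on a
// non-extractable key object. The key is in process here only to run offline.
type hsmSigner struct {
	priv      *ecdsa.PrivateKey
	signCalls int64 // digests handed "to the HSM"
}

func (s *hsmSigner) Public() crypto.PublicKey { return &s.priv.PublicKey }

// Sign sees only the digest TLS wants signed (the transcript hash for
// CertificateVerify), never the handshake or session secrets.
func (s *hsmSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	atomic.AddInt64(&s.signCalls, 1)
	return s.priv.Sign(r, digest, opts)
}

const serverName = "hsm-backed.example" // constructed name for the test certificate

// handshakeWithOffloadedKey runs one TLS 1.3 handshake over loopback TCP with the
// server key behind hsmSigner and returns how many Sign calls the handshake made.
func handshakeWithOffloadedKey() (int64, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	signer := &hsmSigner{priv: priv}
	// Self-signed, one-hour certificate; CreateCertificate also signs through Sign().
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return 0, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	before := atomic.LoadInt64(&signer.signCalls) // one call was spent issuing the cert
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		cfg := &tls.Config{MinVersion: tls.VersionTLS13,
			Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: signer}}}
		srvErr <- tls.Server(conn, cfg).Handshake()
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(),
		&tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS13})
	if err != nil {
		return 0, err
	}
	cli.Close()
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return atomic.LoadInt64(&signer.signCalls) - before, nil
}

func main() {
	n, err := handshakeWithOffloadedKey()
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS 1.3 handshake done; the HSM signer was asked to sign %d time(s)\n", n)
}
```

The handshake makes exactly one `Sign()` call, for the CertificateVerify message. Everything else in a TLS 1.3 handshake (the ECDHE key exchange, the record encryption) needs only the ephemeral session secrets, which is why offloading that one signature is enough to keep the long-term key out of the web server's memory.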

Database encryption via PKCS #11 support

Hyper Protect Crypto Services enables you to encrypt an Oracle® Database using Transparent Data Encryption (TDE) and an IBM Db2® database using Db2 default encryption. The Hyper Protect Crypto Services PKCS #11 library connects your database to the service, which holds the master key and performs the cryptographic operations that use it. For examples of how to do this, see the Oracle Transparent Data Encryption (TDE) tutorial and the Db2 tutorial.
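What the PKCS #11 library does for TDE is hold the master encryption key and wrap the database's data encryption keys (DEKs) with it; the data itself is encrypted by the database under those DEKs. The following added example (not IBM's code) shows that two-tier key hierarchy in Go. `masterKeyHandle` stands in for the master key object in the HSM and AES-GCM is used as the wrap mechanism; both, along with the `tde-dek` label and the column names, are assumptions of the example so that it runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// masterKeyHandle stands in for a TDE master key held as a PKCS #11 object in the HSM
// (an assumption of this example, not the Hyper Protect Crypto Services library); only
// Wrap and Unwrap are exposed, so the database never obtains kek itself.
type masterKeyHandle struct {
	kek []byte // AES-256 key, kept in process only so the example runs offline
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-GCM with a fresh 96-bit nonce; output is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal and fails on any change to ciphertext, tag or aad.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Wrap and Unwrap mirror C_WrapKey/C_UnwrapKey: the DEK crosses the HSM boundary
// only in wrapped form, labelled so a wrapped key cannot be passed off as data.
func (h *masterKeyHandle) Wrap(dek []byte) ([]byte, error) { return seal(h.kek, dek, []byte("tde-dek")) }
func (h *masterKeyHandle) Unwrap(b []byte) ([]byte, error) { return unseal(h.kek, b, []byte("tde-dek")) }

// encryptedField is what the database stores: the wrapped DEK next to the value encrypted
// under it, with the column name as AAD so a ciphertext cannot be moved between columns.
type encryptedField struct {
	Column     string
	WrappedDEK []byte
	Ciphertext []byte
}

// encryptField draws a fresh DEK, encrypts the value with it, then wraps the DEK.
func encryptField(h *masterKeyHandle, column string, plaintext []byte) (*encryptedField, error) {
	dek := mustRandom(32)
	ct, err := seal(dek, plaintext, []byte(column))
	if err != nil {
		return nil, err
	}
	wrapped, err := h.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &encryptedField{Column: column, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// decryptField unwraps the DEK through the master key, then decrypts the value.
func decryptField(h *masterKeyHandle, f *encryptedField) ([]byte, error) {
	dek, err := h.Unwrap(f.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, f.Ciphertext, []byte(f.Column))
}

// rotateMasterKey re-wraps the DEK under a new master key. The ciphertext is not
// touched: rotating the master key never requires re-encrypting the stored data.
func rotateMasterKey(oldKey, newKey *masterKeyHandle, f *encryptedField) error {
	dek, err := oldKey.Unwrap(f.WrappedDEK)
	if err != nil {
		return err
	}
	f.WrappedDEK, err = newKey.Wrap(dek)
	return err
}
```

The point to take from `rotateMasterKey` is that rotating the master key only re-wraps the DEKs; the stored ciphertext is untouched, which is what makes periodic master key rotation cheap. The database still needs the unwrapped DEK in memory to encrypt and decrypt its data; what the HSM guarantees is that the master key, the one key that unlocks all the others, never leaves it.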

Application-level encryption

Application programmers can design and develop applications against the standard PKCS #11 API to encrypt or sign application data. You have access to a full range of cryptographic operations, such as signing, signature verification, message authentication codes, and more advanced encryption schemes.

Hyper Protect Crypto Services already supported cryptographic operations through Enterprise PKCS #11 over gRPC (GREP11), IBM's stateless implementation of the PKCS #11 standard; code samples for using GREP11 with Go and JavaScript are available for you to try. The two interfaces suit different workloads:

  • PKCS #11, the stateful implementation, is the right fit for application transactions and for cases that need more advanced cryptography, such as encryption schemes in databases, field-level encryption, and digital signatures.
  • The stateless implementation (GREP11) works well for applications that process complex transactions without needing to complete them where they started. Because key material travels with each request as HSM-wrapped blobs rather than living in a session, it supports a virtually unlimited number of keys and concurrent transactions. It also enables use cases in the digital asset custody space where managing key stores and key store types is desired.

Understanding how the GREP11 and PKCS #11 APIs compare will help you make the right choice for your application.

Use the promo code HPCRYPTO30 to try the service free

We are offering new clients a $3,120 USD credit to be applied toward IBM Cloud Hyper Protect Crypto Services. When you create an instance of Hyper Protect Crypto Services, you specify the number of crypto units to provision. The default is two crypto units for high availability, and pricing is monthly per crypto unit.

Use the promo code HPCRYPTO30 when you provision the service to get the first 30 days free for two crypto units. Redeeming it takes only a few steps; see this guide on how to apply promo codes to your IBM Cloud account.

This offer is subject to availability; each promo code can be used once per customer and cannot be combined with other offers.

For more information on this announcement, see the full press release.
