November 30, 2020 By Sowmya Nataraj
Christopher Smith
4 min read

When it comes to securing sensitive data in the cloud, customers want to ensure data is protected from both internal and external threats.

This requires that data is encrypted and that data encryption keys are protected by hardware-based security.

IBM Cloud Hyper Protect Crypto Services offers the industry’s highest level of encryption key protection by providing customers with the “Keep Your Own Key” (KYOK) capability.

What is IBM Cloud Hyper Protect Crypto Services?

IBM Cloud Hyper Protect Crypto Services is a single-tenant Key Management Service and a Cloud Hardware Security Module (HSM) service. Key vaulting is provided by dedicated, customer-controlled cloud HSMs that are built on FIPS 140-2 Level 4-certified hardware — the highest level of security offered by any cloud provider in the industry. KYOK is designed to allow customers to have exclusive key control, where only customers have access to encryption keys. Other privileged users, such as IBM Cloud administrators, have no access to the keys.

It is a managed cloud HSM service where you initialize your service instance via a Key Ceremony, using either Cloud Command Line Interface (CLI) or smartcards. IBM provisions, monitors, and manages HA and backup for the HSMs, while you retain control of the HSMs. The master key is not backed up.

What is new?

We are now announcing support for the stateful version of PKCS #11. You can now use Hyper Protect Crypto Services as Cloud Hardware Security Module (HSM) for the following use cases: TLS/SSL offloading, database encryption via PKCS#11 support, and application-level encryption.

TLS/SSL offloading

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols designed to provide communication security over a computer network. In the context of web servers, the TLS/SSL protocol allows a website to establish the identity so that users of the website can be sure that no one else is masquerading as the website. This is done through a public-private key pair.

Hyper Protect Crypto Services provides a way to offload the cryptographic operations that are done during the TLS handshake to establish a secure connection to the web server, while keeping the TLS/SSL private key securely stored in the dedicated HSM. Please see the tutorial on how to use the service to offload TLS from a Nginx proxy.

Database encryption via PKCS #11 support

Hyper Protect Crypto Services enables you to encrypt Oracle® Database using Transparent Data Encryption (TDE) and encrypt IBM Db2® Database using Db2 default encryption. The Hyper Protect Crypto Services PKCS #11 library connects your database to Hyper Protect Crypto Services to perform cryptographic operations. For examples on how to do this, please see the Oracle Transparent Data Encryption (TDE) Tutorial and the Db2 Tutorial.

Application-level encryption

Application programmers can design and develop applications with a standard PKCS #11 API to request encryption or to sign the application data. You have access to a full range of advanced cryptographic operations, such as signing, signature validation, message authentication codes, and more advanced encryption schemes:

We have code samples for using GREP 11 with Golang and JavaScript that you can try out.

Hyper Protect Crypto Services already supported cryptographic operations through Enterprise PKCS #11 over gRPC (GREP11), which is IBM’s stateless implementation of the Public Key Cryptography Standards.

  • PKCS #11, the stateful implementation, is the correct fit for application transactions and where there is need for more advanced cryptography, like encryption schemes in databases, field encryption, and digital signatures.
  • The stateless implementation (EP11) works well for applications where customers are looking to process complex transactions without the need to complete them where they started and also support virtually unlimited number of keys and ongoing transactions. Also, it allows for uses cases in the digital asset custody space where managing key stores and key store types is desired.

Understanding how the GREP11 API and PKCS #11 API compare will be helpful in making the right choices for your application.

Use the promo code HPCRYPTO30 to try the service free

We are offering new clients a $3,120 USD credit to be applied toward IBM Cloud Hyper Protect Crypto Services. When you create an instance of Hyper Protect Crypto Services, you specify number of crypto units to provision. The default option is two crypto units for high availability and monthly pricing is per crypto unit.

Use the promo code HPCRYPTO30 when you provision the service to get the first 30 days free for two crypto units. See this guide on how to apply promocodes to your IBM account. The offer can be redeemed in a few simple steps:

This offer is subject to availability, each promo code can be used once per customer, and cannot be combined with other offers.

For more information on this announcement, see the full press release.

More from Announcements

Success and recognition of IBM offerings in G2 Summer Reports  

2 min read - IBM offerings were featured in over 1,365 unique G2 reports, earning over 230 Leader badges across various categories.   This recognition is important to showcase our leading products and also to provide the unbiased validation our buyers seek. According to the 2024 G2 Software Buyer Behavior Report, “When researching software, buyers are most likely to trust information from people with similar roles and challenges, and they value transparency above other factors.”  With over 90 million visitors each year and hosting more than 2.6…

Manage the routing of your observability log and event data 

4 min read - Comprehensive environments include many sources of observable data to be aggregated and then analyzed for infrastructure and app performance management. Connecting and aggregating the data sources to observability tools need to be flexible. Some use cases might require all data to be aggregated into one common location while others have narrowed scope. Optimizing where observability data is processed enables businesses to maximize insights while managing to cost, compliance and data residency objectives.  As announced on 29 March 2024, IBM Cloud® released its next-gen observability…

Unify and share data across Netezza and for new generative AI applications

3 min read - In today's data and AI-driven world, organizations are generating vast amounts of data from various sources. The ability to extract value from AI initiatives relies heavily on the availability and quality of an enterprise's underlying data. In order to unlock the full potential of data for AI, organizations must be able to effectively navigate their complex IT landscapes across the hybrid cloud.   At this year’s IBM Think conference in Boston, we announced the new capabilities of IBM, an open…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters