Introducing IBM Cloud Key Protect KMS with BYOHSM Support for IBM Cloud Satellite Deployments

Bringing data protection to where it is needed.

As protecting data everywhere becomes increasingly critical for organizations transforming into hybrid cloud IT, IBM Cloud is introducing the ability for IBM Key Protect for IBM Cloud to support data encryption on the new IBM Cloud Satellite environments. Now you have the flexibility to use Key Protect anywhere — either on the IBM Cloud, other cloud infrastructure providers or on-premises. IBM Key Protect on IBM Cloud Satellite enables secure data services closer to where they are needed, with the additional security benefit of allowing you to have separate and direct control of your "root of trust" with Bring Your Own Hardware Security Module (BYOHSM) capability.

What is Bring Your Own Hardware Security Module (BYOHSM)?

Encryption is a building block for any secure IT deployment. When protecting data at rest, organizations use symmetric encryption algorithms that rely on a key to encrypt and decrypt the information for the owner or holders of that key. In large organizations with many data storage devices or repositories, handling the lifecycle of the myriad keys for each device can become an administrative nightmare and a security risk, especially if part of the infrastructure is exposed to personnel who are not authorized to access the data (as in a cloud deployment).

To alleviate these issues, IBM provides Key Management Services (KMS) such as IBM Key Protect for IBM Cloud or IBM Cloud Hyper Protect Crypto Services that manage the lifecycle of the data encryption keys and protect and isolate them for the individual user by additionally encrypting the data encryption keys with a user-owned root key (envelope encryption).

The KMS also handles the lifecycle of the user’s root keys and ensures these are only accessible to their rightful owner. To keep these root keys secured and isolated, KMS systems rely on the highest level of encryption and secure storage provided by Hardware Security Modules (HSMs). HSMs are the most secure option for protecting encryption keys and secrets, but they are expensive and require a high level of skill to configure and operate. Therefore, IBM Cloud has removed that burden from end consumers by including the management of the HSM as part of the KMS service.

There are two options to handle your root keys in the managed KMS-HSM solution:

  1. Bring Your Own Key (BYOK): Users can import their root keys securely in the cloud managed KMS-HSM, and they are kept operationally separated in a shared HSM.
  2. Keep Your Own Key (KYOK): A special BYOK process in which the user loads the root key (through a master key ceremony) into a dedicated and technically isolated KMS-HSM module (an enclave) that only the user can access, and retains control of that key.

Both models manage the full operations for the KMS-HSM service, where option 1 is multitenant (Key Protect) and option 2 is single tenant (Hyper Protect Crypto Services).

IBM wants to help these organizations have more flexibility in security configurations and allow for a division of responsibilities between where the root key is stored and where it is used. To this end, we are introducing the concept of Bring Your Own HSM (BYOHSM), which reflects the separation of the KMS from the HSM: the KMS continues as a managed service on the IBM Cloud Satellite location, but the HSM is wholly owned and managed by the user (typically on-premises). Essentially, this provides a third KMS configuration option where the user keeps their keys under the control of their own HSM, yet the administration and handling of the key lifecycle is off-loaded to a service. This gives organizations the option of stricter control over secret data, or of separating vendors.

IBM Key Protect for IBM Cloud is the multitenant IBM Cloud KMS to securely serve and manage the lifecycle of symmetric keys for a wide set of backend cloud services and user applications. Key Protect uses the BYOK method of handling root keys and stores them in managed cloud HSM.

With the expansion of Satellite locations for IBM Cloud, there is a need to provide KMS services to customer workloads and to the many IBM Cloud services handling data on an organization’s Satellite locations. IBM Cloud Satellite extends IBM Cloud services and software to the client’s choice of infrastructure. One type of hardware that can be owned and managed by the user is the HSM; effectively, this makes Key Protect on Satellite a BYOHSM configuration.

Why a KMS with BYOHSM for IBM Cloud Satellite?

IBM Cloud Satellite offers users the ability to leverage their investment in existing infrastructure while benefiting from the flexibility and agility of cloud, consistently and securely. One of those benefits is the ability to deploy their data workloads and applications in a managed environment.

Encryption ensures that the sensitive data in those workloads is secure. A KMS is necessary to manage all the root keys needed to efficiently and securely encrypt and decrypt the sensitive data sitting in the Satellite data repositories. Given that organizations use the infrastructure of their choice for their Satellite locations, they retain ownership and responsibility for the HSMs.

This configuration introduces an additional level of security: the root keys are generated and hosted in a fully user-owned HSM device (BYOHSM). All crypto operations are done within the HSM, and the keys never leave the FIPS boundary (the HSM) in the clear. Therefore, users have full control of the keys and operations; there is no handling of crypto operations within the managed KMS service. Organizations get the benefits of running a single-tenant KMS service in a location of their choice, with the root keys under the control of their own HSM infrastructure.
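As an added illustration (not code from this post or from Key Protect itself) of the envelope encryption described earlier and of the property that root keys never leave the HSM boundary, the Go block below models a root key holder that only exposes wrap and unwrap of data encryption keys, so the root key is never handed to the caller. The `RootKeyHolder` type, the use of a key ID as GCM associated data, and all helper names are assumptions made for this example; the real service talks to a Thales HSM rather than to an in-process AES-GCM key.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
func must[T any](v T, err error) T { // for failures that can only be programming errors
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte { // keys and nonces; a crypto/rand failure is fatal, never a silent fallback
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func gcm(key []byte) cipher.AEAD { // AES-256-GCM from a 32-byte key
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}
func seal(aead cipher.AEAD, pt, aad []byte) []byte { // returns nonce || ciphertext; aad is authenticated, not encrypted
	nonce := randBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, pt, aad)...)
}
func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) { // fails on truncation or any tampering
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], aad)
	}
	return nil, errors.New("blob shorter than a nonce")
}
// RootKeyHolder (assumed name) stands in for the user-owned HSM: the root key is generated inside and never returned; callers can only wrap/unwrap DEKs with it.
type RootKeyHolder struct{ aead cipher.AEAD }
func NewRootKeyHolder() *RootKeyHolder                          { return &RootKeyHolder{aead: gcm(randBytes(32))} }
func (h *RootKeyHolder) WrapDEK(dek, id []byte) []byte          { return seal(h.aead, dek, id) }
func (h *RootKeyHolder) UnwrapDEK(w, id []byte) ([]byte, error) { return open(h.aead, w, id) }
// EnvelopeEncrypt: a fresh DEK encrypts the data; only the root-key-wrapped DEK (bound to keyID as AAD) is kept beside the ciphertext, and the plain DEK is dropped on return.
func EnvelopeEncrypt(h *RootKeyHolder, keyID, data []byte) (ct, wrappedDEK []byte) {
	dek := randBytes(32)
	return seal(gcm(dek), data, keyID), h.WrapDEK(dek, keyID)
}
// EnvelopeDecrypt unwraps the DEK through the holder, then decrypts the data with it.
func EnvelopeDecrypt(h *RootKeyHolder, keyID, ct, wrappedDEK []byte) ([]byte, error) {
	dek, err := h.UnwrapDEK(wrappedDEK, keyID)
	if err != nil {
		return nil, err
	}
	return open(gcm(dek), ct, keyID)
}
```

Because the wrapped DEK is bound to the root key ID, a record cannot be silently re-pointed at a different root key, and a second holder (another root key) cannot unwrap it.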

What is IBM releasing to introduce encryption on IBM Cloud Satellite?

IBM Cloud Satellite offers leading edge capabilities for co-locating the benefits of the IBM Cloud services. Many of these concepts and architecture are new to users, and IBM Cloud key services are just starting to support this deployment model. However, Satellite offers great flexibility and operational advantages.

Given that encryption (and a KMS) is critical for protecting data in the cloud, IBM is introducing support for the Key Protect service on Satellite to enable users to protect their data in their desired Satellite location. The introductory offering gives users an opportunity to get familiar with the operations and advantages of having a KMS with BYOHSM on your Satellite location. You operate and manage the HSM while IBM operates and manages the Key Protect KMS service on your infrastructure. This introduction will be phased to speed up the availability of the technology. The initial scope for the Key Protect on IBM Cloud Satellite will cover the following characteristics:

  • A single-tenant, IBM Cloud managed KMS SaaS service deployed on Satellite user-owned infrastructure. Only on-premises infrastructure is supported, with specific prerequisite configuration, including the HSM.
    • All Key Protect KMS key handling operations are supported.
    • All key management operations are available via the API. UI controls cover the provisioning of the Key Protect service in the Satellite location.
  • Only Satellite locations deployed from the US-East MZR host region.
  • High Availability (HA) with three zones for the KMS is included in the SaaS service. HA for the HSM is a prerequisite and is owned by the user.
  • HSM support is limited to Thales A7xx models.
  • Automatic provisioning of Key Protect for Satellite from the IBM Cloud MZR host Key Protect console.
    • Prerequisite: the Satellite location, infrastructure, HSM and IBM Cloud Databases environment must be available before deployment.
  • Supported encryption-enabled services: Red Hat OpenShift on Satellite (other data services, such as Cloud Object Store, are planned in the roadmap).
  • There is an introductory free trial package limited to one instance of Key Protect on Satellite per account. Migration to a paid plan is expected after the introductory timeframe ends. There are additional costs associated with the IBM Cloud Satellite infrastructure and location itself.

How is IBM Cloud Key Protect deployed on IBM Cloud Satellite?

The following architectural diagram shows the relationship between the different components of Key Protect and how they support the Satellite deployment and the encryption of the first services:

Each Satellite location is connected to an IBM Cloud Multi-Zone Region (MZR) as a host, from where the Satellite environment is provisioned once the required organization infrastructure is available. To deploy Key Protect to a Satellite location, additional infrastructure (including the HSM HA deployment and setup) and an IBM Cloud Databases (ICD) environment must be available. At that point, you are ready to deploy a Key Protect for Satellite instance from the Key Protect console.

Provisioning lays down the Key Protect clusters and connects to the available HSMs with the information provided. Once Key Protect is provisioned and operational, your applications can start using Key Protect through its API. The endpoint of the Key Protect service can be obtained from IBM Cloud GhoST.

As more IBM Cloud services are deployed in your Satellite location, you can enable them to use your keys (root of trust) from Key Protect. As services (such as Red Hat OpenShift on IBM Cloud) or applications are configured, you use IAM controls to grant the appropriate users access to handle the user root keys for each service and application. The user root keys are generated and stored in the organization-owned and organization-controlled on-premises HSM.

Key Protect coordinates the handling of the data encryption keys (DEKs) for the services, using the root keys in the HSM. All Key Protect KMS activity is audited, cached and sent to Activity Tracker in the IBM Cloud MZR host region for compliance reporting. The Key Protect KMS is provided as a service managed by IBM Cloud. As such, it provides the same SLA and assurances as other services, including high availability management and operational compliance. The only exception is the processes and configuration of the infrastructure, where responsibility lies with the user. For example, the disaster recovery process is not covered by this SLA, as the user must provide the additional infrastructure and setup for disaster recovery themselves. For more information, please see the Key Protect documentation.

What are the main benefits of using Key Protect on IBM Cloud Satellite?

Protect your critical data closer to your IT control by using the strongest, most flexible KMS with BYOHSM support. Localizing Key Protect provides IBM Cloud users with the following benefits:

  • Enables protection of critical data used by services and applications in a co-located Satellite deployment.
  • Gives users additional control over where their master user root keys are stored and even which vendor HSM they use (BYOHSM).
  • Provides automated and secure management of the KMS environment, in line with the same user experience in the IBM Cloud.

How can I get started?

We wanted to make Key Protect on Satellite code available ASAP, and you can read about it in our documentation.

Visit our catalog entry to try it out. Start protecting your sensitive data in your co-located IBM Cloud Satellite. You can leverage your existing HSM to ensure your keys never leave your control.
