Keep Your Own Key for SSL Offloading, Database Encryption, and Application Encryption


When it comes to securing sensitive data in the cloud, customers want to ensure data is protected from both internal and external threats.

This requires that data is encrypted and that data encryption keys are protected by hardware-based security.

IBM Cloud Hyper Protect Crypto Services offers the industry’s highest level of encryption key protection by providing customers with the “Keep Your Own Key” (KYOK) capability.

What is IBM Cloud Hyper Protect Crypto Services?

IBM Cloud Hyper Protect Crypto Services is a single-tenant Key Management Service and a Cloud Hardware Security Module (HSM) service. Key vaulting is provided by dedicated, customer-controlled cloud HSMs that are built on FIPS 140-2 Level 4-certified hardware — the highest level of security offered by any cloud provider in the industry. KYOK is designed to allow customers to have exclusive key control, where only customers have access to encryption keys. Other privileged users, such as IBM Cloud administrators, have no access to the keys.

It is a managed cloud HSM service in which you initialize your service instance through a Key Ceremony, using either the IBM Cloud Command Line Interface (CLI) or smart cards. IBM provisions, monitors, and manages high availability (HA) and backup for the HSMs, while you retain control of the HSMs. The master key is not backed up.

What is new?

We are now announcing support for the stateful version of PKCS #11. You can now use Hyper Protect Crypto Services as a Cloud Hardware Security Module (HSM) for the following use cases: TLS/SSL offloading, database encryption via PKCS #11 support, and application-level encryption.

TLS/SSL offloading

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols designed to provide communication security over a computer network. In the context of web servers, the TLS/SSL protocol allows a website to establish its identity so that users of the website can be sure that no one else is masquerading as the website. This is done through a public-private key pair.

Hyper Protect Crypto Services provides a way to offload the cryptographic operations that are done during the TLS handshake to establish a secure connection to the web server, while keeping the TLS/SSL private key securely stored in the dedicated HSM. Please see the tutorial on how to use the service to offload TLS from a Nginx proxy.

Database encryption via PKCS #11 support

Hyper Protect Crypto Services enables you to encrypt Oracle® Database using Transparent Data Encryption (TDE) and encrypt IBM Db2® Database using Db2 default encryption. The Hyper Protect Crypto Services PKCS #11 library connects your database to Hyper Protect Crypto Services to perform cryptographic operations. For examples on how to do this, please see the Oracle Transparent Data Encryption (TDE) Tutorial and the Db2 Tutorial.

Application-level encryption

Application programmers can design and develop applications that use the standard PKCS #11 API to request encryption or to sign application data. You have access to a full range of advanced cryptographic operations, such as signing, signature validation, message authentication codes, and more advanced encryption schemes.

We have code samples for using GREP11 with Golang and JavaScript that you can try out.

Hyper Protect Crypto Services already supported cryptographic operations through Enterprise PKCS #11 over gRPC (GREP11), which is IBM’s stateless implementation of the Public Key Cryptography Standards.

  • PKCS #11, the stateful implementation, is the correct fit for application transactions and where there is need for more advanced cryptography, like encryption schemes in databases, field encryption, and digital signatures.
  • The stateless implementation (EP11) works well for applications where customers need to process complex transactions without having to complete them where they started, and it also supports a virtually unlimited number of keys and ongoing transactions. It also allows for use cases in the digital asset custody space, where managing key stores and key store types is desired.

Understanding how the GREP11 API and PKCS #11 API compare will be helpful in making the right choices for your application.
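As an added illustration of the stateful, application-level pattern described above (this is example code, not IBM's sample code), the block below encrypts a single database field with an AES key that lives on the Hyper Protect Crypto Services PKCS #11 token and is only ever referenced by label, so key bytes never enter the application. It assumes the open-source python-pkcs11 package, a hypothetical library path, token label, PIN and key label, and that the token exposes AES-GCM; the record layout that carries the key label and IV beside the ciphertext is constructed here for the example.

```python
import os
import struct

# Constructed on-disk layout for one encrypted field:
#   u8 label_len | key label (as stored on the token) | 12-byte IV | ciphertext || 16-byte GCM tag
IV_LEN, TAG_LEN = 12, 16

def pack_record(key_label, iv, ciphertext):
    label = key_label.encode()
    if not 0 < len(label) < 256 or len(iv) != IV_LEN:
        raise ValueError("bad key label or IV")
    return struct.pack("B", len(label)) + label + iv + ciphertext

def unpack_record(blob):
    # Reject anything too short to hold a label, an IV and at least the GCM tag.
    if not blob:
        raise ValueError("empty record")
    n = blob[0]
    hdr = 1 + n + IV_LEN
    if n == 0 or len(blob) < hdr + TAG_LEN:
        raise ValueError("truncated record")
    return blob[1:1 + n].decode(), blob[1 + n:hdr], blob[hdr:]

def open_session(lib_path, token_label, user_pin):
    # lib_path/token_label/user_pin are assumptions: use the values from your HPCS PKCS #11 setup.
    import pkcs11
    lib = pkcs11.lib(lib_path)
    token = lib.get_token(token_label=token_label)
    return token.open(user_pin=user_pin, rw=False)

def encrypt_field(session, key_label, plaintext, aad=b""):
    from pkcs11 import KeyType, Mechanism, ObjectClass
    key = session.get_key(object_class=ObjectClass.SECRET_KEY,
                          key_type=KeyType.AES, label=key_label)
    iv = os.urandom(IV_LEN)  # fresh nonce per record; the AES key itself stays in the HSM
    ct = key.encrypt(plaintext, mechanism=Mechanism.AES_GCM,
                     mechanism_param=(iv, aad, TAG_LEN * 8))
    return pack_record(key_label, iv, ct)

def decrypt_field(session, blob, aad=b""):
    from pkcs11 import KeyType, Mechanism, ObjectClass
    key_label, iv, ct = unpack_record(blob)  # the label tells us which token key to use
    key = session.get_key(object_class=ObjectClass.SECRET_KEY,
                          key_type=KeyType.AES, label=key_label)
    return key.decrypt(ct, mechanism=Mechanism.AES_GCM,
                       mechanism_param=(iv, aad, TAG_LEN * 8))
```

Binding a row identifier into `aad` ties each ciphertext to its row, so a blob copied into another row fails the GCM tag check at decrypt time.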

Use the promo code HPCRYPTO30 to try the service free

We are offering new clients a $3,120 USD credit to be applied toward IBM Cloud Hyper Protect Crypto Services. When you create an instance of Hyper Protect Crypto Services, you specify the number of crypto units to provision. The default option is two crypto units for high availability, and monthly pricing is per crypto unit.

Use the promo code HPCRYPTO30 when you provision the service to get the first 30 days free for two crypto units. See this guide on how to apply promo codes to your IBM account. The offer can be redeemed in a few simple steps:

This offer is subject to availability, each promo code can be used once per customer, and cannot be combined with other offers.

For more information on this announcement, see the full press release.
