Encryption is a building block for any secure IT deployment. When protecting data at rest, organizations use symmetric encryption algorithms that rely on a key to encrypt and decrypt the information for the owner or holders of that key. In large organizations with multiple data storage devices or repositories, handling the lifecycle of the myriad keys for each device can become an administrative nightmare and a security risk, especially if part of the infrastructure is exposed to personnel who are not authorized to access the data (as in a cloud deployment).

To alleviate these issues, IBM provides Key Management Services (KMS) such as IBM Key Protect for IBM Cloud or IBM Cloud Hyper Protect Crypto Services. These manage the lifecycle of the data encryption keys and protect and isolate them for the individual user by additionally encrypting the data encryption keys with a user-owned root key (envelope encryption).

The KMS also handles the lifecycle of the user’s root keys and ensures they are accessible only to their rightful owner. To keep these root keys secured and isolated, KMS systems rely on the highest level of encryption and secure storage provided by Hardware Security Modules (HSMs). HSMs are the most secure option for protecting encryption keys and secrets, but they are expensive and require a high level of skill to configure and operate. Therefore, IBM Cloud has removed that burden from end consumers by including management of the HSM as part of the KMS service.

There are two options to handle your root keys in the managed KMS-HSM solution:

1. Bring Your Own Key (BYOK): Users can import their root keys securely into the cloud-managed KMS-HSM, where they are kept operationally separated in a shared HSM.
2. Keep Your Own Key (KYOK): A special BYOK process where the root key is entered and controlled by the user (in a master key ceremony) into a dedicated and technically isolated KMS-HSM module (in an enclave) that only the user can access.

In both models IBM manages the full operation of the KMS-HSM service; option 1 is multitenant (Key Protect) and option 2 is single-tenant (Hyper Protect Crypto Services).

IBM wants to give these organizations more flexibility in their security configurations and allow a division of responsibilities between where the root key is stored and where it is used. To this end, we are introducing the concept of Bring Your Own HSM (BYOHSM), which separates the KMS from the HSM: the KMS continues as a managed service in the IBM Cloud Satellite location, but the HSM is wholly owned and managed by the user (typically on-premises). Essentially, this provides a third KMS configuration option in which the user keeps their keys under the control of their own HSM, while the administration and handling of the key lifecycle is offloaded to the service. This gives the option of stricter controls over secret data, or of a separation of vendors.

IBM Key Protect for IBM Cloud is the multitenant IBM Cloud KMS that securely serves and manages the lifecycle of symmetric keys for a wide set of backend cloud services and user applications. Key Protect uses the BYOK method of handling root keys and stores them in a managed cloud HSM.

With the expansion of Satellite locations for IBM Cloud, there is a need to provide KMS services both to customer workloads and to the many IBM Cloud services handling data in the organization’s Satellite locations. IBM Cloud Satellite extends IBM Cloud services and software to the client’s choice of infrastructure, and one type of hardware that can be owned and managed by the user is the HSM. Effectively, this sets up Key Protect on Satellite to provide a BYOHSM configuration.