Secure and simple multi cloud key management
See product pricing
Hybrid UI style illustration

IBM Cloud Hyper Protect Crypto Services is an as-a-service (aaS) key management and encryption solution, which gives you full control over your encryption keys for data protection.

The integrated Unified Key Orchestrator acts as a secure key repository for distributing and orchestrating keys across multiple clouds, enabling quick recovery from key loss or disasters. With Hyper Protect Crypto Services, you can: 

  • Build on the highest level of security with FIPS 140-2 level 4 certified hardware.
  • Experience a worry-free approach to multi cloud key management through the all-in-one as-a-service solution. Benefit from automatic key backups built-in high availability secure business continuity and disaster recovery.
  • Manage your keys seamlessly across multiple cloud environments. Create keys securely and bring your own key seamlessly to hyperscalers such as Microsoft Azure AWS and Google Cloud Platform to enhance the data security posture and gain key control.
  • Protect data by pervasively encrypting data at rest and in transit with Keep Your Own Key (KYOK). You have full control and authority over encryption keys and no one except you has access to your master key.
Unified Key Orchestrator got awarded the Red Dot Award: Brands & Communication Design 2023.

Get two production grade crypto units at no charge for 30 days with code HPCRYPTO30

Enhance your data security posture and handle keys with ease Control keys exclusively with technical assurance

Encrypt integrated IBM Cloud Services and applications with Keep Your Own Key (KYOK). Retain complete control of your data encryption keys with technical assurance and provide runtime isolation with confidential computing.

Manage keys effortlessly across clouds

Enhance your security posture and manage keys with Unified Key Orchestrator in a multicloud environment that includes IBM Cloud, Microsoft Azure, AWS, and Google Cloud Platform.Minimize errors and maximize operational efficiency for your key management procedures by leveraging a design-award-winning user experience        ( link resides outside ibm.com).

Support quantum-safe cryptography

Protect your sensitive data quantum-safe and stay crypto agile. Currently, Hyper Protect Crypto Services provides quantum safe signing with Dillithium. Using a key management system is essential to ensure crypto agility and future-proof your security against potential quantum threats.

Encrypt data and secure digital asset with the highest level of security

Use the FIPS 140-2 Level 4 hardware security module to leverage the highest security level in the industry to store and transfer high-value digital assets in highly secure wallets reliable at scale.

Meet compliance requirements

Using keys under your unique control can help you achieve total data privacy and data sovereignty through enhanced data protection and control. Follow several guidances and regulations around the world, such as from NIST, GDPR, C5, ACSC/ASC, ECUC, ENISA, DPDPA, DORA, and more.

What Hyper Protect Crypto Services offers
Worry-free multicloud key management Unified Key Orchestrator

Create keys securely and seamlessly in a multicloud environment including Microsoft Azure, AWS, and Google Cloud Platform. Manage your keys under your exclusive control with a generic key lifecycle model based on NIST recommendations.


HSM APIs and Adapters Use the API to interact with the key management service (KMS) to manage root keys and standard keys. The service is built on FIPS 140-2 Level 4 certified hardware and PKCS #11 is supported. Single-tenant dedicated HSM domains are fully controlled by you. IBM Cloud administrators have no access. The highest security offered by any cloud provider in the industry.

Additional features IBM Cloud service encryption and key lifecycle management

Encrypt IBM Cloud services with keys under your control through KYOK integration for consistent adoption. Utilize a user-friendly GUI and Cloud APIs to track key lifecycles, ensuring unrecoverable deletion of data regardless of the source application.

Learn more
Service initialization through key ceremony

Take ownership of HSM. IBM is the first to provide cloud command-line interface (smart cards) for the HSM key ceremony to operate your HSM fully remotely. Key ceremony and smart cards management software is completely made available in the offering (with no extra charge).

Learn more
Built-in high availability and disaster recovery

Utilize a built-in central backup to redistribute and rotate keys to quickly recover from loss and minimize security threats. High Availability and Disaster Recovery are available in the offering.                                              

Learn more

Business scenarios of Hyper Protect Crypto Services

Encrypt storage devices with KYOK The data in IBM Cloud services is encrypted with randomly generated keys. To enhance protection, you can control the encryption keys and use your own keys to encrypt your data. Additionally, you can use root keys in Hyper Protect Crypto Services to your cloud service of choice and leverage envelope encryption to add another layer of protection - keep your own key (KYOK) - to your data, no one else including IBM Cloud administrators can access your data. Start to encrypt Integrated IBM Cloud Services with KYOK

Enhance data security and reduce operational efforts in the multi cloud Enhance data privacy for sensitive data, reduce risk in the cloud and establish a high-security ecosystem across AWS, Azure and GCP with customer-managed keys, also known as Bring Your Own Key (BYOK). With Unified Key Orchestrator, you can create, manage, and delete your cryptographic keys from one point of control, without dealing with different user interfaces. Ensure an efficient and fully audited key lifecycle management. Protect data in multi cloud environment

Encrypt Kubernetes Secrets with HPCS Safeguard highly sensitive data by using your own keys for encryption and manage your encryption keys with complete control. Hyper Protect Crypto Services creates highly secure keys and provides you with the exclusive control over the entire key hierarchy, including the master key of the HSM that protects the secrets as a service. Learn more

Use Secure HSM generated Key for HashicorpVault Learn how to integrate the FIPS 140-2 Level 4 certified HSM of IBM Cloud Hyper Protect Crypto Services with the auto-unseal and seal-wrap features of HashiCorp Vault Enterprise for privileged access management. Learn more

Enhance your data security posture in VMware Encrypt this storage through highly secure, industry-standard algorithms. To ensure that your sensitive and valuable data is protected, you can now leverage the KMIP adapter to use keys under your control from IBM Cloud Hyper Protect Crypto Services.

Protect data by pervasively encryption Data at rest and in transit with KYOK The data in IBM Cloud services is encrypted with randomly generated keys. To enhance protection, you can control the encryption keys and use your own keys to encrypt your data. Additionally, you can use root keys in Hyper Protect Crypto Services to your cloud service of choice and leverage envelope encryption to add another layer of protection - keep your own key (KYOK)- to your data, no one else including IBM Cloud administrators can access your data. Start to encrypt Integrated IBM Cloud Services with KYOK

Resources IBM Cloud Hyper Protect Crypto Services docs

Discover procedures, API, and CLI references as well as video resources that assist you to securely manage your keys using Hyper Protect Crypto Services.

Explore an overview of IBM Cloud® Hyper Protect Crypto Services for VMware.

Learn how to securely manage AWS S3 encryption keys using Hyper Protect Crypto Services with Unified Key Orchestrator.

Related products IBM Hyper Protect Virtual Servers

Gain authority over LinuxONE virtual servers for workloads with sensitive data or business IP.

IBM Hyper Protect Virtual Servers (On-premises)

Read the announcement about the new on-premises solution that lets you securely build deploy and manage critical applications for hybrid cloud.

Unified Key Orchestrator
 for IBM z/OS

A key management solution that centrally orchestrates and secures the lifecycle of encryption keys across your enterprise for both on premises and multiple cloud environments.

Get started

Use Promo Code HPCRYPTO30 to get two production grade crypto units at no charge for 30 days or book a meeting to get a trial instance completely free.

See product pricing
More ways to explore Documentation