Managing your keys with BYOHSM in IBM Cloud Hyper Protect Crypto Services

Objectives

This tutorial shows how you basic steps to manage keys with BYOHSM in Hyper Protect Crypto Services.

Before you begin

To use the BYOHSM function of Hyper Protect Crypto Services, make sure that you have a Pay-As-You-Go or Subscription IBM Cloud account. For details about the IBM Cloud account types, see Account types.

• To check your account type, log in to IBM Cloud and click Management > Account > Account settings.
• If you have a Lite account, make sure to upgrade your account to a Pay-As-You-Go or Subscription account.

Task flow

Get started with BYOHSM by completing the following steps:

• Before you begin
• Step 1: Purchase and set up your on-premises HSMs
• Step 2: Configure and deploy your HSMs to work with Hyper Protect Crypto Services
• Step 3: Contact IBM to get the required information
• Step 4: Provision a Hyper Protect Crypto Services instance with BYOHSM
• Step 5: Use your Hyper Protect Crypto Services instance with BYOHSM

Purchase and set up your on-premises HSMs

If you don't have an HSM for your enterprise, purchase one to connect to your Hyper Protect Crypto Services instance and enable the BYOHSM function. Currently, only Thales SafeNet Luna Network A730 and A750 model HSMs are supported. For more information, see supported types of HSMs. Make sure that you complete the initial setup based on your providers guidelines.

To achieve high availability, it is suggested to prepare and use at least two HSMs.

Configure and deploy your HSMs to work with Hyper Protect Crypto Services

1. Create an application partition in each HSM to store cryptographic objects and perform operations. For more information, see Creating partitions.

2. Create the following keys that are needed to establish a secure HSM connection. For more information, see Creating keys.

   Table 1. Keys needed for Bring Your Own HSM

   Key type	Description
   Master Key Encryption Key (MKEK)	(256-bit AES key) A root level encryption key for wrapping and unwrapping instance keys in Hyper Protect Crypto Services.
   Signing key (SKEY)	(256-bit AES key) Used for signing and verification of instance keys and user keys in Hyper Protect Crypto Services.
   Import Key (IKEY)	(192-bit DES3 key) Used to encrypt and decrypt the key materials to be imported into Hyper Protect Crypto Services.
   Transit Key Encryption Keys (TKEKs)	(10 pairs of RSA asymmetric keys) Used to securely import your own keys into Hyper Protect Crypto Services.

3. Prepare the network to connect the on-premises HSMs to your Hyper Protect Crypto Services instance. For more information about how to achieve better network performance, see Network connectivity best practice.

4. Collect the following information that you need to provide when you contact IBM in Step 3.

   Table 2. Information needed for Bring Your Own HSM

   Attribute	Description
   HSM IP address	The IP address of your HSM.
   HSM server certificate	The NTLS communications that are used by the Thales HSM require certificate exchanges between the HSM and Hyper Protect Crypto Services. You need to create a TLS certificate on your HSM and provide the certificate for Hyper Protect Crypto Services to verify communications from the HSM.
   Partition label	The name of the application partition that you create for Hyper Protect Crypto Services to use.
   Partition crypto officer password	The credential for Hyper Protect Crypto Services to log in to the corresponding application partition to perform key operations.
   Master key label	The label or name of the Master Key Encryption Key (MKEK). The label is used by Hyper Protect Crypto Services to refer to the master key in PKCS #11 API calls.
   Signing key label	The label or name of the Signing key (SKEY). It is used for data authentication such as data signing and verification.
   Import key label	The label or name of the Import key (IKEY). Hyper Protect Crypto Services uses this key to encrypt or decrypt key materials to be imported.
   Transit Key Encryption Key label prefix	The label prefix of the Transit Key Encryption Key that is used for securely importing your own keys.

Contact IBM to get the required information

Contact IBM by creating a support case to get the required information. Provide the information that you collect in Step 2 including the subnets where your HSMs can be reached. Each subnet corresponds to one Availability Zone (AZ).

IBM will then provide you with the following information:

• Your unique HSM connector ID. You need to provide the ID when you provision an instance in step 4.
• The VPC CRN. In your Transit Gateway configuration, you need to request a connection to the VPC CRN.
• The HSM client certificate. You need to install this certificate on your HSMs to ensure that the communications from Hyper Protect Crypto Services can be verified.

Provision a Hyper Protect Crypto Services instance with BYOHSM

Provision a Hyper Protect Crypto Services instance on the service catalog page with the following field values:

• Under Select a pricing plan, select Standard.
• Under Select a location, select a VPC-based region. For the VPC region list, see Regions and locations.
• Under HSM connection, select Bring Your Own HSM.
• Under HSM connector ID, enter the HSM connector ID that you get from IBM. This field is displayed only after you select Bring Your Own HSM for the HSM connection field.

For more information, see Provisioning a Hyper Protect Crypto Services instance with BYOHSM.

Use your Hyper Protect Crypto Services instance with BYOHSM

After you create an instance with the BYOHSM function enabled, you can use your own HSMs for key generation and management. For more information, see the following links:

• Creating key management service (KMS) keys
• Configuring KMIP in Hyper Protect Crypto Services for key management and distribution
• KMS API reference
• KMS CLI reference

What's next

To learn more about BYOHSM, see Introducing Bring Your Own HSM.