IBM Cloud® Hyper Protect Crypto Services is an as-a-service (aaS) key management and encryption solution, which gives you full control over your encryption keys for data protection.
The integrated Unified Key Orchestrator acts as a secure key repository for distributing and orchestrating keys across multiple clouds, enabling quick recovery from key loss or disasters. With Hyper Protect Crypto Services, you can:
Create keys securely and seamlessly in a multicloud environment, including Microsoft Azure, AWS and Google Cloud Platform. Manage your keys under your exclusive control with a generic key lifecycle model based on NIST recommendations.
Use the API to interact with the key management service (KMS) to manage root keys and standard keys. The service is built on FIPS 140-2 Level 4 certified hardware and PKCS #11 is supported. Single-tenant dedicated HSM domains are fully controlled by you, and IBM Cloud administrators have no access—the highest security offered by any cloud provider in the industry.
Encrypt IBM Cloud services with keys under your control through KYOK integration for consistent adoption. Use a user-friendly GUI and Cloud APIs to track key lifecycles, ensuring unrecoverable deletion of data regardless of the source application.
Take ownership of the HSM. IBM is the first to provide a cloud command-line interface (smart cards) for the HSM key ceremony, so that you can operate your HSM fully remotely. Key ceremony and smart card management software is included in the offering at no extra charge.
Use a built-in central backup to redistribute and rotate keys to quickly recover from loss and minimize security threats. High availability and disaster recovery are available in the offering.
Discover business scenarios of Hyper Protect Crypto Services.
The data in IBM Cloud services is encrypted with randomly generated keys. To enhance protection, you can control the encryption keys and use your own keys to encrypt your data. You can also use root keys in Hyper Protect Crypto Services with your cloud service of choice and use envelope encryption to add another layer of protection, KYOK, to your data, so that no one else, including IBM Cloud administrators, can access your data.
Enhance data privacy for sensitive data, reduce risk in the cloud and establish a high-security ecosystem across AWS, Azure and GCP with customer-managed keys, also known as Bring Your Own Key (BYOK). With Unified Key Orchestrator, you can create, manage, and delete your cryptographic keys from one point of control, without dealing with different user interfaces. Ensure an efficient and fully audited key lifecycle management.
Safeguard highly sensitive data by using your own keys for encryption and manage your encryption keys with complete control. Hyper Protect Crypto Services creates highly secure keys and gives you exclusive control over the entire key hierarchy, including the master key of the HSM that protects the secrets as a service.
Learn how to integrate the FIPS 140-2 Level 4 certified HSM of IBM Cloud Hyper Protect Crypto Services with the auto-unseal and seal-wrap features of HashiCorp Vault Enterprise for privileged access management.
Encrypt this storage through highly secure, industry-standard algorithms. To ensure that your sensitive and valuable data is protected, you can now leverage the KMIP adapter to use keys under your control from IBM Cloud Hyper Protect Crypto Services.
The data in IBM Cloud services is encrypted with randomly generated keys. To enhance protection, you can control the encryption keys and use your own keys to encrypt your data. Additionally, you can use root keys in Hyper Protect Crypto Services with your cloud service of choice and use envelope encryption to add another layer of protection, keep your own key (KYOK), to your data, so that no one else, including IBM Cloud administrators, can access your data.