This guide shows you how to add IBM Cloud Hyper Protect Crypto Services (HPCS) as a keystore in Baffle Manager and how to configure HPCS. A reference for the necessary parameter settings is provided following the walkthrough procedure.
IBM Cloud Hyper Protect Crypto Services offers a cloud hardware security module (HSM) and key management service. It aims to give you control over your cloud HSMs and cloud data encryption keys, and it is the only service in the market built on FIPS 140-2 Level 4-certified hardware.
The service, which is based on IBM LinuxONE technology, helps to guarantee that only you have access to your keys. A dedicated, customer-controlled HSM that provides single-tenant key management and key vaulting makes it simple to create encryption keys. You can also bring your own encryption keys to manage instead. Your applications can incorporate cryptographic operations such as digital signing and validation because the managed cloud HSM supports industry standards such as PKCS #11.
Configure IBM Cloud Hyper Protect Crypto Services (HPCS)
Configure IBM Cloud Hyper Protect Crypto Services by following these steps. Once this process is finished, you can add IBM Cloud Hyper Protect Crypto Services as a keystore in Baffle Manager.
Follow these steps to configure IBM Cloud Hyper Protect Crypto Services (HPCS):
1. Get the IBM HPCS Instance ID in one of the following ways:
   - Using the IBM CLI – enter the following command in a shell window:
     `ibmcloud resource service-instance 'HPCS-Baffle-1'`
   - Using the IBM Cloud web console – navigate to `Services and Software` and select the HPCS instance. The GUID is displayed in the sidebar and is the value you use for the Instance ID.
2. Create and retrieve an API key:
   - Open a web browser and navigate to: https://cloud.ibm.com/iam/apikeys.
   - Select Create an IBM Cloud API Key and name the key.
   - Copy or download the key after it is created.
3. Create Cloud Object Storage (COS) in the resource group.
4. Create a Bucket in the COS instance, for example: bm-ibm-bucket
5. Generate Service Credentials for the COS Bucket.
6. In Object Storage, click Service Credentials in the side panel. Then click New Credential.
7. Enable HMAC and click Add.
   NOTE: The cos_hmac_keys give you the AWS S3 access_key_id and secret_access_key.
8. Continue with adding IBM Cloud Hyper Protect Crypto Services as a keystore in Baffle Manager.
Add IBM Cloud Hyper Protect Crypto Services as a keystore in Baffle Manager
Use IBM Cloud Hyper Protect Crypto Services as a keystore in Baffle Manager by completing the subsequent steps.
Do the following to add IBM Cloud Hyper Protect Crypto Services as a keystore:
1. In the Baffle Manager console, click the key icon in the left navigation bar. The Keystore window appears.
   NOTE: The baffle_credential_store and ibm_crypto_service_url in kmsConfig are the only keystores that appear in the list.
2. Click +Keystore. The Add Keystore dialog appears.
3. Enter a keystore Name and select IBM Cloud Hyper Protect Crypto Services in the Keystore Type drop-down menu.
4. For KeyProtect Instance, enter the Instance ID from step 1 of configuring IBM Cloud Hyper Protect Crypto Services.
5. For App Namespace, enter a string that identifies the DEKs created for the application.
6. For IBM Cloud Hyper Protect Crypto Services Alias, enter a unique string value.
7. For IAM API Key, use the key you created in step 2 of configuring IBM Cloud Hyper Protect Crypto Services.
8. For Key Management Endpoint URL, paste the endpoint URL from the HPCS console. The port number is at the end of this string. This field corresponds to the ibm_crypto_service_url parameter in kmsConfig.
9. For IBM region, specify the region of the IBM Cloud Hyper Protect Crypto Services instance. See Available IBM region listing for the valid values.
10. For IBM Cloud Object Storage URL, specify the IBM endpoint URL for COS, for example: https://s3.us-south.cloud-object-storage.appdomain.cloud
11. For Access Key ID and Secret Key, enter the cos_hmac_keys from step 7 of configuring IBM Cloud Hyper Protect Crypto Services.
12. When completed, click Add Keystore.
NOTE: The key will not appear in IBM Cloud Hyper Protect Crypto Services until Baffle Shield has been connected and data encryption migration has occurred.
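The two procedures above collect several values (instance GUID, endpoint URL with its port, region, COS endpoint, HMAC keys) that are only checked when the keystore is submitted. The following added example, which is not Baffle's or IBM's own code, cross-checks those values against this page's region listing and endpoint formats before you enter them; the sample values, the port, and every kmsConfig key name other than ibm_crypto_service_url are constructed assumptions.

```python
"""Pre-flight checks for the HPCS keystore parameters described in this guide.
Added example for this page; it is not Baffle's or IBM's own code."""
import re
from urllib.parse import urlsplit

# Region identifiers taken from the "Available IBM region listing" on this page.
IBM_REGIONS = {"us-south", "us-east", "eu-gb", "eu-de", "au-syd", "jp-tok",
               "jp-osa", "ca-tor", "br-sao", "us", "eu", "ap"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def check_keystore_params(instance_id, endpoint_url, region, cos_url, hmac_keys):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not GUID_RE.match(instance_id):
        problems.append("instance ID is not an HPCS instance GUID")
    ep = urlsplit(endpoint_url)
    # The Key Management Endpoint URL copied from the HPCS console ends with the port.
    if ep.scheme != "https" or ep.port is None:
        problems.append("endpoint URL must be https and end with the port number")
    if region not in IBM_REGIONS:
        problems.append(f"unknown IBM region {region!r}")
    elif "-" in region and ep.hostname and f".{region}." not in ep.hostname:
        problems.append("endpoint URL does not belong to the selected region")
    # Public COS endpoints look like https://s3.<region>.cloud-object-storage.appdomain.cloud
    cos = urlsplit(cos_url)
    if cos.scheme != "https" or cos.hostname != f"s3.{region}.cloud-object-storage.appdomain.cloud":
        problems.append("COS URL is not the public endpoint for the selected region")
    if not (hmac_keys.get("access_key_id") and hmac_keys.get("secret_access_key")):
        problems.append("cos_hmac_keys lack access_key_id or secret_access_key")
    return problems


def build_kms_config(instance_id, endpoint_url, region, cos_url, hmac_keys):
    """Assemble a kmsConfig fragment. Only ibm_crypto_service_url is named on this
    page; the other key names are assumptions, not Baffle's schema."""
    problems = check_keystore_params(instance_id, endpoint_url, region, cos_url, hmac_keys)
    if problems:
        raise ValueError("; ".join(problems))
    # The secret access key is deliberately kept out of the fragment that may be logged or stored.
    return {"ibm_crypto_service_url": endpoint_url, "instance_id": instance_id,
            "region": region, "cos_url": cos_url, "access_key_id": hmac_keys["access_key_id"]}


# Constructed sample values shaped like the console output; not real IDs, ports or keys.
SAMPLE = dict(instance_id="1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
              endpoint_url="https://api.us-south.hs-crypto.cloud.ibm.com:8992",
              region="us-south",
              cos_url="https://s3.us-south.cloud-object-storage.appdomain.cloud",
              hmac_keys={"access_key_id": "AKIAEXAMPLE", "secret_access_key": "SECRETEXAMPLE"})
```

Run `check_keystore_params(**SAMPLE)` on your own values first; an empty list means the region, endpoint and COS URL agree with each other.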
Available IBM region listing
Regional Endpoints
Region | Public endpoints
Dallas | us-south
Washington DC | us-east
London | eu-gb
Frankfurt | eu-de
Sydney | au-syd
Tokyo | jp-tok
Osaka | jp-osa
Toronto | ca-tor
São Paulo | br-sao
Cross Region Endpoints
Region | Public endpoints
North America | us
Europe | eu
Asia Pacific | ap
More information
For more information on the following topics, see the related IBM documentation.
- Create IBM Keys Auth – For more information, see the IBM documentation.
- Deploy a Kubernetes cluster – For more information, see the IBM documentation.
- Create an HPCS instance – For more information, see the IBM documentation.
- Create a Cloud Object Store (COS) – For more information, see the IBM documentation.
- Create HMAC keys on the COS – For more information, see the IBM documentation.