
Render your data useless to hackers

Archived content

Archive date: 2020-04-22

This content is no longer being updated or maintained. The content is provided “as is.” Given the rapid evolution of technology, some content, steps, or illustrations may have changed.

Ensuring sensitive data is secure is top of mind for everyone, particularly those who work with sensitive health data. Hyper Protect cloud services built on IBM LinuxONE take security to the next level. The DBaaS service brings inherent data encryption both at rest and in flight without any application changes, and unlike other DBaaS cloud services, it ensures that you are the only one with access to your data. The Crypto service allows you to have complete control of encryption key management where cloud admins have no access to the keys.

One unfortunate side effect of natural disasters is that they often lead to desperate and malicious acts that can put valuable data at risk. If you are building an application that stores personal information — about the people impacted by a disaster, sensitive medical information, financial data, etc. — then data security is not an option, it’s a must. I’ll show you how to easily infuse security into your application with key management services to render data useless to hackers.

IBM Cloud Hyper Protect Crypto Services is a complete set of encryption and key management services that are backed by LinuxONE technology; the same state-of-the-art cryptographic technology that banks and financial services rely on is now available to cloud users.

The network-addressable Hardware Security Module provides an industry-standard PKCS#11 cryptography API that is supported by different programming languages, including Java, JavaScript, and Swift. It supports secure-key operations and random-number generation through IBM Z cryptographic hardware, FIPS 140-2 Level 4 certified technology — the highest level attainable. You can access Hyper Protect Crypto Services through an Advanced Cryptography Service Provider (ACSP) client, which communicates with the ACSP server to give you access to the back-end cryptographic resources. This is the industry’s first and only FIPS 140-2 Level 4 certified technology in the public cloud market today.

Most mobile applications rely on server back ends for centralized services. This programming example shows you how to integrate IBM’s Hyper Protect Crypto Services into your app infrastructure quickly and easily without specialized skills.

Learning objectives

Using the instructions below, you will create your own instance of the Hyper Protect Crypto Service and then address your cryptographic requests to it. This will allow you to rely on execution under physical protection of the Hardware Security Module (HSM). What does this mean? Keys — or the actual value of the keys, to be more precise — stay securely hidden within this special hardware, while a predefined set of cryptographic operations can be performed referencing the key material. Encrypt and decrypt are the most popular operations, but PKCS#11-compliant HSMs provide access to sign, verify, key generation, and much more. In addition, you have a choice of various key types and sizes to best match your requirements.

Prerequisites

There are no technical prerequisites for completing this how-to.

Estimated time

It should take you about 30 minutes to complete this activity.


You can get access to certified PKCS#11 Hardware Security Module-backed cryptographic operations and services in your app in 3 easy steps:

  1. Get an IBM Cloud account
  2. Provision IBM Cloud Crypto
  3. Install and configure the client libraries

Get an IBM Cloud account

If you already have one, feel free to skip this step. Otherwise:

  1. Navigate to the IBM Cloud Portal to create your account and select Create a free account.
  2. Complete the form with your registration data and select Create account.

Selection and initial start of the HPCS

If you haven’t already done so, log in to your IBM Cloud account.

  1. Visit IBM Cloud services catalog to see the list of services.

  2. From the All Categories navigation pane on the left, click Security and Identity.

  3. From the list of services, click the Hyper Protect Crypto Services tile.

  4. Select the Hyper Protect Crypto Services Lite Plan, and click Create to provision an instance of IBM CloudCrypto in the account, region, and resource group where you log in.

After a little time, your new Crypto Service should be up and running. Congratulations, you’re halfway there!

Install and configure the client libraries in your app server

Complete the following steps to install the ACSP client libraries in your local environment:

  1. Download the installation package from the GitHub repository. In the packages folder, choose the installation package file that is suitable for your operating system and CPU architecture. For example, for Ubuntu on x86, choose acsp-pkcs11-client_1.5-3.5_amd64.deb.

  2. Install the package and the ACSP client libraries with the dpkg command. For example, dpkg -i acsp-pkcs11-client_1.5-3.5_amd64.deb.

Note: At the current experimental stage, Hyper Protect Crypto Services provides only self-signed certificates.

Configure the ACSP client to enable a proper secure communication channel (mutual TLS) to your service instance in the cloud:

  1. In your Hyper Protect Crypto Services service instance in IBM Cloud, select Manage from the left navigator.

  2. On the Manage screen, click the Download Config button to download the acsp_client_credentials.uue file.

  3. Copy the acsp_client_credentials.uue file to the /opt/ibm/acsp-pkcs11-client/config directory in your local environment.

  4. In the /opt/ibm/acsp-pkcs11-client/config directory, decode the file with the following command:

     base64 --decode acsp_client_credentials.uue > acsp_client_credentials.tar

  5. Extract the client credentials file with the following command:

     tar xf acsp_client_credentials.tar

  6. Move the server-config files into the default place with the following command:

     mv server-config/* ./

  7. Rename the client credentials file with the following command:

  8. (Optional) Change group ID of the files with the following command:

     chown root.pkcs11 *

  9. Enable ACSP to use the proper config for the service instance in the cloud:

     export ACSP_P11=/opt/ibm/acsp-pkcs11-client/config/

Now your ACSP client is operational and your Hyper Protect Crypto Services instance is ready to use!
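The decode, extract, move and permission steps above, collected into one checked shell function as an added example (this is not part of the original tutorial or of the ACSP client package). It stops at the first failed step instead of leaving a half-configured client behind, and it ends with the sanity check a practitioner would run before trusting the setup. Assumptions of mine, not the tutorial's: the config directory and the downloaded file name default to the tutorial's values but are taken as parameters so the function can be exercised in a scratch directory first; the optional chown is written with the standard `root:pkcs11` form and only attempted as root when a `pkcs11` group exists; step 7 is not reproduced because the tutorial does not state its command.

```shell
#!/bin/sh
# Added example, not from the original tutorial: wraps the tutorial's decode /
# extract / move / chown steps in one function that fails fast.
# Assumptions (mine): CONFIG_DIR and UUE_FILE default to the tutorial's values
# (/opt/ibm/acsp-pkcs11-client/config, acsp_client_credentials.uue) but may be
# overridden, so the function can be tried in a scratch directory before /opt.

# install_acsp_credentials [CONFIG_DIR] [UUE_FILE]
# On success prints the export line for ACSP_P11 and returns 0; returns 1 otherwise.
install_acsp_credentials() {
    cfg_dir="${1:-/opt/ibm/acsp-pkcs11-client/config}"
    uue_file="${2:-acsp_client_credentials.uue}"

    [ -d "$cfg_dir" ] || { echo "error: $cfg_dir does not exist (is the ACSP client package installed?)" >&2; return 1; }
    [ -f "$cfg_dir/$uue_file" ] || { echo "error: $uue_file not found in $cfg_dir (copy the downloaded file there first)" >&2; return 1; }

    # Subshell: the caller's working directory stays untouched.
    (
        cd "$cfg_dir" || exit 1

        # Step 4: the download is base64 text wrapping a tar archive.
        base64 --decode "$uue_file" > acsp_client_credentials.tar \
            || { echo "error: $uue_file is not valid base64" >&2; exit 1; }

        # Step 5: unpack, and refuse to continue if no server-config directory came out.
        tar xf acsp_client_credentials.tar \
            || { echo "error: acsp_client_credentials.tar could not be extracted" >&2; exit 1; }
        [ -d server-config ] \
            || { echo "error: archive contains no server-config directory" >&2; exit 1; }

        # Step 6: move the server-config files to the directory the client reads by default.
        mv server-config/* ./ || exit 1
        rmdir server-config

        # Step 8 (optional in the tutorial): only meaningful as root, and only if the group exists.
        if [ "$(id -u)" -eq 0 ] && getent group pkcs11 >/dev/null 2>&1; then
            chown root:pkcs11 ./*
        fi
    ) || return 1

    # Step 9: the tutorial points ACSP_P11 at the config directory, trailing slash included.
    echo "export ACSP_P11=$cfg_dir/"
}

# check_acsp_config: ACSP_P11 must be set and must name a non-empty directory.
check_acsp_config() {
    [ -n "${ACSP_P11:-}" ] || { echo "ACSP_P11 is not set" >&2; return 1; }
    [ -d "$ACSP_P11" ] || { echo "ACSP_P11 ($ACSP_P11) is not a directory" >&2; return 1; }
    [ -n "$(ls -A "$ACSP_P11")" ] || { echo "ACSP_P11 ($ACSP_P11) is empty" >&2; return 1; }
}
```

Typical use, after copying the downloaded file into the config directory: `eval "$(install_acsp_credentials)" && check_acsp_config`. The `eval` is what makes the `export ACSP_P11=...` line take effect in the current shell, exactly as step 9 does by hand; any error message goes to stderr and leaves the shell environment unchanged.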


The IBM family of Hyper Protect Services is built as a set of application building blocks that can replace standard cloud componentry with specially hardened variants. These variants provide the highest assurance of data protection not only at rest and in flight, but also while processing.