Archived | Render your data useless to hackers
Provide the highest assurance of data protection at rest and while processing
Ensuring sensitive data is secure is top of mind for everyone, particularly those who work with sensitive health data. Hyper Protect cloud services built on IBM LinuxONE take security to the next level. The DBaaS service brings inherent data encryption both at rest and in flight without any application changes, and unlike other DBaaS cloud services, it ensures that you are the only one with access to your data. The Crypto service allows you to have complete control of encryption key management where cloud admins have no access to the keys.
One unfortunate side effect of natural disasters is that they often lead to desperate and malicious acts that can put valuable data at risk. If you are building an application that stores personal information — about the people impacted by a disaster, sensitive medical information, financial data, etc. — then data security is not an option, it’s a must. I’ll show you how to easily infuse security into your application with key management services to render data useless to hackers.
IBM Cloud Hyper Protect Crypto Services is a complete set of encryption and key management services that are backed by LinuxONE technology; the same state-of-the-art cryptographic technology that banks and financial services rely on is now available to cloud users.
Most mobile applications rely on server back ends for centralized services. This programming example shows you how to integrate IBM’s Hyper Protect Crypto Services into your app infrastructure quickly and easily without specialized skills.
Using the instructions below, you will create your own instance of the Hyper Protect Crypto Service and then address your cryptographic requests to it. This will allow you to rely on execution under physical protection of the Hardware Security Module (HSM). What does this mean? Keys — or the actual value of the keys, to be more precise — stay securely hidden within this special hardware, while a predefined set of cryptographic operations can be performed referencing the key material. Encrypt and decrypt are the most popular operations, but PKCS#11-compliant HSMs provide access to sign, verify, key generation, and much more. In addition, you have a choice of various key types and sizes to best match your requirements.
There are no technical prerequisites for completing this how-to.
It should take you about 30 minutes to complete this activity.
You can get access to certified PKCS#11 Hardware Security Module-backed cryptographic operations and services in your app in 3 easy steps:
- Get an IBM Cloud Account
- Provision IBM Cloud Crypto
- Install and configure the client libraries
Get an IBM Cloud account
If you already have one, feel free to skip this step. Otherwise:
- Navigate to the IBM Cloud Portal to create your account and select Create a free account.
- Complete the form with your registration data and select Create account.
Selection and initial start of the HPCS
If you haven’t already done so, log in to your IBM Cloud account.
Visit IBM Cloud services catalog to see the list of services.
From the All Categories navigation pane on the left, click Security and Identity.
From the list of services, click the Hyper Protect Crypto Services tile.
Select the Hyper Protect Crypto Services Lite Plan, and click Create to provision an instance of IBM CloudCrypto in the account, region, and resource group where you log in.
After a little time, your new Crypto Service should be up and running. Congratulations, you’re half-way there!
Install and configure the client libraries in your app server
Complete the following steps to install the ACSP client libraries in your local environment:
Download the installation package from the GitHub repository. In the packages folder, choose the installation package file that is suitable for your operating system and CPU architecture. For example, for Ubuntu on x86, choose
Install the package and the ACSP client libraries with the
dpkgcommand. For example,
dpkg -i acsp-pkcs11-client_1.5-3.5_amd64.deb.
Note: At the current experimental stage, Hyper Protect Crypto Services provides only self-signed certificates.
Configure the ACSP client to enable a proper secure communication channel (mutual TLS) to your service instance in the cloud:
In your Hyper Protect Crypto Services service instance in IBM Cloud, select Manage from the left navigator.
On the Manage screen, click the Download Config button to download the
acsp_client_credentials.uuefile to the
/opt/ibm/acsp-pkcs11-client/configdirectory in your local environment.
/opt/ibm/acsp-pkcs11-client/configdirectory, decode the file with the following command:
base64 --decode acsp_client_credentials.uue > acsp_client_credentials.tar
Extract the client credentials file with the following command:
tar xf acsp_client_credentials.tar
Move the server-config files into the default place with the following command:
mv server-config/* ./
Rename the client credentials file with the following command:
mv acsp.properties.client acsp.properties
(Optional) Change group ID of the files with the following command:
chown root.pkcs11 *
Enable ACSP to use the proper config for the service instance in the cloud:
Now your ACSP client is operational and your Hyper Protect Crypto Services is ready to use!
The IBM family of Hyper Protect Services are built as application building blocks that can be used to replace standard cloud componentry with specially hardened variants. These variants provide the highest assurance of data protection not only at rest and in flight, but also while processing.