One unfortunate side effect of natural disasters is that they often lead to desperate and malicious acts that can put valuable data at risk. If you are building an application that stores personal information — about the people impacted by a disaster, sensitive medical information, financial data, etc. — then data security is not an option, it’s a must. I’ll show you how to easily infuse security into your application with Hyper Protect Crypto Services and key management services to render data useless to hackers.

IBM Cloud Hyper Protect Crypto Services is a complete set of encryption and key management services that are backed by IBM Z technology; the same state-of-the-art cryptographic technology that banks and financial services rely on is now available to cloud users.

The network-addressable Hardware Security Module provides an industry-standard, secure PKCS#11 cryptography API that is supported by different programming languages, including Java, JavaScript, and Swift. It supports secure-key operations and random-number generation through IBM Z cryptographic hardware, which is FIPS 140-2 Level 4 certified technology, the highest level attainable. You can access Hyper Protect Crypto Services through an Advanced Cryptography Service Provider (ACSP) client, which communicates with the ACSP server to enable you to access the back-end cryptographic resources. This is the industry’s first and only FIPS 140-2 Level 4 certified technology in the public cloud market today.

Most mobile applications rely on server back ends for centralized services. This programming example shows you how to integrate IBM’s new Hyper Protect Crypto Services into your app infrastructure quickly and easily without specialized skills.

Learning objectives

Using the instructions below, you will create your own instance of the Hyper Protect Crypto Service and then address your cryptographic requests to it. This will allow you to rely on execution under physical protection of the Hardware Security Module (HSM). What does this mean? Keys — or the actual value of the keys, to be more precise — stay securely hidden within this special hardware, while a predefined set of cryptographic operations can be performed referencing the key material. Encrypt and decrypt are the most popular operations, but PKCS#11-compliant HSMs provide access to sign, verify, key generation, and much more. In addition, you have a choice of various key types and sizes to best match your requirements.

Prerequisites

There are no technical prerequisites for completing this how-to.

Estimated time

It should take you about 30 minutes to complete this activity.

Steps

You can get access to certified PKCS#11 Hardware Security Module-backed cryptographic operations and services in your app in 3 easy steps:

  1. Get an IBM Cloud Account
  2. Provision IBM CloudCrypto
  3. Install and configure the client libraries

Get an IBM Cloud account

If you already have one, feel free to skip this step. Otherwise:

  1. Navigate to the IBM Cloud Portal to create your account and select Create a free account.
  2. Complete the form with your registration data and select Create account.

Selection and initial start of the HPCS

If you haven’t already done so, log in to your IBM Cloud account.

  1. Visit IBM Cloud Experimental Services to see the list of services in the experimental phase.

  2. From the All Categories navigation pane on the left, click the Security category under Platform.

  3. From the list of services, click the Hyper Protect Crypto Services tile.

  4. Select the Hyper Protect Crypto Services Lite Plan, and click Create to provision an instance of IBM CloudCrypto in the account, region, and resource group where you log in.

After a little time, your new Crypto Service should be up and running. Congratulations, you’re halfway there!

Install and configure the client libraries in your app server

Complete the following steps to install the ACSP client libraries in your local environment:

  1. Download the installation package from the GitHub repository. In the packages folder, choose the installation package file that is suitable for your operating system and CPU architecture. For example, for Ubuntu on x86, choose acsp-pkcs11-client_1.5-3.5_amd64.deb.

  2. Install the package and the ACSP client libraries with the dpkg command. For example:

     dpkg -i acsp-pkcs11-client_1.5-3.5_amd64.deb

Note: At the current experimental stage, Hyper Protect Crypto Services provides only self-signed certificates.

Configure the ACSP client to enable a proper secure communication channel (mutual TLS) to your service instance in the cloud:

  1. In your Hyper Protect Crypto Services service instance in IBM Cloud, select Manage from the left navigator.

  2. On the Manage screen, click the Download Config button to download the acsp_client_credentials.uue file.

  3. Copy the acsp_client_credentials.uue file to the /opt/ibm/acsp-pkcs11-client/config directory in your local environment.

  4. In the /opt/ibm/acsp-pkcs11-client/config directory, decode the file with the following command:

     base64 --decode acsp_client_credentials.uue > acsp_client_credentials.tar
    
  5. Extract the client credentials file with the following command:

     tar xf acsp_client_credentials.tar
    
  6. Move the server-config files into the default place with the following command:

     mv server-config/* ./
    
  7. Rename the client credentials file with the following command:

     mv acsp.properties.client acsp.properties
    
  8. (Optional) Change the owner and group ID of the files with the following command:

     chown root:pkcs11 *
    
  9. Enable ACSP to use the proper config for the service instance in the cloud:

     export ACSP_P11=/opt/ibm/acsp-pkcs11-client/config/acsp.properties
    

Now your ACSP client is operational and your Hyper Protect Crypto Services is ready to use!
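The decode, extract, move and rename steps above can be combined into one script that also stops on a corrupt download, refuses archive members that would land outside the target directory, and removes group and other access from the credential files before installing them. This is an added example, not IBM's own tooling: the function names `members_are_safe`, `install_acsp_credentials` and `make_sample_uue` and the extra checks are assumptions, and the sample bundle is constructed.

```shell
#!/bin/sh
# Added example. File names and paths follow the page; the function names
# and the extra checks are assumptions of this sketch.

# Succeeds only if no archive member (one per line on stdin) is an absolute
# path or contains a ".." component.
members_are_safe() {
    while IFS= read -r m; do
        case "/$m/" in
            //*|*/../*) return 1 ;;
        esac
    done
    return 0
}

# install_acsp_credentials UUE_FILE CONFIG_DIR
# Runs in a subshell so umask and the cleanup trap do not leak to the caller.
install_acsp_credentials() (
    uue=$1 cfg=$2
    umask 077
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    base64 --decode "$uue" > "$work/creds.tar" ||
        { echo "not valid base64: $uue" >&2; exit 1; }
    tar tf "$work/creds.tar" | members_are_safe ||
        { echo "archive member escapes the target directory" >&2; exit 1; }
    tar xf "$work/creds.tar" -C "$work" || exit 1
    [ -f "$work/server-config/acsp.properties.client" ] ||
        { echo "acsp.properties.client not in bundle" >&2; exit 1; }
    chmod -R go= "$work/server-config"      # credentials: owner access only
    mkdir -p "$cfg" && mv "$work"/server-config/* "$cfg"/ || exit 1
    mv "$cfg/acsp.properties.client" "$cfg/acsp.properties" || exit 1
    echo "$cfg/acsp.properties"             # value for ACSP_P11
)

# Constructed stand-in for the downloaded bundle (placeholder content only).
make_sample_uue() {
    src=$(mktemp -d) && mkdir "$src/server-config" || return 1
    echo "constructed=placeholder" > "$src/server-config/acsp.properties.client"
    tar cf - -C "$src" server-config | base64 > "$1"
    rm -rf "$src"
}

# Usage: export ACSP_P11=$(install_acsp_credentials acsp_client_credentials.uue \
#                          /opt/ibm/acsp-pkcs11-client/config)
```

If the pkcs11 group must read the files, apply the optional chown step afterwards and widen the mode to 640 for that group only.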

Summary

The IBM family of Hyper Protect Services are built as application building blocks that can be used to replace standard cloud componentry with specially hardened variants. These variants provide the highest assurance of data protection not only at rest and in flight, but also while processing.