sitemap.md

copyright	lastupdated	keywords	subcollection
years 2021	2021-11-23	site map, doc structure, information architecture	hs-crypto

{:DomainName: data-hd-keyref="APPDomain"} {:DomainName: data-hd-keyref="DomainName"} {:android: data-hd-operatingsystem="android"} {:api: .ph data-hd-interface='api'} {:apikey: data-credential-placeholder='apikey'} {:app_key: data-hd-keyref="app_key"} {:app_name: data-hd-keyref="app_name"} {:app_secret: data-hd-keyref="app_secret"} {:app_url: data-hd-keyref="app_url"} {:authenticated-content: .authenticated-content} {:beta: .beta} {:c#: data-hd-programlang="c#"} {:cli: .ph data-hd-interface='cli'} {:codeblock: .codeblock} {:curl: .ph data-hd-programlang='curl'} {:deprecated: .deprecated} {:dotnet-standard: .ph data-hd-programlang='dotnet-standard'} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:fuzzybunny: .ph data-hd-programlang='fuzzybunny'} {:generic: data-hd-operatingsystem="generic"} {:generic: data-hd-programlang="generic"} {:gif: data-image-type='gif'} {:go: .ph data-hd-programlang='go'} {:help: data-hd-content-type='help'} {:hide-dashboard: .hide-dashboard} {:hide-in-docs: .hide-in-docs} {:important: .important} {:ios: data-hd-operatingsystem="ios"} {:java: .ph data-hd-programlang='java'} {:java: data-hd-programlang="java"} {:javascript: .ph data-hd-programlang='javascript'} {:javascript: data-hd-programlang="javascript"} {:new_window: target="_blank"} {:note: .note} {:objectc: data-hd-programlang="objectc"} {:org_name: data-hd-keyref="org_name"} {:php: data-hd-programlang="php"} {:pre: .pre} {:preview: .preview} {:python: .ph data-hd-programlang='python'} {:python: data-hd-programlang="python"} {:route: data-hd-keyref="route"} {:row-headers: .row-headers} {:ruby: .ph data-hd-programlang='ruby'} {:ruby: data-hd-programlang="ruby"} {:runtime: architecture="runtime"} {:runtimeIcon: .runtimeIcon} {:runtimeIconList: .runtimeIconList} {:runtimeLink: .runtimeLink} {:runtimeTitle: .runtimeTitle} {:screen: .screen} {:script: data-hd-video='script'} {:service: architecture="service"} {:service_instance_name: data-hd-keyref="service_instance_name"} {:service_name: data-hd-keyref="service_name"} {:shortdesc: .shortdesc} {:space_name: data-hd-keyref="space_name"} {:step: data-tutorial-type='step'} {:subsection: outputclass="subsection"} {:support: data-reuse='support'} {:swift: .ph data-hd-programlang='swift'} {:swift: data-hd-programlang="swift"} {:table: .aria-labeledby="caption"} {:term: .term} {:tip: .tip} {:tooling-url: data-tooling-url-placeholder='tooling-url'} {:troubleshoot: data-hd-content-type='troubleshoot'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms} {:tutorial: data-hd-content-type='tutorial'} {:ui: .ph data-hd-interface='ui'} {:unity: .ph data-hd-programlang='unity'} {:url: data-credential-placeholder='url'} {:user_ID: data-hd-keyref="user_ID"} {:vbnet: .ph data-hd-programlang='vb.net'} {:video: .video}

Site map

{: #sitemap}

Find what you are looking for in the compilation of topics that are available in this documentation set. {: shortdesc}

Getting started

{: #sitemap_getting_started}

Getting started with {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}}

• Before you begin

• Step 1: Provision the service

• Step 2: Initialize your service instance

• Step 3: Using the key management service and cloud hardware security module

• (Optional) Step 4: Create a {{site.data.keyword.hscrypto}} VPE gateway for VPC

• What's next

Understanding Hyper Protect Crypto Services

{: #sitemap_understanding_hyper_protect_crypto_services}

Overview

• Why {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}}?

• How does {{site.data.keyword.hscrypto}} work?

• Key features

• What's next

Service architecture

• {{site.data.keyword.hscrypto}} architecture

• {{site.data.keyword.hscrypto}} workload isolation

• Service dependencies

Use cases

• Pervasively protecting data at rest in the cloud

• Using {{site.data.keyword.hscrypto}} as PKCS #11 HSMs

• Using {{site.data.keyword.hscrypto}} as Enterprise PKCS #11 HSMs

• What's next

Security and compliance

• Security readiness

• Compliance readiness

Components and concepts

• Key management service

• Cloud hardware security module

About service instance initialization

{: #sitemap_about_service_instance_initialization}

Initializing your service instance

• Understanding administrators and signature keys

• Understanding imprint mode and signature thresholds

• Understanding the master key

• What's next

Introducing service instance initialization approaches

• Initializing service instances by using smart cards and the Management Utilities

• Initializing service instances by using recovery crypto units

• Initializing service instances by using key part files

About key management service

{: #sitemap_about_key_management_service}

Bringing your encryption keys to the cloud

• Planning ahead for importing key material

• Using import tokens

• What's next

Protecting your data with envelope encryption

• Keys in envelope encryption

• How it works

• Wrapping keys

• Unwrapping keys

• What's next

Monitoring the lifecycle of encryption keys

• Key states and transitions

• Key states and service actions

• Monitoring for lifecycle changes

About cloud hardware security module

{: #sitemap_about_cloud_hardware_security_module}

Introducing cloud HSM

• What is cloud HSM?

• Performing cryptographic operations by accessing the cloud HSM

Introducing PKCS #11

• PKCS #11 implementation components

Introducing EP11 over gRPC

About key rotation

{: #sitemap_about_key_rotation}

Master key rotation

• How master key rotation works

• What's next

Root key rotation

• Comparing your root key rotation options

• How root key rotation works

• Frequency of root key rotation

• What's next

Integrating {{site.data.keyword.cloud_notm}} services with {{site.data.keyword.hscrypto}}

{: #sitemap_integrating__services_with_{{sitedatakeywordhscrypto}}}

Integrating {{site.data.keyword.cloud_notm}} services with {{site.data.keyword.hscrypto}}

• Storage service integrations

• Database service integrations

• Compute service integrations

• Container service integrations

• Ingestion service integrations

• Security service integrations

• Understanding your integration

• What's next

Release notes

{: #sitemap_release_notes}

Release notes

• 30 July 2021

• 30 June 2021

• 30 April 2021

• 31 March 2021

• 28 February 2021

• 31 January 2021

• 31 December 2020

• 30 November 2020

• 30 September 2020

• 31 August 2020

• 31 July 2020

• 30 June 2020

• 30 April 2020

• 31 August 2019

• 30 June 2019

• 31 March 2019

• 28 February 2019

• 31 December 2018

Tutorials on key management service

{: #sitemap_tutorials_on_key_management_service}

Tutorial: Creating and importing encryption keys

• Objectives

• Before you begin

• Task flow

• Create an import token

• Retrieve the import token

• Create an encryption key

• Encrypt the nonce

• Encrypt the key

• Import the key

• Clean up

• Next steps

Tutorial: Configuring KMIP in {{site.data.keyword.hscrypto}} for key management and distribution

• Objectives

• Before you begin

• Task flow

• Grant the service-to-service authorization in IAM

• Configure KMIP for VMWare with {{site.data.keyword.hscrypto}} instance

• Configure a trusted connection between the vCenter Server and KMIP adapter

• What's next

Tutorials on cloud hardware security module

{: #sitemap_tutorials_on_cloud_hardware_security_module}

Tutorial: Using {{site.data.keyword.hscrypto}} PKCS #11 for Oracle Transparent Database Encryption

• Objectives

• Before you begin

• Task flow

• Initialize your {{site.data.keyword.hscrypto}} instance

• Set up the {{site.data.keyword.hscrypto}} PKCS #11 library in your Oracle Database environment

• Set up Oracle Database TDE and encrypt your data

• Next steps

Tutorial: Using {{site.data.keyword.hscrypto}} PKCS #11 for IBM Db2 native encryption

• Objectives

• Before you begin

• Task flow

• Initialize your {{site.data.keyword.hscrypto}} instance

• Set up the {{site.data.keyword.hscrypto}} PKCS #11 library

• Set up Db2 native encryption

• Next steps

Provisioning service instances

{: #sitemap_provisioning_service_instances}

Provisioning service instances

• Before you begin

• Provisioning from the {{site.data.keyword.cloud_notm}} console

• Provisioning from the {{site.data.keyword.cloud_notm}} CLI

• What's next

Initializing service instances

{: #sitemap_initializing_service_instances}

Before you begin

• What's next

Initializing service instances using smart cards and the Management Utilities

{: #sitemap_initializing_service_instances_using_smart_cards_and_the_management_utilities}

Setting up smart cards and the Management Utilities

• Step 1: Order smart cards and smart card readers

• Step 2: Install the smart card reader driver

• Step 3: Install the Management Utilities

• Step 4: Configure smart cards with the Smart Card Utility Program

• What's next

Initializing service instances with smart cards and the Management Utilities

• Before you begin

• Loading the master key from the smart cards

• What's next

Initializing service instances using recovery crypto units

• Initializing service instances

• What's next

Initializing service instances using key part files

• Adding or removing crypto units that are assigned to service instances

• Loading master keys

• What's next

Using a signing service to manage signature keys for instance initialization

• Signing service prerequisites

• Configuring the TKE CLI plug-in to use the signing service

• What's next

Managing instance policies

{: #sitemap_managing_instance_policies}

Managing the network access policy

• Updating the network access policy for your {{site.data.keyword.hscrypto}} instance with the console

• Updating the network access policy for your {{site.data.keyword.hscrypto}} instance with the key management API

• Updating the network access policy for your {{site.data.keyword.hscrypto}} instance with the CLI

• Disabling the network access policy for your {{site.data.keyword.hscrypto}} instance with the key management API

Managing dual authorization of your service instance

• Understanding dual authorization of your service instance

• Enabling dual authorization for your service instance with the console

• Enabling dual authorization for your service instance with the API

• Disabling dual authorization for your service instance with the console

• Disabling dual authorization for your service instance with the key management API

Managing the key create and import access policy

• Understanding the key create and import access settings

• Enabling or updating the key create and import access policy for your service instance with the console

• Enabling and updating the key create and import access policy for your service instance with the API

• Disabling the key create and import access policy for your service instance with the key management API

Retrieving an access token

{: #sitemap_retrieving_an_access_token}

Retrieving an access token

• Retrieving an access token with the CLI

• Retrieving an access token with the API

Retrieving your instance ID

{: #sitemap_retrieving_your_instance_id}

Retrieving your instance ID

• Viewing your instance ID with the console

• Retrieving an instance ID with the CLI

• Retrieving an instance ID with the API

Setting up API calls

{: #sitemap_setting_up_api_calls}

Managing your keys with the key management API

• Retrieving your IBM Cloud credentials

• Forming your key management API request

• What's next

Performing cryptographic operations with the PKCS #11 API

• Prerequisites

• Step 1: Set up the PKCS #11 library

• Step 2: (Optional) Verify the integrity and authenticity of the PKCS #11 library

• Step 3: Set up the PKCS #11 configuration file

• Step 4: Use the PKCS #11 library to make PKCS #11 API calls

• What's next

Performing cryptographic operations with the GREP11 API

• Retrieving your IBM Cloud credentials

• Generating a GREP11 API request

• What's next

Enabling the second layer of authentication for EP11 connections

• Security and availability best practices for enabling mutual TLS authentication

• Before you begin

• Step 1: Configure the administrator signature key

• Step 2: Set up the client CA certificate for authentication

• Step 3: Establish mutual TLS connections for EP11 applications

• (Optional) Disabling mutual TLS connections

• What's next

Performing key management operations with the CLI

{: #sitemap_performing_key_management_operations_with_the_cli}

Performing key management operations with the CLI

• What's next

Setting up Terraform for {{site.data.keyword.hscrypto}}

{: #sitemap_setting_up_terraform_for_}

Setting up Terraform for {{site.data.keyword.hscrypto}}

• Example: Provisioning and initializing service instances by using Terraform

• What's next?

Managing master keys

{: #sitemap_managing_master_keys}

Rotating master keys by using smart cards and the Management Utilities

• Before you begin

• Rotating master keys using smart cards and the Management Utilities

• What's next

Rotating master keys by using recovery crypto units

• Rotating master keys

• What's next

Rotating master keys by using key part files

• Before you begin

• Rotating master keys by using key part files

• What's next

Recovering a master key from a recovery crypto unit

• Before you begin

• Recovering master keys

• What's next

Managing key management service keys

{: #sitemap_managing_key_management_service_keys}

Creating keys

{: #sitemap_creating_keys}

Creating root keys

• Creating root keys with the console

• Creating root keys with the API

• What's next

Creating standard keys

• Creating standard keys with the console

• Creating standard keys with the API

• What's next

Managing key rings

• Creating key rings

• Granting access to a key ring

• Listing key rings

• Deleting key rings

Managing key aliases

• Creating key aliases

• Deleting key aliases

• APIs that use key alias

Importing keys

{: #sitemap_importing_keys}

Importing root keys

• Importing root keys with the console

• Importing root keys with the API

• Importing root keys with the CLI

• Base64 encoding your key material

• What's next

Importing standard keys

• Importing standard keys with the console

• Importing standard keys with the API

• Importing stardard keys with the CLI

• Base64 encoding your key material

• What's next

Creating import tokens

• Creating an import token with the API

• Creating an import token with the CLI

• Retrieving an import token with the API

• Retrieving an import token with the CLI

• What's next

Viewing keys

{: #sitemap_viewing_keys}

Viewing a list of root keys or standard keys

• Viewing root keys or standard keys with the console

• Viewing root keys or standard keys with the key management API

Viewing details about a root key or a standard key

• Viewing key details with the {{site.data.keyword.cloud_notm}} console

• Viewing key details with the key management API

Retrieving a root key or a standard key

• Retrieving a key with the key management API

Protecting keys

{: #sitemap_protecting_keys}

Wrapping data encryption keys with root keys

• Wrapping keys by using the API

Unwrapping data encryption keys with root keys

• Unwrapping keys by using the API

• Decoding your key material

Rewrapping data encryption keys with root keys

• Rewrapping keys by using the API

Rotating keys

{: #sitemap_rotating_keys}

Rotating root keys based on the rotation policy

• Managing rotation polices in the console

• Managing rotation policies with the API

• What's next

Rotating root keys manually

• Rotating root keys in the console

• Rotating root keys with the API

• What's next

Viewing root key versions

• Viewing root key versions with the key management API

Disabling root keys

• Disabling and enabling root keys with the console

• Disabling and enabling root keys with the API

Deleting keys

{: #sitemap_deleting_keys}

Deleting keys by using a single authorization

• Deleting keys with the console

• Deleting keys with the API

• What's next

Deleting keys by using dual authorization

• Considerations for deleting a key using dual authorization

• Authorize deletion for a key with the console

• Authorize deletion for a key with the API

• What's next

Setting dual authorization policies for keys

• Managing dual authorization policies with the key management API

Restoring keys

• How do I know whether a key can be restored?

• Restoring a deleted key with the console

• Restoring a deleted key with the API

Managing protected resources associated with root keys

{: #sitemap_managing_protected_resources_associated_with_root_keys}

Viewing associations between root keys and encrypted {{site.data.keyword.cloud_notm}} resources

• Viewing protected resources with the console

• Viewing protected resources with the API

• What's next

Synchronizing associated resources

• Syncing associated resources with the console

• Syncing associated resources with the API

Managing Enterprise PKCS #11 keystores and keys

{: #sitemap_managing_enterprise_pkcs_11_keystores_and_keys}

Managing EP11 keystores with the {{site.data.keyword.cloud_notm}} console

• Before you begin

• Viewing EP11 keystores

• Creating EP11 keystores

• Deleting EP11 keystores

• What's next

Managing EP11 keys with the {{site.data.keyword.cloud_notm}} console

• Before you begin

• Viewing EP11 keys

• Creating EP11 keys

• Deleting EP11 keys

• What's next

Enabling crypto mechanisms

{: #sitemap_enabling_crypto_mechanisms}

Enabling crypto mechanisms

• Enabling BIP32 deterministic wallets

• Enabling Edwards-curve Digital Signature Algorithm

• Enabling the Schnorr algorithm

• What's next

Adding or removing crypto units

{: #sitemap_adding_or_removing_crypto_units}

Adding or removing crypto units

• Adding crypto units to an existing service instance

• Removing crypto units from an existing service instance

• What's next

Enabling or adding failover crypto units after you provision a service instance

{: #sitemap_enabling_or_adding_failover_crypto_units_after_you_provision_a_service_instance}

Enabling or adding failover crypto units after you provision a service instance

• Using the {{site.data.keyword.cloud_notm}} CLI

• Using the Management Utilities

• What's next

Deleting service instances

{: #sitemap_deleting_service_instances}

Deleting service instances

• Step 1: Zeroize crypto units

• Step 2: Optional - Uninstall the {{site.data.keyword.hscrypto}} utilities

• Step 3: Delete your service instance

Restoring your data from another region

{: #sitemap_restoring_your_data_from_another_region}

Restoring your data from another region

• Restoring your data by using failover crypto units

• Restoring your data by opening an IBM support ticket

• What's next

Enhancing security

{: #sitemap_enhancing_security}

Managing user access

• Roles and permissions

• Managing access to multiple instances

• What's next

Granting access to keys

• Granting access to all keys in an instance

• Granting access to a single key in an instance

• Granting access to key rings in an instance

Granting users access to manage EP11 keystores and keys

{: #sitemap_granting_users_access_to_manage_ep11_keystores_and_keys}

Granting users access to manage EP11 keystores and keys through UI

• (Optional) Step 1: Create custom IAM roles

• Step 2: Assign IAM roles to users

• What's next

Setting up PKCS #11 API user types

• PKCS #11 user types

• Step 1: Create custom IAM roles

• Step 2: Create service IDs and API keys for the SO user, normal user, and anonymous user

• Step 3: Assign IAM roles to the service IDs

• What's next

Privately connecting to Hyper Protect Crypto Services

{: #sitemap_privately_connecting_to_hyper_protect_crypto_services}

Using virtual private endpoints for VPC to privately connect to {{site.data.keyword.hscrypto}}

• Before you begin

• Setting up a VPE for {{site.data.keyword.hscrypto}}

• Using your VPE for {{site.data.keyword.hscrypto}}

Using service endpoints to privately connect to {{site.data.keyword.hscrypto}}

• Understanding the network access policy

• Before you begin

• Step 1: Configure the private network of {{site.data.keyword.cloud_notm}} on your virtual server

• Step 2: Provision a service instance and select the network access

• Step 3: Target the {{site.data.keyword.hscrypto}} private endpoint for the TKE CLI plug-in

• Step 4: Initialize the service instance

• Step 5: Target the {{site.data.keyword.hscrypto}} private endpoint for key management service

• Step 6: Test your private network connection

• What's next

Auditing events for {{site.data.keyword.hscrypto}}

• Supported events

• Viewing events

• Analyzing successful events

• Analyzing failed events

• Event severity

Managing security and compliance with {{site.data.keyword.hscrypto}}

• Governing {{site.data.keyword.hscrypto}} resource configuration with config rules

API reference

{: #sitemap_api_reference}

Key management API

{: #sitemap_key_management_api}

{{site.data.keyword.hscrypto}} key management API change log

• API versioning

• April 2021

Cryptographic operations: PKCS #11 API

• Installing and configuring PKCS #11 library

• Error handling

• Verifying that keys are protected by crypto units

• PKCS #11 function list

• Supported mechanisms

• Supported attributes and key types

• Supported curves

• Standard PKCS #11 API reference

Cryptographic operations: GREP11 API

• Accessing the API

• Error handling

• GREP11 function list

• Supported mechanisms

• Supported attributes and key types

• Supported curves

• Performing cryptographic operations with GREP11 functions

• Retrieving supported crypto algorithms

• Generating and deriving keys

• Protecting keys

• Retrieving and modifying attributes for keys

• Generating random data

• Encrypting and decrypting data

• Signing and verifying data

• Protecting data integrity through message digests

• Code examples

CLI reference

{: #sitemap_cli_reference}

{{site.data.keyword.hscrypto}} CLI change log

• {{site.data.keyword.cloud_notm}} TKE CLI plug-in

• {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}} certificate manager CLI plug-in

{{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}} CLI

• {{site.data.keyword.hscrypto}} key management CLI plug-in

• {{site.data.keyword.hscrypto}} Trusted Key Entry CLI plug-in

• {{site.data.keyword.hscrypto}} certificate manager CLI plug-in

Terraform reference

{: #sitemap_terraform_reference}

Provisioning and initializing service instances with Terraform{: external}

Managing key management service keys with Terraform{: external}

Regions and locations

{: #sitemap_regions_and_locations}

Regions and locations

• Available regions

• Connectivity options

• Service endpoints

{{site.data.keyword.hscrypto}} cloud TKE procedures

{: #sitemap__cloud_tke_procedures}

{{site.data.keyword.hscrypto}} cloud TKE procedures

Smart card security considerations

{: #sitemap_smart_card_security_considerations}

Smart card security considerations

• Considerations for defining the Management Utilities security policy

Understanding your responsibilities when using {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}}

{: #sitemap_understanding_your_responsibilities_when_using__{{sitedatakeywordhscrypto}}}

Understanding your responsibilities when using {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}}

• Incident and operations management

• Change management

• Identity and access management

• Security and regulation compliance

• Disaster recovery

High availability and disaster recovery

{: #sitemap_high_availability_and_disaster_recovery}

High availability and disaster recovery

• Locations, tenancy, and availability

• In-region data redundancy and failover

• Cross-region disaster recovery

Open-source licenses

{: #sitemap_open-source_licenses}

Open-source licenses

• {{site.data.keyword.hscrypto}} notices and information

• Hosting appliance notices and information

FAQs

{: #sitemap_faqs}

General FAQs

• What's {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}}?

• What is a key management service?

• What is Hardware Security Module?

• What is a cloud HSM?

• How does {{site.data.keyword.hscrypto}} provide a single-tenant cloud service?

• What are the responsibilities of users and {{site.data.keyword.cloud_notm}} for {{site.data.keyword.hscrypto}}?

• How is this service different from {{site.data.keyword.cloud_notm}} HSM?

• How is {{site.data.keyword.hscrypto}} different from {{site.data.keyword.keymanagementserviceshort}}?

• How is Keep Your Own Key different from Bring Your Own Key?

• What can I do with {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}}?

• How do I know whether {{site.data.keyword.hscrypto}} is right for my company?

• How does {{site.data.keyword.hscrypto}} work?

• What crypto card does {{site.data.keyword.hscrypto}} use?

• Which IBM regions are {{site.data.keyword.hscrypto}} available in?

• I have workloads in a data center where {{site.data.keyword.hscrypto}} is not available. Can I still subscribe to this service?

FAQs: Pricing

• How am I charged for my use of {{site.data.keyword.hscrypto}}?

• Is there a free trial for {{site.data.keyword.hscrypto}}?

FAQs: Provisioning and operations

• Are there any prerequisites for using {{site.data.keyword.hscrypto}}?

• How to initialize {{site.data.keyword.hscrypto}} service instances?

• Are there any recommendations on how to set up smart cards?

• How can I procure smart cards and smart card readers?

• How many crypto units shall I set up in my service instance?

• Can I use {{site.data.keyword.hscrypto}} along with other {{site.data.keyword.cloud_notm}} services?

• How does my application connect to a {{site.data.keyword.hscrypto}} service instance?

• Can I generate master key on-premises and store the master key parts in the smart cards?

• Can I import root keys from an on-premises HSM?

• Can I use {{site.data.keyword.hscrypto}} only for cryptographic operations, but use other {{site.data.keyword.cloud_notm}} services such as {{site.data.keyword.keymanagementserviceshort}} for key management?

• Can I use {{site.data.keyword.hscrypto}} for applications hosted in other cloud service providers such as AWS, Azure, and GCP?

FAQs: Performance and capacity

• How many keys can be stored in a {{site.data.keyword.hscrypto}} service instance?

• Can I add or remove crypto units after I provision a service instance?

• Is there a Service Level Agreement (SLA) specifically for {{site.data.keyword.hscrypto}}?

FAQs: Security and compliance

• How can I manage user access to my service instances? Does IBM have access to my instances?

• How does IBM offer a unique and secure process for service initialization (key ceremony)?

• What is a 140-2 FIPS Level 4 Certification and how can I validate it?

• What is the difference between FIPS 140-2 Level 1, 2, 3, and Level 4?

• How to understand the key hierarchy for {{site.data.keyword.hscrypto}} KYOK?

• How does EP11 differ from PKCS #11?

• What EP11 mechanisms are supported by the GREP11 functions?

• What compliance standards does {{site.data.keyword.hscrypto}} meet?

• Can I monitor my service instance?

FAQs: High availability and disaster recovery

• How do I set up a high availability configuration?

• Can I back up my service instance manually?

• What happens if my service instance fails?

• How can I restore the content from backups?

• What happens if I delete my service instances?

• Can I back up the keys before I delete a service instance?

• What happens when I delete a key?

• What happens if I lose the signature key or the master key parts?

FAQs: Support and maintenance

• How is routine maintenance performed on {{site.data.keyword.hscrypto}}?

• How do I get support for {{site.data.keyword.hscrypto}}?

Troubleshooting key management API or CLI

{: #sitemap_troubleshooting_key_management_api_or_cli}

Why am I not authorized to make key management API request?

Why can't I view or list keys?

Why can't I view or list specific keys?

Why am I receiving a CKR_IBM_WK_NOT_INITIALIZED error when I use CLI or API?

Troubleshooting IBM Cloud console

{: #sitemap_troubleshooting_ibm_cloud_console}

Why can't I create or import keys?

Why can't I delete keys?

Why can't I rotate root keys?

Why can't I delete an initialized service instance?

Troubleshooting Trusted Key Entry

{: #sitemap_troubleshooting_trusted_key_entry}

Why am I not authorized when running TKE CLI plug-in commands?

Why can't I list crypto units?

Why can't I change signature thresholds?

Troubleshooting smart cards and the Management Utilities

{: #sitemap_troubleshooting_smart_cards_and_the_management_utilities}

Why am I not authorized when I start the Trusted Key Entry application?

Why am I receiving a blocked PIN on EP11 smart card error?

Why am I receiving a no smart card readers found error when I use the Management Utilities?

Troubleshooting master key rotation

{: #sitemap_troubleshooting_master_key_rotation}

Why do I fail to load the new master key during the master key rotation process?

Why can't I rotate master keys by using key part files?

Why can't I rotate master keys by using smart cards?

Why can't I rotate master keys by using recovery crypto units?

Getting help and support

{: #sitemap_getting_help_and_support}

Getting help and support