Prerequisites for the Direct Link Dedicated MACsec feature

Before you can enable and configure MACsec on IBM Cloud Direct Link Dedicated, there are several tasks that need to be completed. These prerequisites ensure that your network is properly prepared for secure communication over a dedicated Ethernet connection.

Verifying MACsec device readiness

Ensure that your MACsec-capable device is properly configured and supports the required encryption standards (such as AES) for your network setup. Verify that the device has the necessary hardware and software support for MACsec, and ensure that its ports or interfaces are configured to enable encryption.

Work with your network provider to select the appropriate data center or Point of Presence (PoP) and confirm that the necessary infrastructure and network connections are in place to support MACsec. Also, ensure that a key management system is in place for secure key exchange, and assess the performance impact to ensure that the device can handle encryption without affecting network speed.

Preparing for key exchange

Configure an HPCS instance on IBM Cloud to manage the encryption keys and ensure that your device is ready for secure key exchange. To do so, follow these steps:

  1. Create a Hyper Protect Crypto Services (HPCS) instance on the standard plan with the Keep Your Own Key capability. For more information, see Provisioning service instances.

  2. Initialize the HPCS instance and load the master keys. (A master key is an encryption key that is used to protect a crypto unit. It provides full control of the hardware security module and ownership of the root of trust that encrypts the chain keys, including the root key and standard key.)

    For example, if you choose to use the IBM Cloud Trusted Key Entry (TKE) CLI, here are some basic steps:

  3. After initializing the HPCS instance, add standard keys (using the Import a key option) for any keys that you want to use with MACsec; for example, add a standard key for the primary CAK. It is also a good idea to configure MACsec with a fallback CAK; to do this, add a fallback key to the HPCS instance as well. To add a key, see the Hyper Protect Crypto Services catalog page. For instructions, see Getting started with IBM Cloud Hyper Protect Crypto Services.

    The key material that you choose must follow specific MACsec conventions: it must be a 64-character hexadecimal string. If your key material is only 32 characters long, pad it with trailing zeros to reach the 64-character length. To import the key material into the HPCS instance, it must be base64-encoded.

    This HPCS key is used as the CAK value. When configuring MACsec, you are asked for a CAK name to pair with this key. The same key value pair must be configured on the MACsec keystore on the customer device.

    You must configure the same name and key octet string (value) on your switch. Otherwise, the MACsec key negotiation fails.

  4. After creating keys for Direct Link, you must use IBM Cloud Identity and Access Management (IAM) to grant authorization between your Hyper Protect Crypto Services (HPCS) instance and the Direct Link service. Due to known limitations, you must grant access at the HPCS instance level, which grants the Direct Link service access to all the keys inside that instance. For instructions, see Using authorizations to grant access between services. The Direct Link service never accesses any key other than those used for the MACsec feature.

    You should grant access to all keys in the HPCS instance; otherwise, you must grant a new service-to-service authorization each time that you want to use a different key for Direct Link with MACsec. As long as a key is in use by your gateway, it shouldn’t be deleted and the service-to-service authorization must not be revoked.
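As an added example (not part of the IBM Cloud documentation or any IBM tooling), the following Python helper prepares CAK material according to the conventions in step 3: it validates the hex string, pads a 32-character value with trailing zeros to 64 characters, and base64-encodes it for import into HPCS. It assumes that the ASCII hex text itself is what gets base64-encoded, and the function names are the example's own.

```python
import base64
import secrets
import string

HEX_DIGITS = set(string.hexdigits)
CAK_HEX_LEN = 64  # MACsec CAK convention on this page: 64 hex characters (256 bits)


def normalize_cak_hex(cak_hex: str) -> str:
    """Validate CAK hex material and pad a 32-character value with trailing zeros.

    Raises ValueError for non-hex characters or a length that is neither 32 nor 64.
    """
    cak_hex = cak_hex.strip().lower()
    if not cak_hex or any(c not in HEX_DIGITS for c in cak_hex):
        raise ValueError("CAK material must contain only hexadecimal characters")
    if len(cak_hex) == 32:
        # 128-bit key: pad with trailing zeros as the docs describe
        cak_hex = cak_hex + "0" * (CAK_HEX_LEN - 32)
    if len(cak_hex) != CAK_HEX_LEN:
        raise ValueError(f"CAK material must be 32 or 64 hex characters, got {len(cak_hex)}")
    return cak_hex


def encode_for_hpcs_import(cak_hex: str) -> str:
    """Return the base64 payload for the HPCS 'Import a key' step.

    Assumption: the 64-character ASCII hex string is what is base64-encoded,
    not the raw 32 bytes it represents.
    """
    normalized = normalize_cak_hex(cak_hex)
    return base64.b64encode(normalized.encode("ascii")).decode("ascii")


def decode_imported_payload(payload_b64: str) -> str:
    """Reverse the import encoding so you can confirm the value that must also be
    configured, under the same CAK name, in the switch's MACsec keystore."""
    hex_text = base64.b64decode(payload_b64, validate=True).decode("ascii")
    return normalize_cak_hex(hex_text)


def generate_cak_hex() -> str:
    """Generate a fresh 256-bit CAK as 64 hex characters from the OS CSPRNG."""
    return secrets.token_hex(CAK_HEX_LEN // 2)
```

The decoded value must match, character for character, the key octet string configured on the customer switch for the same CAK name; otherwise MKA negotiation fails as described in step 3.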