Adding or removing crypto units
After you provision a Hyper Protect Crypto Services instance, you can request to add or remove crypto units by raising support tickets in the IBM Cloud® Support Center.
To adjust the number of crypto units, complete the following steps.
Adding crypto units to an existing service instance
Step 1: Request to add crypto units
To add or remove crypto units, you need to first raise a support ticket.
-
In your IBM Cloud dashboard, click the Help icon > Support center from the UI menu bar to enter the Support Center. Click View all in the Recent support cases panel and click Create new case. Or, you can directly go to the Manage cases page and click Create new case.
-
On the Create a case page displayed, select the offering Hyper Protect Crypto Services, and then specify the following values:
Table 1. Describes the fields that are required to add crypto units Field name Action Subject Enter Add crypto units. Description Enter your service instance ID, the region that your service instance resides in, and the number of crypto units you want to add. You can have no more than three crypto units for a service instance. Selected resources Select your Hyper Protect Crypto Services service instance. -
Check the Email me updates about this issue box, and click Continue to review > Create case.
After the operation is completed successfully, you will get an email notification. You can also check the state in the Support Center by clicking the Help icon > Support center from the UI menu bar.
-
To view the number of crypto units in the current service instance, run the
ibm tke cryptounits
command in the CLI. Or you can select the Crypto units tab in the Trusted Key Entry application, depending on how you store your master key parts.
For availability and disaster-recovery capability, if you request to add crypto units, the new crypto units are automatically allocated in different availability zones within the same region.
Before you can use the new crypto units, complete the following two steps to initialize and activate them.
Step 2: Initialize the new crypto units
Depending on how you store your master key parts, you might initialize the new crypto units with the TKE CLI plug-in, or smart cards together with the Management Utilities. Make sure to configure the new crypto units the same as the existing crypto units by referring to the following instructions:
- If you load the master key from your workstation, see Initializing service instances with the IBM Cloud TKE CLI plug-in.
- If you load the master key from smart cards, see Initializing service instances with smart cards and the Management Utilities.
Extra monthly costs apply for each new crypto unit. You can check the detailed charges on the billing and usage page under your account.
Step 3: Request to activate the new crypto units
After you initialize the new crypto units, you need to raise another support ticket to activate them.
-
In your IBM Cloud dashboard, click the Help icon > Support center from the UI menu bar to enter the Support Center. Click View all in the Recent support cases panel and click Create new case. Or, you can directly go to the Manage cases page and click Create new case.
-
On the Create a case page displayed, select the offering Hyper Protect Crypto Services, and then specify the following values:
Table 2. Describes the fields that are required to activate new crypto units Field name Action Subject Enter Activate new crypto units. Description Enter your service instance ID, the region that your service instance resides in, the number of new crypto units, and the case number of the support ticket that is previously raised in step 1. Selected resources Select your Hyper Protect Crypto Services service instance. -
Check the Email me updates about this issue box, and click Continue to review > Create case.
After the activation is completed successfully, you will get an email notification. You can also check the state in the Support Center by clicking the Help icon > Support center from the UI menu bar.
Removing crypto units from an existing service instance
To remove crypto units from an existing service instance, you need to raise a support ticket.
On the Create a case page, enter Remove crypto units as the subject, and include the number of crypto units that you want to remove in the case description.
You need to keep at least two crypto units in a service instance for high availability.
What's next
Now you can use the new set of crypto units to manage encryption keys and perform cryptographic operations.
- Use Hyper Protect Crypto Services as the root key provider for other IBM Cloud services. For more information about integrating Hyper Protect Crypto Services, check out Integrating services.
- To learn more about performing cryptographic operations with the cloud HSM, see Introducing cloud HSM.