
Dfns wallet platform is now integrated with IBM HPVS, providing a fully isolated and encrypted computing environment for digital assets.
Following our recent support for IBM Crypto Express HSMs, we’re expanding our work with IBM to bring even stronger security to our clients. Dfns’ wallet infrastructure can now run inside IBM Hyper Protect Virtual Servers (HPVS). This goes beyond protecting keys at the hardware level: it secures the entire application runtime. For financial institutions, that means critical transaction-signing operations can now run in a confidential computing environment that is protected from unauthorized access, even by cloud administrators.
IBM Hyper Protect Virtual Servers, explained
IBM Hyper Protect Virtual Servers (HPVS) is a confidential computing service that keeps Linux-based applications fully isolated and encrypted from end to end. Its core promise is simple: nobody can access your running workloads, not the cloud provider, not an administrator, and not any other tenant. Everything inside the virtual server (code, data, and memory) is completely hidden from the outside world, creating a true zero-trust runtime.
How HPVS secures workloads:
- Built on IBM Z and LinuxONE: HPVS runs only on IBM Z and LinuxONE systems. These mainframe-class machines power much of the global financial system and are known for reliability, fault tolerance, and pervasive encryption. Data is protected everywhere: at rest, in transit, and, with HPVS, even while in use. The platform is optimized for Linux, the standard for modern enterprise and financial applications.
- Trusted Execution Environment (TEE): At the heart of HPVS is IBM Secure Execution for Linux, a hardware feature that creates a Trusted Execution Environment. This TEE isolates the virtual server completely from the host OS, hypervisor, and other workloads. It’s a secure enclave at the CPU level where only authorized code can run.
- Encrypted memory: All data in memory is always encrypted. This protects against attacks like memory scraping or cold boot exploits, where someone tries to read sensitive information directly from RAM. Only the CPU inside the enclave can decrypt and process the data.
- Cryptographic attestation: Before Dfns deploys inside HPVS, it can request a signed attestation report from the hardware. This report proves that the virtual server is genuine, running on trusted IBM hardware, and untampered. We verify this before loading any secrets or code.
- Secure boot: Every step of the boot process, from firmware to application, is cryptographically signed and verified. This ensures the environment’s integrity and prevents malicious code from entering at any stage.
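The attestation bullet above describes the gate a relying party builds around a confidential-computing deployment: obtain a signed report, check it, and only then hand over secrets. The Go program below is an added illustration and is not Dfns or IBM code; it does not use the real HPVS attestation format or API. The report structure, the software-simulated platform, the Ed25519 attestation key, the nonces and the sample image bytes are all constructed assumptions. It shows the order of checks a verifier applies (signature, nonce freshness, measurement against an approved image) and what each failure mode looks like: a report altered in transit, a genuine platform that booted an unapproved image, and an old report replayed against a new challenge.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// AttestationReport is a simplified, hypothetical stand-in; it is not the real HPVS report format.
type AttestationReport struct {
	Nonce       []byte `json:"nonce"`       // verifier's fresh challenge, echoed back
	Measurement []byte `json:"measurement"` // digest of the image the platform loaded
}

// SignedReport is the JSON report plus the platform's Ed25519 signature over it.
type SignedReport struct{ Report, Signature []byte }

// Verifier holds what the relying party trusts up front: the (hypothetical) attestation key and approved image digest.
type Verifier struct {
	PlatformKey         ed25519.PublicKey
	ExpectedMeasurement []byte
}

var (
	ErrBadSignature  = errors.New("attestation signature invalid")
	ErrNonceMismatch = errors.New("attestation nonce does not match challenge")
	ErrMeasurement   = errors.New("measurement does not match approved image")
)

// Verify checks the signature first, then freshness, then the measurement, and
// returns the first failure so callers can log why the platform was rejected.
func (v Verifier) Verify(challenge []byte, sr SignedReport) error {
	if !ed25519.Verify(v.PlatformKey, sr.Report, sr.Signature) {
		return ErrBadSignature
	}
	var r AttestationReport
	if err := json.Unmarshal(sr.Report, &r); err != nil {
		return err
	}
	if !bytes.Equal(r.Nonce, challenge) {
		return ErrNonceMismatch
	}
	if !bytes.Equal(r.Measurement, v.ExpectedMeasurement) {
		return ErrMeasurement
	}
	return nil
}

// ReleaseSecret is the "verify before loading any secrets" gate: the secret leaves only when Verify passes.
func ReleaseSecret(v Verifier, challenge []byte, sr SignedReport, secret []byte) ([]byte, error) {
	if err := v.Verify(challenge, sr); err != nil {
		return nil, err
	}
	return secret, nil
}

// Platform simulates the attesting side for this demo only; real attestation keys never leave the hardware.
type Platform struct {
	priv  ed25519.PrivateKey
	image []byte
}

// Attest measures the loaded image and signs a report echoing the challenge.
func (p Platform) Attest(challenge []byte) SignedReport {
	m := sha256.Sum256(p.image)
	body, _ := json.Marshal(AttestationReport{Nonce: challenge, Measurement: m[:]})
	return SignedReport{Report: body, Signature: ed25519.Sign(p.priv, body)}
}

// RunScenarios exercises the gate against an honest platform and three failure modes. The
// nonces are constructed constants here; a real verifier draws a fresh one from crypto/rand per request.
func RunScenarios() (happy, tampered, wrongImage, replay error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // software key, demo only
	approved := []byte("constructed wallet image v1")  // constructed sample bytes
	digest := sha256.Sum256(approved)
	v := Verifier{PlatformKey: pub, ExpectedMeasurement: digest[:]}
	secret := []byte("constructed wrapping secret") // constructed; not a real key
	honest := Platform{priv: priv, image: approved}
	// 1. Honest platform, approved image, fresh challenge: the secret is released.
	ch1 := []byte("constructed-nonce-1")
	sr1 := honest.Attest(ch1)
	_, happy = ReleaseSecret(v, ch1, sr1, secret)
	// 2. Report altered in transit (one bit flipped): the signature no longer verifies.
	ch2 := []byte("constructed-nonce-2")
	sr2 := honest.Attest(ch2)
	sr2.Report[len(sr2.Report)-1] ^= 0x01
	_, tampered = ReleaseSecret(v, ch2, sr2, secret)
	// 3. Genuine platform key, but an unapproved image was loaded.
	other := Platform{priv: priv, image: []byte("constructed wallet image v2-unapproved")}
	ch3 := []byte("constructed-nonce-3")
	_, wrongImage = ReleaseSecret(v, ch3, other.Attest(ch3), secret)
	// 4. A valid old report replayed against a new challenge: the nonce check fails.
	_, replay = ReleaseSecret(v, []byte("constructed-nonce-4"), sr1, secret)
	return
}
```

The ordering matters: the signature is checked before the report is even parsed, so an unauthenticated byte stream never reaches the JSON decoder or the policy checks, and the nonce check comes before the measurement check so a replayed but otherwise valid report is rejected on freshness rather than being mistaken for an approved image.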
Why HPVS support matters for financial institutions
Integrating Dfns with HPVS isn’t just a security upgrade; it’s a new way to deploy digital asset infrastructure. It creates a true “zero trust” environment across the entire wallet stack.
- Confidentiality for your business logic: HSMs protect private keys. HPVS goes further by protecting the processing application.
- Protection from insider threats: In most cloud setups, a compromised or malicious admin is the biggest risk. HPVS eliminates this by design. Even users with the highest system privileges can’t access data inside the encrypted virtual server.
- Compliance and audit readiness: For institutions with strict data residency and confidentiality requirements, HPVS helps you prove that sensitive data never leaves its secure enclave unencrypted. This makes audits easier and keeps regulators satisfied.
- A secure path to the cloud: Banks often keep critical systems on-premises for control and security. HPVS bridges that gap, offering the protection of a private data center with the flexibility and scale of the public cloud.
Dfns + IBM: a unified strategy for digital asset security
At Dfns, our goal is to offer a flexible, composable security architecture that helps institutions meet any risk or compliance requirement. With support for IBM Hyper Protect Virtual Servers (HPVS), we’re extending our existing HSM integration to deliver a true multi-layer defense:
- IBM Crypto Express HSMs: Provide FIPS 140-2 Level 4 certified protection for private keys at rest.
- IBM Hyper Protect Virtual Servers: Secure the runtime of wallet applications and their business logic.
- Next: we plan to add support for IBM’s Hyper Protect Offline Signing Orchestrator (OSO) to enable automated, secure management of air-gapped and cold storage assets.
Together, these technologies let our clients build hybrid custody models tailored to their exact security and operational needs. Whether you need the offline protection of OSO or the scalable confidentiality of HPVS, Dfns offers one unified orchestration layer to manage it all. This collaboration gives Dfns and IBM users a powerful way to build the future of finance on a foundation of strong security and confidentiality.
Contact our team to learn how you can deploy Dfns in an IBM Hyper Protect environment today.