IBM® Key Protect and encryption keys

The IBM® Key Protect for IBM Cloud® service helps you provision and store encrypted keys for applications across IBM Cloud services, so you can see and manage data encryption and the entire key lifecycle from one central location.

With user-managed encryption, you can bring your own Custom Root Key (CRK) to the cloud or have a Key Management Service (KMS) generate a key for you. You use root keys to encrypt resources across regions. You can encrypt resources with a key that is stored in your regional KMS instance, and you can use root keys from another region.

IBM Key Protect instances for your IBM Spectrum Symphony cluster

Your IBM Spectrum Symphony cluster uses an IBM Key Protect instance either way: the deployment process can create one for you, or you can integrate an existing one.

Creating an IBM Key Protect instance and key

Infrastructure resources for your IBM Spectrum Symphony cluster can be encrypted automatically through IBM Key Protect. To enable this feature, keep the enable_customer_managed_encryption deployment input value set to true. The deployment process then creates an IBM Key Protect instance and a dedicated key to encrypt these resources:

  • IBM® Cloud Block Storage for Virtual Private Cloud (Cloud Block Storage)
  • IBM Cloud® File Share
  • IBM Cloud® Object Storage

If enable_customer_managed_encryption is set to false, the deployment process does not create an IBM Key Protect instance or key, and all infrastructure resources are encrypted through provider-managed encryption instead.

Integrating an existing IBM Key Protect instance and key

If you already have an IBM Key Protect instance and an encryption key, set the enable_customer_managed_encryption deployment input value to true and provide the instance ID in the kms_instance_id deployment input variable and the encryption key name in the kms_key_name deployment input variable. The deployment process then uses these values to encrypt all infrastructure resources for your IBM Spectrum Symphony cluster. If you provide an existing IBM Key Protect instance, you must create the required authorization policy for that instance yourself.

If you provide an existing kms_key_name for encryption, make sure that service-to-service authentication is enabled between KMS and Cloud Block Storage, and between KMS and the VPC File Storage service.
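The three outcomes described in the two sections above (no customer-managed encryption, a deployment-created instance and key, or an existing instance and key that needs service-to-service authorizations) can be checked before a deployment is submitted. The following pre-flight check is an added example and not part of the IBM Spectrum Symphony deployment; it treats supplying only one of kms_instance_id and kms_key_name as an error and treats an unset enable_customer_managed_encryption as true, both of which are assumptions.

```python
from dataclasses import dataclass, field

# Services that must be authorized to use the key when an existing
# kms_key_name is supplied, per the sections above.
REQUIRED_KMS_AUTHORIZATIONS = ("Cloud Block Storage for VPC", "VPC File Storage")


@dataclass
class EncryptionPlan:
    mode: str  # "provider-managed", "kms-created" or "kms-existing"
    warnings: list = field(default_factory=list)
    required_authorizations: tuple = ()


def plan_encryption(inputs: dict) -> EncryptionPlan:
    """Work out how Block Storage, File Share and Object Storage will be
    encrypted from the deployment input variables, and flag inconsistent
    or risky combinations. Raises ValueError for a half-specified KMS key."""
    # Assumption: an unset value counts as true, since the page says to keep it true.
    enabled = bool(inputs.get("enable_customer_managed_encryption", True))
    instance_id = (inputs.get("kms_instance_id") or "").strip()
    key_name = (inputs.get("kms_key_name") or "").strip()

    if not enabled:
        plan = EncryptionPlan("provider-managed")
        plan.warnings.append(
            "Customer-managed encryption is disabled: no Key Protect instance or "
            "key is created and resources fall back to provider-managed encryption."
        )
        if instance_id or key_name:
            plan.warnings.append(
                "kms_instance_id / kms_key_name are ignored while "
                "enable_customer_managed_encryption is false."
            )
        return plan

    if instance_id and key_name:
        # Existing instance and key: the deployment will not create anything,
        # so the authorization policies must already be in place.
        return EncryptionPlan("kms-existing", required_authorizations=REQUIRED_KMS_AUTHORIZATIONS)

    if instance_id or key_name:
        raise ValueError(
            "Provide both kms_instance_id and kms_key_name to use an existing key, "
            "or neither to let the deployment create an instance and key."
        )

    return EncryptionPlan("kms-created")
```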