Key Protect integration

The data that you store in IBM® Db2® Warehouse on Cloud is encrypted by default using randomly generated keys. If you need to control the encryption keys, you can use IBM Key Protect to create, add, and manage encryption keys. Then, you can associate those keys with your Db2 Warehouse on Cloud deployment to encrypt your Db2 databases.

To get started, you need Key Protect provisioned on your IBM Cloud account.

Creating or adding a key in Key Protect

Navigate to your instance of Key Protect and generate or enter a key.

Granting service authorization

Authorize Key Protect for use with Db2 Warehouse on Cloud deployments:

Open your IBM Cloud dashboard.
From the menu bar, select Manage > Access (IAM).
In the side navigation, select Authorizations. Click Create.
In the Source service menu, select the service of the deployment. For example, Db2 Warehouse.
In the Source service instance menu, select All service instances.
In the Target service menu, select Key Protect.
In the Target service instance menu, select the service instance to authorize.
Enable the Reader role. Click Authorize.

Using the Key Protect key

After you grant your Db2 Warehouse instance permission to use your keys, you supply the Key Protect information on the Console Administration -> Security -> Manage Keys tab. You must provide the name of the Key Protect instance and the key that was created in the "Creating or adding a key in Key Protect" section. After the information is provided, you then migrate the instance to Key Protect managed keys.