IBM Cloud Docs
Securing your data in App ID

To ensure that you can securely manage your data when you use IBM Cloud® App ID, it is important to know exactly what data is stored and encrypted and how you can delete any stored personal data.

How your data is stored and encrypted in App ID

App ID stores and encrypts user profile attributes. As a multi-tenant service, every tenant has a designated encryption key and user data in each tenant is encrypted with only that tenant's key. App ID ensures that private information is encrypted before it is stored.

You can add a higher level of encryption control to your data at rest (when it is stored) by enabling integration with a Key Management Service (KMS). The data that you store in IBM Cloud is encrypted at rest by using envelope encryption. If you need to control the encryption keys, you can integrate Key Protect or Hyper Protect Crypto Services. This process is commonly referred to as Bring Your Own Key (BYOK). With Key Protect and Hyper Protect Crypto Services, you can create, import, and manage encryption keys. You can assign access policies to the keys, assign users or service IDs to the keys, or give the key access only to a specific service.

Managing your own keys

App ID uses envelope encryption to implement both provider-managed and customer-managed keys. Envelope encryption describes encrypting one encryption key with another encryption key. The key used to encrypt the actual data is known as a data encryption key (DEK). The DEK itself is never stored but is wrapped by a second key that is known as the key encryption key (KEK) to create a wrapped DEK. To decrypt data, the wrapped DEK is unwrapped to get the DEK. This process is possible only by accessing the KEK, which in this case is your root key that is stored in your KMS. Key Protect keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs), and Hyper Protect Crypto Services keys are secured by FIPS 140-2 Level 4 certified cloud-based HSMs.

Enabling customer-managed keys for App ID by using Key Protect

If you choose to work with a key that you manage, you must ensure that valid IAM authorization is assigned to the App ID service.

  1. Create an instance of Key Protect.
  2. Generate or import your own root key to your instance of Key Protect. When you use Key Protect to create a root key, the service generates cryptographic key material that is rooted in cloud-based HSMs. Be sure that the name of your key does not contain any personal information such as your name or location.
  3. Grant service access to Key Protect. You must be the account owner or an administrator for the instance of Key Protect that you're working with. You must also have at least Viewer access for the App ID service.
    1. Go to Manage > Access IAM > Authorizations.
    2. Create an authorization to allow access to Key Protect.
    3. Select the source account.
    4. Select App ID as your source service.
    5. Select Key Protect as your target service.
    6. Specify the scope of the access.
    7. Assign the Reader role.
    8. Click Authorize.
  4. Create an instance of the App ID service.
    1. Select your Key Protect instance.
    2. Select the root key that you previously authorized.
    3. Click Create.

App ID supports the following state changes to your key.

Rotating your keys

When you rotate your KEK, App ID rewraps the DEKs associated with the rotated key, ensuring that your user data is always protected with your up-to-date encryption key.

Deleting your keys

When you delete your KEK, user data becomes inaccessible within 4 hours of deletion. Although user data is not destroyed when a key is deleted, App ID is no longer able to decrypt the user data, making it inaccessible.
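The envelope-encryption scheme described under "Managing your own keys", together with the rotation and deletion behaviour described just above (and repeated for Hyper Protect Crypto Services below), as an added example that is not part of the IBM documentation or of App ID's own code. It is a minimal Go model: `RootKey`, `EnvelopeRecord`, `Encrypt`, `Decrypt` and `Rewrap` are hypothetical names, the KEK is held in memory here so the program runs offline (in App ID the root key stays inside the Key Protect or Hyper Protect Crypto Services HSM and App ID only calls wrap/unwrap), and AES-256-GCM stands in for the KMS wrap operation. The sample user attribute is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// RootKey is a hypothetical in-memory stand-in for the KEK that really lives in the KMS HSM.
type RootKey []byte

// EnvelopeRecord is all that a tenant store persists; the plaintext DEK is never stored.
type EnvelopeRecord struct {
	Ciphertext []byte // user data sealed under the DEK
	WrappedDEK []byte // the DEK sealed under the KEK
}

// randomBytes draws n bytes from crypto/rand; a failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewRootKey generates a random 256-bit KEK (constructed for this example).
func NewRootKey() RootKey { return randomBytes(32) }

// aead builds an AES-256-GCM cipher; every key here is 32 bytes, so an error is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext under key and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails if the key is wrong or the data was tampered with.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Encrypt generates a fresh DEK, seals the data with it, then wraps the DEK under the KEK.
func Encrypt(kek RootKey, plaintext []byte) *EnvelopeRecord {
	dek := randomBytes(32)
	return &EnvelopeRecord{Ciphertext: seal(dek, plaintext), WrappedDEK: seal(kek, dek)}
}

// Decrypt unwraps the DEK with the KEK and then opens the data. A nil kek models a
// deleted root key: the ciphertext is still stored but can no longer be read.
func Decrypt(kek RootKey, rec *EnvelopeRecord) ([]byte, error) {
	if kek == nil {
		return nil, fmt.Errorf("root key deleted: user data is inaccessible")
	}
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext)
}

// Rewrap is key rotation: the DEK is unwrapped under the old KEK and wrapped again
// under the new one; the data ciphertext itself is never touched or re-encrypted.
func Rewrap(oldKEK, newKEK RootKey, rec *EnvelopeRecord) error {
	dek, err := open(oldKEK, rec.WrappedDEK)
	if err != nil {
		return err
	}
	rec.WrappedDEK = seal(newKEK, dek)
	return nil
}

func main() {
	v1, v2 := NewRootKey(), NewRootKey()
	rec := Encrypt(v1, []byte("constructed profile attribute: alice@example.com"))
	fmt.Println("rotate:", Rewrap(v1, v2, rec))
	pt, err := Decrypt(v2, rec)
	fmt.Printf("after rotation: %q %v\n", pt, err)
	_, err = Decrypt(nil, rec)
	fmt.Println("after KEK deletion:", err)
}
```

The point to take from the model is the asymmetry between the two operations: rotation only rewraps the small DEK blob and leaves the bulk ciphertext untouched, while deleting the root key leaves that ciphertext in storage but with no path back to the DEK, which is exactly why the page says user data is not destroyed yet becomes inaccessible.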

Enabling customer-managed keys for App ID by using Hyper Protect Crypto Services

If you choose to work with a key that you manage, you must ensure that valid IAM authorization is assigned to the App ID service.

  1. Create an instance of Hyper Protect Crypto Services.
  2. Initialize your instance by loading a master key from smart cards or from your workstation.
  3. Generate or import your own root key to your instance of Hyper Protect Crypto Services. When you use Hyper Protect Crypto Services to create a root key, the service generates cryptographic key material that is rooted in cloud-based HSMs. Be sure that the name of your key does not contain any personal information such as your name or location.
  4. Grant service access to Hyper Protect Crypto Services. You must be the account owner or an administrator for the instance of Hyper Protect Crypto Services that you're working with. You must also have at least Viewer access for the App ID service.
    1. Go to Manage > Access IAM > Authorizations.
    2. Create an authorization to allow access to Hyper Protect Crypto Services.
    3. Select the source account.
    4. Select App ID as your source service.
    5. Select Hyper Protect Crypto Services as your target service.
    6. Specify the scope of the access.
    7. Assign the Reader role.
    8. Click Authorize.
  5. Create an instance of the App ID service.
    1. Select your Hyper Protect Crypto Services instance.
    2. Select the root key that you previously authorized.
    3. Click Create.

App ID supports the following state changes to your key.

Rotating your keys

When you rotate your KEK, App ID rewraps the DEKs associated with the rotated key, ensuring your user data is always protected with your up-to-date encryption key.

Deleting your keys

When you delete your KEK, user data becomes inaccessible within 4 hours of deletion. Although user data is not destroyed when a key is deleted, App ID is no longer able to decrypt the user data, making it inaccessible.

Deleting your data in App ID

When you delete an instance of App ID, all the user-associated data is also deleted. When the service instance is deleted, a 7-day reclamation period begins. During that time, you can restore the instance and all the user-associated data. However, if the instance and data are permanently deleted, they cannot be restored. App ID does not store any data from permanently deleted instances.

The App ID data retention policy describes how long your data is stored after you delete the service. The data retention policy is included in the App ID service description, which you can find in the IBM Cloud Terms and Notices.

Deleting an instance

If you no longer need an instance of App ID, you can delete the service instance and all the data that is stored in it. The following steps use the IBM Cloud CLI; you can also delete your service instance by using the console.

  1. Delete the service and place it in a reclamation period of 7 days.

    ibmcloud resource service-instance-delete <serviceName>

  2. Optional: To permanently delete your instance, get the reclamation ID.

    ibmcloud resource reclamations --resource-instance-id <tenantID>

    If you choose not to permanently delete the instance, the instance and data are still deleted at the end of the 7-day reclamation period.

  3. Optional: Permanently delete the reclamation instance.

    ibmcloud resource reclamation-delete <reclamationID>

    If you permanently delete the instance, you cannot restore your data.

Restoring a deleted instance

If you didn't permanently delete your instance, you can restore it during the reclamation period.

  1. Get the reclamation ID.

    ibmcloud resource reclamations --resource-instance-id <tenantID>
    
  2. Restore the reclamation.

    ibmcloud resource reclamation-restore <reclamationID>