Encrypting a bucket with Key Protect
While all data stored in Cloud Object Storage is automatically encrypted using randomly generated keys, some workloads require that the keys can be rotated, deleted, or otherwise controlled by a key management system (KMS) like Key Protect.
Before you begin
Before you plan on using Key Protect with Cloud Object Storage buckets, you need:
You will also need to ensure that a service instance is created by using the IBM Cloud catalog and appropriate permissions are granted. This tutorial does not outline the step-by-step instructions to help you get started. This information is found in section Server-Side Encryption with IBM Key Protect (SSE-KP)
Create a new encryption key
- Using the Navigation Menu, go to Resource List and expand Security.
- Click a Key Protect instance.
- Click the Add button.
- Click the Root key tab.
- Enter a Key name.
- Click Advanced Option and enter a Key description.
- Click the Add key button. Your new encryption key is listed in the Keys table.
Create a new bucket and associate the key with it
- Using the Navigation Menu, go to Resource List and expand Storage.
- Click your Storage instance.
- Click Create bucket.
- Click Create in the Create a Custom Bucket pane.
- Enter a unique bucket name.
- Select Resiliency>Regional.
- Select a Location.
- Select a Storage Class.
- Enable Service integrations>Encryption>Key management.
- Click Key Protect>Use existing instance.
- Select the Search by instance tab in the Key Protect integration side panel.
- Select a Key Protect instance from the menu.
- Select the Key name that you just created.
- Click the Associate key button.
- Click the Create bucket button. A popup message displays that a bucket was created successfully.
- Confirm by clicking the Configuration tab.
- Click Jump to>Key management (or scroll down the page).
- In the Associated key management services box see Service instance and the Key that was associated with the bucket.