Encrypting a bucket with Key Protect

Before you begin

Before you plan on using Key Protect with Cloud Object Storage buckets, you need:

• An IBM Cloud™ Platform account
• An instance of IBM Cloud Object Storage

You will also need to ensure that a service instance is created by using the IBM Cloud catalog and appropriate permissions are granted. This tutorial does not outline the step-by-step instructions to help you get started. This information is found in section Server-Side Encryption with IBM Key Protect (SSE-KP)

Create a bucket

When your key exists in Key Protect and you authorize a service for use with IBM COS, associate the key with a new bucket:

1. Navigate to your instance of Object Storage.
2. Click Create bucket.
3. Select Custom bucket.
4. Enter a bucket name, select the Regional resiliency, and choose a location and storage class.

You can choose to use Key Protect to manage encryption for a bucket only at the time of creation. It isn't possible to change an existing bucket to use Key Protect.

Choose KP encryption

1. Scroll down to Service integrations (optional), toggle Key management disabled to enable encryption key management and click on Create new instance.
2. Choose a region that corresponds with the bucket, give it a memorable name, and click Create and continue.
3. Give the root key a name and click Create and continue.
4. Verify the information is correct.
5. Click Create bucket.

If bucket creation fails with a 400 Bad Request error with the message The Key CRN could not be found, ensure that the CRN is correct and that the service to service authorization policy exists.

In the Buckets listing, the bucket has a View link under Attributes where you can verify that the bucket has a Key Protect key enabled.

Verify that it works

1. When viewing the bucket, click the Configuration tab to verify that the bucket has Key Protect enabled.
2. Scroll down to Advanced configurations and locate Associated key management service .
3. Verify the information is correct.ß