IBM Cloud Docs
Managing encryption

By default, customer data in Event Notifications is encrypted at rest using a randomly generated key. Although this default encryption model provides at-rest security, you might need a higher level of control. For these use cases, Event Notifications supports customer-managed encryption with the following IBM Cloud® Key Management Services:

  • IBM® Key Protect for IBM Cloud® (Bring Your Own Key - BYOK) helps you provision encrypted keys for apps across IBM Cloud services. As you manage the lifecycle of your keys, you can benefit from knowing that your keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) that protect against the theft of information. You can find out more about using Key Protect in the Getting Started tutorial.
  • Hyper Protect Crypto Services (Keep Your Own Key - KYOK) is a single-tenant, dedicated HSM that is controlled by you. The service is built on FIPS 140-2 Level 4-certified hardware, the highest offered by any cloud provider in the industry. You can find out more about using Hyper Protect Crypto Services in the Getting Started tutorial.

These services allow the use of a customer-provided key to control encryption. By disabling or deleting this key, you can prevent any further access to the data stored by the service, because it is no longer possible to decrypt it.

Consider using customer-managed keys if you require the following features:

  • Encryption of data at-rest controlled by your own key.
  • Explicit control of the lifecycle of data stored at rest.

Customer-managed keys are available on the Standard plan only.

Deletion of the customer-managed key is non-recoverable and will result in the loss of any data stored in your Event Notifications instance.

What is not covered by customer-managed encryption

If the customer-managed encryption feature is selected, be aware that only customer data is covered by it. Other data related to the use of the service is still encrypted at rest by Event Notifications, but not under your key.

Do not put confidential information in client metadata.

How customer-managed encryption works

Event Notifications uses a concept called envelope encryption to implement customer-managed keys.

Envelope encryption is the practice of encrypting one encryption key with another encryption key. The key used to encrypt the actual data is known as a data encryption key (DEK). The DEK itself is never stored in the clear; instead it is wrapped by a second key, known as the key encryption key (KEK), to create a wrapped DEK.

To decrypt data, the wrapped DEK must first be unwrapped to get the DEK. This process is possible only by accessing the KEK, which in this case is your root key stored in either Key Protect or Hyper Protect Crypto Services.

You own the KEK, which you create as a root key in the Hyper Protect Crypto Services or Key Protect service. The Event Notifications service never sees the root key (KEK). Its storage, management, and use to wrap and unwrap the DEK are performed entirely within the key management service. If you disable or delete the key, the data can no longer be decrypted.

Enabling a customer-managed key for Event Notifications

Complete the following steps to provision your Event Notifications instance to use a customer-managed key:

  1. Provision an instance of Key Protect or Hyper Protect Crypto Services.

  2. Create an authorization policy to allow the Event Notifications service to access the key management service instance as a Reader. For more information, see Using authorizations to grant access between services.

  3. Create or import a root key into your key management service instance.

  4. Retrieve the Cloud Resource Name (CRN) of the key using the View CRN option in the key management service instance GUI.

  5. Provision an instance of Event Notifications. This feature is supported on the Standard plan only.

Using a customer-managed key

After a customer-managed key is enabled, your Event Notifications instance operates as normal, but with the following additional capabilities:

Preventing access to data

To temporarily prevent access, you can disable your root key. As a consequence, Event Notifications can no longer access the data because it can no longer access the key.

To remove access permanently, you can delete the key. However, you must take extreme caution because this operation is non-recoverable. You will lose access to any data stored in your Event Notifications instance. There is no way to recover this data.

In both cases, the Event Notifications instance shuts down and no longer accepts or processes connections. An Activity Tracker event is generated to report the action. For more information, see Event Notifications events.

The authorization between your Event Notifications instance and the key management service instance should remain in place at all times. Removing this authorization prevents Event Notifications from accessing your data in the future, but data that is already in use continues to be available for a period of time.

You are charged for your instance of Event Notifications until you deprovision it using the IBM Cloud console or CLI. These charges still apply even if you choose to prevent access to your data.

Restoring access to data

Access can be restored only if the key was not deleted. To restore access, re-enable your root key. After a short period of initialization, your Event Notifications instance is restarted and starts accepting connections again. All data is retained, subject to the normal retention limits configured in your instance.

An Activity Tracker event is generated to report the action. For more information, see Activity Tracker events.

Rotating the key

Key Protect and Hyper Protect Crypto Services support rotating root keys, either on demand or on a schedule. When a rotation occurs, Event Notifications adopts the new key by rewrapping the DEK, as described in "How customer-managed encryption works".

An Activity Tracker event is generated to report the action. For more information, see Activity Tracker events.
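The envelope-encryption flow from "How customer-managed encryption works", together with the disable, re-enable, rotate and delete behaviour described in the sections above, as a self-contained Python illustration. This is an added example, not IBM's code or the Event Notifications implementation: `SimulatedKMS`, `EnvelopeStore`, `lifecycle_demo` and the HMAC-based stand-in cipher are assumptions made for the example, and the sample record is constructed.

```python
"""Envelope encryption against a simulated KMS (added illustration, not IBM's code).

SimulatedKMS stands in for Key Protect or Hyper Protect Crypto Services; the cipher
stands in for AES-GCM and is built from hashlib/hmac so the example runs offline."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR).
    return b"".join(hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Domain-separated from the keystream inputs by the "tag" prefix.
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KeyUnavailable(Exception):
    """The root key is disabled or deleted, so nothing can be unwrapped."""

class SimulatedKMS:
    """Holds the root key (KEK). Only wrapped DEKs cross this boundary; the root
    key material itself is never handed to the caller."""
    def __init__(self) -> None:
        self._versions = [os.urandom(32)]  # root key material, newest version last
        self.state = "enabled"
    def _check(self) -> None:
        if self.state != "enabled":
            raise KeyUnavailable(f"root key is {self.state}")
    def wrap(self, dek: bytes) -> bytes:
        self._check()
        latest = len(self._versions) - 1
        return struct.pack(">I", latest) + encrypt(self._versions[latest], dek)
    def unwrap(self, wrapped: bytes) -> bytes:
        self._check()  # earlier versions are kept, so older wrapped DEKs still unwrap
        return decrypt(self._versions[struct.unpack(">I", wrapped[:4])[0]], wrapped[4:])
    def rewrap(self, wrapped: bytes) -> bytes:
        return self.wrap(self.unwrap(wrapped))  # re-issue under the latest version
    def rotate(self) -> None:
        self._versions.append(os.urandom(32))
    def disable(self) -> None:
        self.state = "disabled"
    def enable(self) -> None:
        if self.state == "deleted":
            raise KeyUnavailable("a deleted root key cannot be re-enabled")
        self.state = "enabled"
    def delete(self) -> None:
        self.state, self._versions = "deleted", []  # non-recoverable

class EnvelopeStore:
    """Stand-in for the service's data store: it holds only the wrapped DEK and
    ciphertext, and must call the KMS every time it reads or writes data."""
    def __init__(self, kms: SimulatedKMS) -> None:
        self.kms, self.records = kms, {}
        self.wrapped_dek = kms.wrap(os.urandom(32))  # plaintext DEK is not retained
    def put(self, name: str, data: bytes) -> None:
        self.records[name] = encrypt(self.kms.unwrap(self.wrapped_dek), data)
    def get(self, name: str) -> bytes:
        return decrypt(self.kms.unwrap(self.wrapped_dek), self.records[name])
    def on_root_key_rotated(self) -> None:
        self.wrapped_dek = self.kms.rewrap(self.wrapped_dek)  # ciphertext untouched

def lifecycle_demo() -> dict:
    """Disable, re-enable, rotate, then delete the root key; returns what was observed."""
    kms, seen = SimulatedKMS(), {}
    store = EnvelopeStore(kms)
    store.put("sub", b"subscription: topic=alerts dest=email")  # constructed sample record
    kms.disable()
    try:
        store.get("sub")
    except KeyUnavailable:
        seen["read_while_disabled"] = "blocked"
    kms.enable()
    seen["read_after_enable"] = store.get("sub")
    old_wrapped, old_ct = store.wrapped_dek, store.records["sub"]
    kms.rotate()
    store.on_root_key_rotated()
    seen["wrapped_dek_changed"] = store.wrapped_dek != old_wrapped
    seen["ciphertext_changed"] = store.records["sub"] != old_ct
    seen["read_after_rotate"] = store.get("sub")
    kms.delete()
    try:
        kms.enable()
    except KeyUnavailable:
        seen["enable_after_delete"] = "blocked"
    return seen
```

Calling `lifecycle_demo()` shows that a disabled root key blocks every read, re-enabling restores access, rotation changes only the wrapped DEK while the stored ciphertext is left alone, and a deleted key cannot be enabled again. The simulation keeps earlier root-key versions so a DEK wrapped before rotation still unwraps until it is rewrapped; the real key management services, not this stand-in, define the actual retention behaviour.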

Disabling customer-managed encryption

After enabling customer-managed encryption, it is not possible to disable it. Instead, you must delete the service instance and create a new instance.