IBM Cloud Docs
Protecting your data with envelope encryption - Standard Plan

Envelope encryption is the practice of encrypting data with a data encryption key (DEK) and then wrapping the DEK with a root key that you can fully manage. The root keys in a Hyper Protect Crypto Services service instance are in turn wrapped and protected by the hardware security module (HSM) master key, which encrypts the whole key hierarchy, including root keys and standard keys.

With envelope encryption, Hyper Protect Crypto Services protects your at-rest data with advanced encryption and offers the following benefits:

Table 1. Benefits of customer-managed encryption

Customer-managed encryption keys
With the service, you can provision root keys to protect the security of your encrypted data in the cloud. Root keys serve as key-wrapping keys, which help you manage and safeguard the data encryption keys (DEKs) provisioned in IBM Cloud data services. You decide whether to import your existing root keys, or have Hyper Protect Crypto Services generate root keys on your behalf.
Confidentiality and integrity protection
Hyper Protect Crypto Services uses the Advanced Encryption Standard (AES) algorithm in Cipher Block Chaining (CBC) mode to create and protect keys. When you create keys in the service, Hyper Protect Crypto Services generates them in the Hyper Protect Crypto Services instance, and the master key encrypts them so that only you have access.
Cryptographic shredding of data
If your organization detects a security issue, or your application no longer needs a set of data, you can choose to shred the data permanently from the cloud. When you delete a root key that protects other DEKs, you ensure that the keys' associated data can no longer be accessed or decrypted.
Delegated user access control
By assigning Cloud Identity and Access Management (IAM) roles, Hyper Protect Crypto Services supports a centralized access control system to enable granular access for your keys. For more information, see Granting access to keys.

Keys in envelope encryption

The following keys are used in envelope encryption for the advanced encryption and management of data.

Master keys
Master keys, also known as HSM master keys, are encryption keys that are used to protect the Hyper Protect Crypto Services instances. The master key provides full control of the hardware security module and ownership of the root of trust that encrypts the entire hierarchy of keys, including root keys and standard keys.
Root keys
Root keys, also known as customer root keys (CRKs), are primary resources in Hyper Protect Crypto Services. They are symmetric key-wrapping keys that are used as roots of trust for wrapping (encrypting) and unwrapping (decrypting) other keys that are stored in a data service. With Hyper Protect Crypto Services, you can create, store, and manage the lifecycle of root keys to achieve full control of other keys stored in the cloud.
Data encryption keys
Data encryption keys (DEKs) are cryptographic keys that you use for data encryption. They are provided by user-owned applications and are used to encrypt data stored in applications. Root keys that are managed in Hyper Protect Crypto Services serve as wrapping keys to protect DEKs.

After you create a key in Hyper Protect Crypto Services, the system returns a key ID that is used to uniquely identify the key resource. You can use this ID value to make API calls to the service.

How it works

Envelope encryption layers two encryptions to protect your sensitive data in the cloud: data is encrypted with a data encryption key (DEK), and one or more DEKs are then wrapped with a root key that you can fully manage. The key wrapping process creates wrapped DEKs, so the stored data cannot be decrypted by anyone who cannot unwrap them. Unwrapping a DEK reverses the process with the same root key and returns the decrypted and authenticated DEK.

Root keys that are managed in a Hyper Protect Crypto Services service instance are themselves encrypted by the master key, which gives you control of the entire key hierarchy.

The following diagram shows a contextual view of envelope encryption.

Figure 1. Contextual view of envelope encryption

Envelope encryption is treated briefly in the NIST Special Publication 800-57, Recommendation for Key Management. To learn more, see NIST SP 800-57 Pt. 1 Rev. 4

Wrapping keys

Root keys help you group, manage, and protect data encryption keys (DEKs) stored in the cloud. You can wrap one or more DEKs with advanced encryption by designating a root key in Hyper Protect Crypto Services that you can fully manage.

After you designate a root key in Hyper Protect Crypto Services, you can send a key wrap request to the service by using the Hyper Protect Crypto Services key management service API. The key wrap operation provides both confidentiality and integrity protection for a DEK.

The following diagram shows the key wrapping process in action.

Figure 2. Wrapping data

Unwrapping keys

Unwrapping a data encryption key (DEK) decrypts and authenticates the wrapped key material, returning the original DEK to your data service.

If your business application needs to access the contents of your wrapped DEKs, you can use the Hyper Protect Crypto Services key management service API to send an unwrap request to the service. To unwrap a DEK, you specify the ID value of the root key and the ciphertext value returned during the initial wrap request.

The following diagram shows key unwrapping in action.

Figure 3. Unwrapping data

After you send the unwrap request, the system reverses the key wrapping process by using the same AES algorithm. A successful unwrap operation returns the base64-encoded plaintext value of the DEK to your IBM Cloud data-at-rest service.
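The whole flow described in the preceding sections, from DEK generation through wrapping, storage, unwrapping and cryptographic shredding, as an added example in Go. This is not code from the page or from IBM: the RootKeyService interface, the Envelope type, the function names and the record and root key IDs are this example's own, and the wrap happens in an in-memory stand-in so the program runs offline. In production the two interface methods map onto the wrap and unwrap requests of the key management service API: Wrap sends the DEK as the base64-encoded plaintext and keeps the returned ciphertext, Unwrap sends the root key ID and that ciphertext and decodes the base64 plaintext. The stand-in wraps with AES-256-GCM; that is a choice of this example, not a statement about the algorithm the service uses inside the HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// RootKeyService is the slice of the key management service API that envelope
// encryption needs: the plaintext DEK crosses this boundary, the root key never does.
type RootKeyService interface {
	Wrap(rootKeyID string, dek []byte) ([]byte, error)
	Unwrap(rootKeyID string, wrapped []byte) ([]byte, error)
}

// Envelope is what the application persists; the plaintext DEK never is.
type Envelope struct {
	RootKeyID  string
	WrappedDEK []byte // the ciphertext returned by the wrap request
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // a bad key size or a failed CSPRNG read is a bug, not a runtime condition
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func aesGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// gcmSeal and gcmOpen prepend the nonce; aad ties the ciphertext to its context.
func gcmSeal(key, plaintext, aad []byte) []byte {
	aead := aesGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, data, aad []byte) ([]byte, error) {
	aead := aesGCM(key)
	if n := aead.NonceSize(); len(data) >= n {
		return aead.Open(nil, data[:n], data[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Seal: fresh 256-bit DEK, encrypt with it, wrap it under the root key, forget it.
func Seal(kms RootKeyService, rootKeyID string, plaintext, aad []byte) (*Envelope, error) {
	dek := randomBytes(32)
	wrapped, err := kms.Wrap(rootKeyID, dek)
	if err != nil {
		return nil, fmt.Errorf("wrap DEK: %w", err)
	}
	return &Envelope{RootKeyID: rootKeyID, WrappedDEK: wrapped, Ciphertext: gcmSeal(dek, plaintext, aad)}, nil
}

// Open fails if the root key was deleted (shredding) or anything was altered.
func Open(kms RootKeyService, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := kms.Unwrap(env.RootKeyID, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, aad)
}

// LocalRootKeys stands in for the service so the example runs offline: root keys
// by ID, wrapped with AES-256-GCM (the real service wraps inside the HSM with its
// own algorithm). delete(kms, id) models deleting the root key.
type LocalRootKeys map[string][]byte

func (l LocalRootKeys) Wrap(id string, dek []byte) ([]byte, error) {
	if rk, ok := l[id]; ok {
		return gcmSeal(rk, dek, []byte(id)), nil
	}
	return nil, fmt.Errorf("root key %s does not exist", id)
}

func (l LocalRootKeys) Unwrap(id string, wrapped []byte) ([]byte, error) {
	if rk, ok := l[id]; ok {
		return gcmOpen(rk, wrapped, []byte(id))
	}
	return nil, fmt.Errorf("root key %s does not exist", id)
}

func main() {
	kms := LocalRootKeys{"crk-1": randomBytes(32)} // constructed ID, not a real key ID
	env, _ := Seal(kms, "crk-1", []byte("balance=1200"), []byte("record-42"))
	pt, err := Open(kms, env, []byte("record-42"))
	delete(kms, "crk-1") // shred the root key: the record is now unrecoverable
	_, shredErr := Open(kms, env, []byte("record-42"))
	fmt.Printf("open: %q err=%v; after root key deletion: %v\n", pt, err, shredErr)
}
```

Three properties of the scheme are visible when you run it: the plaintext DEK exists only inside Seal and Open and is never written anywhere; the root key ID and the wrapped DEK are the only key-related state the application stores, so an attacker who copies the data store gets nothing usable without an unwrap call that IAM authorizes; and deleting the root key is enough to make every record wrapped under it unrecoverable, which is what the cryptographic shredding row of Table 1 relies on. Bind the record identifier into the data ciphertext as additional authenticated data (the aad argument here) so that a wrapped DEK and ciphertext cannot be transplanted from one record to another.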

What's next

Hyper Protect Crypto Services integrates with other IBM Cloud services. With envelope encryption, it protects the data that is stored in those integrated services.