IBM® Key Protect and encryption keys

The IBM® Key Protect for IBM Cloud® (IBM Key Protect) service helps you provision and store encrypted keys for applications across IBM Cloud services, so you can see and manage data encryption and the entire key lifecycle from one central location.

With customer-managed encryption, you can bring your own custom root key (CRK) to the cloud or have a key management service (KMS) generate a key for you. You use root keys to encrypt resources across regions. You can encrypt resources with a key that is stored in your regional KMS instance, and you can use root keys from another region.

IBM Key Protect instances for your IBM Spectrum LSF cluster

Use an IBM Key Protect instance regardless of whether you have the IBM Spectrum LSF cluster deployment process create one for you or integrate an existing one.

Creating an IBM Key Protect instance and key

Automatically encrypt infrastructure resources through IBM Key Protect for your IBM Spectrum LSF cluster. To enable this feature for your cluster, always keep the enable_customer_managed_encryption deployment input value as true. The deployment process creates an IBM Key Protect instance and a specific key to encrypt these resources:

  • IBM® Cloud Block Storage for Virtual Private Cloud (Cloud Block Storage)
  • IBM Cloud® File Storage for VPC
  • IBM Cloud® Object Storage

If the value for enable_customer_managed_encryption is set as false, then the deployment process does not automatically create IBM Key Protect instances or keys and all infrastructure resources are encrypted through provider-managed encryption.

Integrating an existing IBM Key Protect instance and key

If you have an existing IBM Key Protect instance and an encryption key, set the enable_customer_managed_encryption deployment input value as true, and then provide the instance ID for the kms_instance_id deployment input variable and the encryption key name for the kms_key_name deployment input variable. The deployment process then uses these values to encrypt all infrastructure resources for your IBM Spectrum LSF cluster. If you provide an existing IBM Key Protect instance, you should create the required authorisation policy for this instance.
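
The following pre-deployment check is an added example, not IBM code: it classifies which encryption mode a set of deployment inputs selects, using the three input names from this page. The dict input format, the function names, the mode labels, and the "needs-review" outcome for a missing flag or a half-specified instance/key pair are assumptions, because the page does not describe those cases.

```python
# Added example: classify the encryption mode implied by the three deployment
# inputs named on this page. The dict format, function names and the
# "needs-review" outcome are assumptions for illustration, not IBM code.

def _as_bool(value):
    """Accept booleans or the strings "true"/"false" often found in input files."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"enable_customer_managed_encryption is not boolean: {value!r}")

def classify_encryption(inputs):
    """Return (mode, findings) for a dict of deployment inputs."""
    if "enable_customer_managed_encryption" not in inputs:
        return "needs-review", ["enable_customer_managed_encryption is not set explicitly"]
    enabled = _as_bool(inputs["enable_customer_managed_encryption"])
    instance_id = (inputs.get("kms_instance_id") or "").strip()
    key_name = (inputs.get("kms_key_name") or "").strip()

    if not enabled:
        findings = ["provider-managed encryption: no Key Protect instance or key is created"]
        if instance_id or key_name:
            findings.append("kms_instance_id/kms_key_name are set but the flag is false")
        return "provider-managed", findings
    if instance_id and key_name:
        return "existing-instance", ["confirm the authorisation policy exists for this instance"]
    if instance_id or key_name:
        # The page does not say how a half-specified pair is handled; flag it.
        missing = "kms_key_name" if instance_id else "kms_instance_id"
        return "needs-review", [f"{missing} is missing; the page asks for both values"]
    return "created-by-deploy", []

if __name__ == "__main__":
    # Constructed sample inputs (placeholder values, not real identifiers).
    samples = [
        {"enable_customer_managed_encryption": True},
        {"enable_customer_managed_encryption": "false", "kms_key_name": "example-key"},
        {"enable_customer_managed_encryption": True, "kms_instance_id": "example-instance-id",
         "kms_key_name": "example-key"},
        {"enable_customer_managed_encryption": True, "kms_key_name": "example-key"},
    ]
    for sample in samples:
        print(classify_encryption(sample))
```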