Release notes for Key Protect

01 January 2025

Key Protect announces the availability of a new Cross-region resliency pricing plan. Users who want the enhanced cross regional resliency of this plan can either create a new instance using this plan or switch existing instances to this plan. For more information, check out Pricing for Key Protect on IBM Cloud.

Additionally, the pricing plan formerly known as "Key version pricing" has been renamed "Standard", and does not have enhanced cross regional resiliency. Also, the five free key versions per account has been discontinued.

01 July 2024

Key Protect announces the availability of:

• The ability to manage key management interoperability protocol (KMIP) adapters using Terraform
• The ability to list kmip_adapters associated with a specific crk_id using the API, CLI, and SDK.
• The ability to force delete a kmip_object using the API.

23 April 2024

Key Protect announces native support in the UI, CLI, SDK, and API for key management interoperability protocol (KMIP) adapters, an alternative to the KMIP for VMWare solution offering on IBM Cloud.

13 February 2024

Key Protect announces that adding a key description is now available as an option in the control plane (UI).

Key Protect also announces the ability to access private endpoints using the Key Protect control plane UI, allowing users to create and manage keys for instances using a private endpoint (for example, in a Satellite location). Similarly, keys created using the CLI or the SDK or related method can now be seen and updated using the UI.

15 December 2023

Key Protect announces that IBM® Key Protect for IBM Cloud® on Satellite is now available in the IBM Cloud eu-de Multi-Zone Region (MZR). Previously, only the us-east region was available.

For more information about IBM® Key Protect for IBM Cloud® on Satellite, check out About IBM® Key Protect for IBM Cloud® on Satellite.

9 November 2023

Key Protect announces the availability of:

• The ability to add a description to a key using Terraform.
• The ability to force delete a key ring using the API, Terraform, and the CLI.

15 September 2023

Key Protect announces that it is now live in the Madrid MZR. For more information about the regions in which Key Protect is available, check out Regions and endpoints.

12 September 2023

Key Protect announces the availability of the ability to add a description to a key using the CLI.

30 August 2023

Because Key Protect does not allow instances that have keys in them to be deleted, it is required that any keys in an instance be deleted before the instance itself can be deleted. However, because of the "soft" deletion of keys, it is possible that a user might delete a key and then soon after delete an instance. This deletion of the instance also permanently deletes the key, even if the deletion of the key is recent enough to have made it eligible to be restored.

For this reason, Key Protect now supports the reclamation of instances for a short time after they have been deleted. To see if your instance can be reclaimed, check out Listing reclaimed resources by using the CLI. For the commands on reclaiming the resource (the instance in this case), check out Restoring a resource by using the CLI.

For more information about restoring keys, check out Restoring keys.

27 June 2023

The 0.8.0 version of the Key Protect CLI is now available. This version includes support for counting the number of key versions regardless of whether the key is in an active state. Also, this version of the CLI includes native support for Macs that use an Apple Silicon processor. Previously, users received a warning during the installation of the Key Protect CLI plugin.

24 May 2023

Key Protect announces a new integration with Power Virtual Server for AIX and Linux.

The integration with AIX allows you to use Power Virtual Server to leverage AIX file systems with the keysvrmgr and hdcryptmgr command. For more information, check out Using Hyper Protect Crypto Services (HPCS) and Key Protect for AIX.

The Power Virtual Server for Linux integration prevents Linux Unified Key Setup (LUKS) encryption keys from being compromised using Key Protect as a single point of control to enable or disable access to data across the enterprise. This is done by successively wrapping encryption keys, with the ultimate control being a master key that resides in a hardware security module (HSM). For more information, check out Using Hyper Protect Crypto Services (HPCS) or Key Protect for Linux and Protect LUKS encryption keys with IBM Cloud Hyper Protect Crypto Services and Key Protect.

14 April 2023

The IBM® Key Protect for IBM Cloud® on Satellite Pricing plan is now active. Unlike the pricing for Key Protect on IBM Cloud, the pricing for Key Protect on Satellite is not based on key versions. Instead, reflecting the different use cases and infrastructure maintenance requirements for Satellite-based deployments, users are charged a flat rate for each location where they want Key Protect installed and then an additional rate depending on the quota of keys they select at deployment time.

For more information about IBM® Key Protect for IBM Cloud® on Satellite, check out About IBM® Key Protect for IBM Cloud® on Satellite.

24 March 2023

The price per key version in IBM Cloud has risen 4.5% in staging, an increase from USD1 to USD1.045. This price increases in production on April 1, 2023 and applies to all new and existing key versions. For more information, check out Pricing.

3 February 2023

IBM® Key Protect for IBM Cloud® announces ability to view number of key versions for keys in all states

Previously, the List key versions API endpoint would return an HTTP 409 if a key was not in an Active (1) state. When a new parameter, allKeyStates, is passed as true, it returns the number of versions of a key even if the key is no longer active. Similarly, an HTTP 410 used to be returned for keys in a Destroyed (5) state. Now, if allKeyStates is passed as true, the number of versions of the destroyed key is returned.

For more information, check out Viewing key versions.

2 December 2022

IBM® Key Protect for IBM Cloud® announces new features for the Terraform plugin as part of v1.48.0

New features include support of instance policies (for example, to set a default key rotation period), the ability to create a key and override any instance rotation policies that might exist, and the ability to enable or disable a rotation policy on a key. Also, a known bug with the endpoint URL was fixed via the environment variable.

14 October 2022

IBM® Key Protect for IBM Cloud® announces new features for the CLI Plugin

New features include support for creating instance rotation policies using the UI and the CLI as well as the ability to enable and disable rotation policies for an individual key at key creation time using the UI and the CLI. Also, the latest release includes enhanced filtering for keys the UI and the CLI.

7 October 2022

IBM® Key Protect for IBM Cloud® announces new features for the API

A new Create Key with Policy Overrides method and filter parameter used in the GET keys method highlight the ease of setting security policies on user-specified targets. In addition, you can now set instance policies on multiple options, like authorizing dual deletion and rotation, with the ability to enable and disable specific policies.

24 August 2022

IBM® Key Protect for IBM Cloud® announces a new release of the CLI plugin

The new version supersedes the old version and upgrading your installation is recommended. New features include support for the new search parameter to filter the list of keys returned from the keys command and support also for the new sort parameters to order the list of keys returned from the keys command.

22 June 2022

IBM® Key Protect for IBM Cloud® announces new features

Added support for sorting a list of keys returned by the service based on one or more key properties. Sorting keys will first be available in the API. For more information, see the parameter for sorting keys using the GET /keys method from the API.

25 May 2022

IBM® Key Protect for IBM Cloud® announces new features

Added support for searching a list of keys returned by the service, limiting the number of keys returned. Searching keys will first be available in the UI as well as from the API. For more information, see Viewing keys in the console.

08 March 2022

IBM® Key Protect for IBM Cloud® announces new enhancements

Added support for querying the total count of versions of a key using the Key Protect API. And as part of a continuing program of improvement to the Key Protect API, key aliases are now supported as key identifiers in place of key IDs in addition to Retrieving a key. Multiple API methods, like POST, PATCH, and DELETE, and features like key purge, and key restore now include this enhancement. As an enhancement to the Key Protect Key Ring API, optional query parameters have been added to the listing of key rings to support pagination.

15 December 2021

IBM® Key Protect for IBM Cloud® announces new IBM Cloud Satellite support

IBM® Key Protect for IBM Cloud® now supports IBM Cloud Satellite where you use your own compute infrastructure that is in your on-premises data center, other cloud providers, or edge networks to more fully control your own encryption keys by creating your own instance of Key Protect.

• For more information, check out About Key Protect on Satellite.

15 September 2021

Key Protect announces new deprecations

This announcement begins the deprecation of creating policies using the ibm_kms_key resource used with IBM Cloud® Provider Plug-in for Terraform. While migrating your code to use the new Key Policies, please refrain from using the existing resource unless setting the Lifecycle "ignore" policies block. As part of continued migration and improvement, the algorithmBitSize, algorithmMode, algorithmType and algorithmMetadata fields will no longer be operational within the Key Protect API.

08 September 2021

Announcing Key Protect support for IBM Cloud® Provider Plug-in for Terraform enhancements

IBM Cloud® Provider Plug-in for Terraform now supports creating and retrieving Key Policies when creating and retrieving keys through IBM Cloud Provider Plug-in for Terraform as a separate resource.

04 September 2021

Announcing Key Protect CLI plug-in v.0.6.5

The release of Key Protect CLI version 0.6.5 introduces new structures for empty results when querying. Learn more at the CLI reference.

05 August 2021

Announcing Key Protect support for key purge enhancements

The ability to purge keys that have been deleted after four hours using the UI has been added. For more information, check out About purging and deleting keys. Also, the ability to view your instance ID and cloud resource name (CRN) has been made easier. For more information, check out Retrieving your instance ID and cloud resource name (CRN).

30 June 2021

Announcing Key Protect CLI plug-in v.0.6.3

The Key Protect CLI plugin has been updated to version 0.6.3. Minor changes in this release include support for IBM Cloud® Hyper Protect Crypto Services specific algorithms in Key Create and Key Rotate.

22 April 2021

Key Protect announces changes to the console

Many of the panels and actions you can take in the console have been modified to accommodate the addition of key rings and add other functionality to the console that previously was only possible using the APIs. This includes a new Key rings panel where key rings can be managed and a Key ring ID column in the Keys panel.

• Note that as part of this change, the Instance policies and Manage keys panels in the console have been renamed Instance policies and Keys respectively.
• This release also adds the ability to use the API to purge keys four hours after they have been moved to the Destroyed state. For more information, check out About deleting and purging keys.
• The ability to purge keys using the UI was added in the August, 2021 release.

12 March 2021

Key Protect supports key transfers in key rings

You can now use the Key Protect API to transfer a key from one key ring to another key ring. In order to move a key, you must have Manager IAM access permissions to both the key and the target key ring, which is the key ring that you would like the key to be transferred to. To find out more, see Grouping keys. Also, support for aliases and key-rings brings best practices to using the Key Protect CLI plug-in. Learn more about all of the new features in the CLI changelog.

25 February 2021

The process to restore keys has been enhanced

Deleted keys can now be restored up to 30 days after deletion. After 30 days, it is no longer possible to restore a key. Any and all types of keys (standard or root, imported or created) can be restored. It is no longer required to pass in key material when restoring a key. For more information, check out Restoring keys. Rotating keys and re-wrapping encrypted content with a new DEK is fundamental to security. Quickly retrieve keys having extractable content with this search feature.

15 February 2021

Key Protect announces UI enhancements

Managing keys through the UI interface has been enhanced with new options presented in a simple and convenient selectable option menu within the context of each managed key. Simply click on the "overflow" icon (⋯) at the end of each row to access common features and UI enhancements.

• Note that "Associated Resources" are now accessible within the context of each key in the console, as well as having its own item in the menu. Also, setting a key's rotation policy is now possible in the same panel where a key can be manually rotated.
• Also, the list of endpoints in the console has grown with the addition of Osaka. You can now update your applications to reference the new endpoint.

Key Protect supports additional UI features

Now, users can Wrap and Unwrap active root keys to provide envelope encryption. For more information, see Protecting data with envelope encryption for an overview.

15 March 2021

Key Protect supports key purge

Beginning in April 2021, Key Protect will implement a key purge feature that will automatically purge any keys that have been deleted for more than 90 days. A purged key and its associated data will be permanently removed, or hard deleted, from the Key Protect database. When a user or service deletes a key in Key Protect today, if the key is not restored within 30 days, the key is soft deleted. All key data, except key material data, remains in Key Protect, and those details are retrievable by List Keys, Get Key and other APIs. Once automatic key purge is introduced, users will not be able to retrieve any information regarding a purged key. Any API calls that use the Key ID of a purged key will result in a 404 HTTP Not Found error.

• Note: A key purge can be reversed by restoring the hard deleted key.
• How will the changes impact my environment? The majority of users will not notice an impact. Please note that any data related to a purged key (key metadata, registrations, policies, etc) will no longer be available via the Key Protect service. If you are required to retain any data related to a purged key (key metadata, registrations, policies, etc) for an extended period of time, it is recommended to perform the necessary API or CLI calls to retrieve and store that data in your own storage device.

05 February 2021

Key Protect supports new UI actions

If you have Manager access permissions, you can filter for keys in the Destroyed state and restore an imported root key via the ⋯ icon on the Keys table. You can use the restore key side panel to complete the process for restoring the key. For more information, see Restoring a deleted key with the console.

Key Protect supports private networks

You can now connect to Key Protect from your virtual private cloud (VPC) via a virtual private endpoint (VPE). VPEs are bound to a VPE gateway and serve as an intermediary that enables your workload to interact with Key Protect.

• To get started, provision a Virtual Private Cloud and create a VPE gateway. For more information, see Using private endpoints.

27 January 2021

Key Protect supports key rings

You can now use the Key Protect REST API to manage access to a specific set of keys that are bundle a collection called a key ring. You can manage and restrict access to key rings to via IAM policies. To find out more, see Grouping keys.

06 January 2021

Restore key process is now improved

If you have Manager access permissions, you can now use the the Key Protect UI to restore all unexpired-deleted keys. For more information, see Restoring keys. You can now use the Key Protect REST API to initiate a manual data synchronization request to to synchronize your service's key records with what is in Key Protect's database records. For more information, see Sync associated resources.

This API is available only for users if a cloud service has enabled the key registiation feature as part of its integration with Key Protect. To learn if an integrated service supports key registration, refer to its service documentation for more information.

11 December 2020

Key Protect supports operational metrics

If you have Manager IAM access permissions, you can now use the Key Protect UI to create a metrics policy that allows you to view the operational metrics for your Key Protect instance. To find out more, see Managing metrics.

01 December 2020

Announcing support for key aliases

If you have Writer or Manager access permissions, you can now use the Key Protect REST API to create a key alias. You can use a key alias to refer to a key in your Key Protect service instance. To find out more, see Creating key aliases.

20 October 2020

Announcing Quantum Safe Cryptography

In preparation for the post-quantum era, you can use a quantum safe enabled TLS connection to secure your communication to the IBM® Key Protect for IBM Cloud® service. To find out more, see Using Quantum Safe Cryptography.

12 October 2020

Key Protect adds access policy UI support

You can set a key creation and importation policy, in the user interface (UI), to restrict how keys are created and imported into your Key Protect service instance. See the updated "Instance policies" pane in the Key Protect UI.

17 September 2020

Key Protect adds access policy API support

You can set a key creation and importation policy, using the API, to restrict how keys are created and imported into your Key Protect service instance. To find out more, see Managing a key create and import access policy.

22 September 2020

Updates to the Key Protect UI

The Key Protect UI now has support for the following feature:

• List keys by key state: You can now use the Key Protect UI to filter and retrieve keys that are in a specified state. For more information, see Viewing keys in the console.
• If you have Manager access permissions, you can filter for keys in the Destroyed state and restore an imported root key via the ⋯ icon on the Keys table. Note: you must include the original Key Material to restore the key.

09 September 2020

Announcing Key Protect CLI plug-in v.0.5.2

The Key Protect CLI plug-in version 0.5.2 was updated with these changes:

• Commands that specify JSON outout (--output json) now return an empty JSON structure if there is no output. The CLI changelog has all CLI updates.

21 July 2020

Announcing Key Protect CLI plug-in v.0.5.1

The Key Protect CLI plug-in is used to manage keys in your instance. To install the Key Protect CLI plug-in, see setting up the CLI. For a detailed explanation of changes in version 0.5.1, see the CLI changelog.

24 June 2020

Updates to the Key Protect UI

The Key Protect UI now has support for the following features:

• Enable/disable key: If you have Manager access permissions, you can now use the Key Protect UI to suspend or restore a key's encrypt and decrypt operations. For more information, see Disabling root keys
• Restore key: If you have Manager access permissions, you can now use the the Key Protect UI to restore a previously imported root key that was deleted. For more information, see Restoring keys.
• Set an instance level dual authorization policy: You can now use the Key Protect UI to require two users to safely delete a key from your Key Protect instance. For more information, see Enabling a dual authorization policy for an instance.
• Set an instance level network policy: You can now use the Key Protect UI to restrict requests to public or private networks. For more information, see Managing Network Access Policies.

19 June 2020

Announcing Key Protect CLI plug-in v.0.5.0

The Key Protect CLI plug-in is used to manage keys in your instance. To install the Key Protect CLI plug-in, see setting up the CLI. For a detailed explanation of changes in version 0.5.0, see the CLI changelog.

29 May 2020

Announcing new IBM Cloud Activity Tracker event field support

Beginning in late May 2020, Key Protect will return updated event fields in IBM Cloud Activity Tracker logs. These updates will be available across all supported regions by 29 May 2020.

• Successful replace registration, update registration, and unwrap key events will change from severity level warning to normal.
• The rewrapedKeyVersionId field will change to rewrappedKeyVersionId.
• The TotalResources field will change to totalResources.
• Why are we making these changes? These changes are required to remove deprecated event fields and support upcoming service enhancements for IBM Cloud Activity Tracker.
• How will the changes impact my environment? This change impacts the event fields that are returned in IBM Cloud Activity Tracker audit logs when you perform Key Protect actions. The change does not impact Key Protect operations. As a security or compliance admin, ensure that the removed and changed event fields do not affect your audit operations.

01 May 2020

Announcing new permissions for existing roles

If you have Writer or Manager access permissions, you can now use the Key Protect REST API to rotate an root key that was initially imported with an import token. To find out more, see Using an import token to rotate a key. If you have Manager access permissions, you can now use the the Key Protect REST API to restore a previously imported root key. To find out more, see Restoring keys. If you have Manager access permissions, you can now use the the Key Protect REST API to suspend or restore a keys encrypt and decrypt operations. To find out more, see Disabling keys.

16 April 2020

Announcing network access policies

You can set a network access policy to allow API requests to a Key Protect instance from public or private networks. To find out more, see Managing network access policies.

14 March 2020

Announcing support for key metadata and key versions

If you have Reader access permissions, you can now use the Key Protect REST API to view only details about a specific standard key without retrieving the key itself. To find out more, see Viewing details about a key. You can now audit the rotation history of a root key by viewing its key versions. After you rotate a root key, the ID of the root key does not change, but Key Protect now returns key version information to help you determine which version of the root key is protecting your data. To find out more, see Viewing key versions.

28 February 2020

Beginning in April 2020, Key Protect will return updated event fields

These updates will be available in IBM Cloud Activity Tracker logs across all supported regions by 15 April 2020. This change impacts the following IBM Cloud Activity Tracker event fields. Affected event fields include removed event fields, such as meta, observer.typeURI, requestHeader, requestPath, responseBody, type, and typeURI. The eventTime field will change from format 2020-02-03T20:20:37+0000 to 2020-02-03T20:20:37Z. The target.name field is currently set to Key Protect. This value will change to the name of the resource on which the operation was performed. For example, the name of the encryption key, or the name of your Key Protect instance. New event fields include requestData and responseData.

• Why are we making these changes? These changes are required to remove deprecated event fields and support upcoming service enhancements for IBM Cloud Activity Tracker.
• How will the changes impact my environment? This change impacts the event fields that are returned in IBM Cloud Activity Tracker audit logs when you perform Key Protect actions. The change does not impact Key Protect operations. As a security or compliance admin, ensure that the removed and changed event fields do not affect your audit operations.

25 February 2020

Support for integrated services and resources

You can now use Key Protect REST APIs to examine which root keys are actively protecting what data so that you can evaluate exposures based on your organization's security or compliance needs. For more information, see View associations between root keys and IBM Cloud resources. This extra feature is available only if a cloud service has enabled it as part of its integration with Key Protect. To learn if an integrated service supports key registration, refer to its service documentation for more information. Also, Key Protect enabled extra security measures to protect against the accidental or malicious deletion of keys.

• Key Protect now blocks the deletion of a root key that's actively protecting a cloud resource. To learn if a key is registered to cloud resource, you can review the resources that are associated with the key.
• You can now force deletion on a key that's protecting a cloud resource.

17 February 2020

Key Protect announces additional roles

Need to grant read-only access to keys? You can now choose between the Reader and ReaderPlus IAM roles for better control over access to key material. To learn more about service access roles, see Managing user access.

15 January 2020

Key Protect announces new dual authorization policies

You can now enable dual authorization policies to safely delete keys from your Key Protect instance. When you enable dual authorization, you require an action from two users to delete a key.

• To learn how to enable dual authorization, see Using dual authorization policies for the deletion of keys.

04 November 2019

Added:

Key Protect is updating its user access roles and how they correspond to Key Protect service actions. Effective 13 November 2019, Key Protect will update access roles accordingly:

• Create keys service action has current role assignments: Administrator, Editor, Writer, Manager; will have new Writer, Manager role or roles.
• Retrieve a key by ID service action has current role assignments: Administrator, Editor, Writer, Manager; will have new Writer, Manager role or roles.
• Retrieve a list of keys service action has current role assignments: Administrator, Editor, Writer, Manager, Viewer, Reader; will have new Reader, Writer, Manager role or roles.
• Wrap keys service action has current role assignments: Administrator, Editor, Writer, Manager, Viewer, Reader; will have new Reader, Writer, Manager role or roles.
• Unwrap keys service action has current role assignments: Administrator, Editor, Writer, Manager, Viewer, Reader; will have new Reader, Writer, Manager role or roles.
• Rewrap keys service action has current role assignments: Administrator, Editor, Writer, Manager, Viewer, Reader; will have new Reader, Writer, Manager role or roles.
• Rotate keys service action has current role assignments: Administrator, Editor, Writer, Manager; will have new Writer, Manager role or roles.
• Set rotation policies service action has current role assignments: Administrator, Manager; will have new Manager role or roles.
• Retrieve rotation policies service action has current role assignments: Administrator, Manager; will have new Manager role or roles.
• Delete a key by ID service action has current role assignments: Administrator, Manager; will have new Manager role or roles.

As an account owner or admin, review the existing access policies for all Key Protect users in your account to ensure that they are assigned the appropriate levels of access. To learn more about Key Protect roles and permissions, see Managing user access.

27 September 2019

Key Protect supports fine-grain access

As an account admin, you can now assign fine-grained access to individual keys within a Key Protect instance. To learn more about granting access, see Granting access to keys.

16 September 2019

Transport keys deprecated, replaced with import tokens

On 20 March 2019, Key Protect announced transport keys as a beta feature for importing encryption keys to the cloud with an extra layer of security. We're happy to announce that the feature has now reached its end of beta period. The following API methods have changed:

• POST api/v2/lockers is now POST api/v2/import_token
• GET api/v2/lockers is now GET api/v2/import_token
• GET api/v2/lockers/{id} is no longer supported

You can now create import tokens to enable added security for keys that you upload to Key Protect.

To find out more about your options for importing keys, check out Bringing your encryption keys to the cloud. For a guided tutorial, see Tutorial: Creating and importing encryption keys.

31 July 2019

Announcing private endpoint support

You can now connect to Key Protect over the IBM Cloud private network by targeting a private endpoint for the service.

• To get started, enable virtual routing and forwarding (VRF) and service endpoints for your infrastructure account. For more information, see Using private endpoints.

22 June 2019

Announcing IBM Cloud Activity Tracker integration

You can now monitor API calls to the Key Protect service by using IBM Cloud Activity Tracker. To learn more about monitoring Key Protect activity, see IBM Cloud Activity Tracker events.

22 May 2019

Key Protect now uses IBM Cloud Hardware Security Module 7.0 for cryptographic storage and operations

Your Key Protect keys are stored in FIPS 140-2 Level 3-compliant, tamper-evident hardware for all regions. To learn more about the features and benefits of IBM Cloud HSM 7.0, check out the product page.

15 May 2019

The legacy Key Protect service, based on Cloud Foundry, reached its end of support on 15 May 2019. : Cloud Foundry-managed Key Protect instances are no longer supported and updates to the legacy service will no longer be provided. Customers are encouraged to use Key Protect instances that are IAM-managed to benefit from the latest features for the service. If you created your Key Protect instance after 15 December 2017, your instance is IAM-managed and it is not affected by this change.

• Need to remove a Key Protect service instance from the Cloud Foundry Services section of your IBM Cloud resource list? You can reach out to us in the Support Center by submitting a request to remove the entry from your console view.

22 March 2019

Announcing rotation policies for root keys

You can now use Key Protect to associate a rotation policy for your root keys. For more information, see Setting a rotation policy. To find out more about your key rotation options in Key Protect, check out Comparing your key rotation options.

20 March 2019

Announcing secure import of encryption keys

Enable the secure import of encryption keys to the cloud by creating transport encryption keys for your Key Protect service. For more information, see Bringing your encryption keys to the cloud.

13 February 2019

Key Protect deprecates Cloud Foundry instances:

Key Protect instances that were provisioned before 15 December 2017 are running on a legacy infrastructure that is based on Cloud Foundry. This legacy Key Protect service will be decommissioned on 15 May 2019. If you have active production keys in an older Key Protect instance, ensure that you migrate the keys to a new instance by 15 May 2019 to avoid losing access to your encrypted data. You can check to see whether you're using a legacy instance by navigating to your resource list from the IBM Cloud console. If your Key Protect instance is listed in the Cloud Foundry Services section of the IBM Cloud resource list, or if you're using a bluemix.net API endpoint to target operations for the service, you're using a legacy instance of the Key Protect. After 15 May 2019, the legacy endpoint will no longer be accessible, and you won't be able to target the service for operations.

Need help with migrating your encryption keys into a new Key Protect instance? For detailed steps, check out the migration client in GitHub.

19 December 2018

Key Protect has updated endpoints:

To align with IBM Cloud's new unified experience, Key Protect has updated the base URLs for its service APIs. You can now update your applications to reference the new cloud.ibm.com endpoints.

• keyprotect.us-south.bluemix.net is now us-south.kms.cloud.ibm.com
• keyprotect.us-east.bluemix.net is now us-east.kms.cloud.ibm.com
• keyprotect.eu-gb.bluemix.net is now eu-gb.kms.cloud.ibm.com
• keyprotect.eu-de.bluemix.net is now eu-de.kms.cloud.ibm.com
• keyprotect.au-syd.bluemix.net is now au-syd.kms.cloud.ibm.com
• keyprotect.jp-tok.bluemix.net is now jp-tok.kms.cloud.ibm.com

Both URLs for each regional service endpoint are supported at this time.

31 October 2018

Key Protect adds new regional support

You can now create Key Protect resources in the Tokyo region. For more information, see Regions and locations.

02 October 2018

Announcing the new Key Protect CLI plug-in

You can now use the Key Protect CLI plug-in to manage keys in your Key Protect service instance. To learn how to install the plug-in, see Setting up the CLI. To find out more about the Key Protect CLI, check out the CLI reference doc.

28 September 2018

Key Protect adds new key rotation feature

You can now use the Key Protect to rotate your root keys on-demand. For more information, see Rotating keys.

14 September 2018

Key Protect adds new sample application

Looking for code samples to help you encrypt storage bucket content with your own encryption keys? You can now practice adding end to end security for your cloud application by following the new tutorial. For more information, see check out the sample app in GitHub.

10 September 2018

Key Protect adds new regional support

You can now create Key Protect resources in the Washington DC region. For more information, see Regions and locations.

28 August 2018

The Key Protect API Reference has moved

You can now access the API documentation at IBM Cloud API Docs for Key Protect.

21 March 2018

Key Protect adds new regional support

You can now create Key Protect resources in the Frankfurt region. For more information, see Regions and locations.

31 January 2018

Key Protect adds new regional support

You can now create Key Protect resources in the Sydney region. For more information, see Regions and locations.

15 December 2017

Key Protect now supports Bring Your Own Key (BYOK) and customer-managed encryption

Introducing root keys, also called Customer Root Keys (CRKs), as primary resources in the service. This enables envelope encryption for IBM Cloud Object Storage buckets. With this change, Key Protect is now available in the London region. For more information, see Regions and locations. Also, Cloud Identity and Access Management roles, which determine the actions that you can perform on Key Protect resources, have changed.

• Administrator is now Manager
• Editor is now Writer
• Viewer is now Reader

For more information, see Managing user access.

19 September 2017

Introducing Key Protect

IBM® Key Protect for IBM Cloud® is a full-service encryption solution that allows data to be secured and stored in IBM Cloud using the latest envelope encryption techniques that leverage FIPS 140-2 Level 3 certified cloud-based hardware security modules. You can use Cloud Identity and Access Management to set and manage access policies for your Key Protect resources. For more information, see Managing user access.