About Key Protect

IBM® Key Protect for IBM Cloud® is a full-service encryption solution that allows data to be secured and stored in IBM Cloud using the latest envelope encryption techniques that leverage FIPS 140-2 Level 3 certified cloud-based hardware security modules.

Sensitive data should not be stored with any cloud provider unencrypted (as plaintext, in other words). But as with any method of encryption, going back to the earliest known ciphertexts created thousands of years ago, it is important not only to encrypt information so that it cannot be decoded easily, but also to protect the keys used to encrypt and decrypt it (since having the key is as good as having the data).

The solution is a key management system like Key Protect, which keeps data secure by encrypting the data encryption keys (DEKs) that encrypt your plaintext data with root keys that are kept inside IBM's tamper-resistant HSMs. In this kind of system, known as "envelope encryption", decrypting the data means first "unwrapping" the encrypted DEK (opening its envelope, in other words) and then using the DEK to decrypt the data.

For more information about how envelope encryption works, check out Protecting data with envelope encryption.

Unsure which IBM Cloud security service is right for your use case? Check out Which data security service is best for me? for more information.

What Key Protect offers

  • Bring your encryption keys to the cloud: Fully control and strengthen your key management practices by securely exporting symmetric keys from your internal key management infrastructure into IBM Cloud.
  • Robust security: Provision and store keys using FIPS 140-2 Level 3 certified hardware security modules (HSMs). Leverage IBM Cloud Identity and Access Management (IAM) roles to provide fine-grained access control to your keys. For more information, check out Understanding your responsibilities with using Key Protect.
  • Control and visibility: Use the IBM Cloud Monitoring service and IBM Cloud Activity Tracker to measure how users and applications interact with Key Protect. For more information, check out Monitoring operational metrics and Activity Tracker events.
  • Simplified billing: Track subscription and credit spending for all accounts from a single view. To learn more about keys, key versions, and pricing, check out Pricing.
  • Self-managed encryption: Create or import root and standard keys to protect your data.
  • Flexibility: Apps on or outside IBM Cloud can integrate with the Key Protect APIs. Key Protect integrates easily with a variety of IBM database, storage, container, and ingestion services. For more information, check out Integrating services.
  • Built-in protection: Deleted keys, and their encrypted data, can never be recovered. Manage user roles and key states, and set a rotation schedule that works for your use case, by using the UI, CLI, or API.
  • Application-independent: Generate, store, retrieve and manage keys independent of application logic.
  • Create and manage keys inside a Satellite location: Key Protect on Satellite allows you to deploy Key Protect into infrastructure that you own and manage.

Reasons to use Key Protect

Here are a few common scenarios that explain how Key Protect can be used to solve issues faced by businesses operating at scale in production.

Table 1. Reasons to use Key Protect in various scenarios.

| Scenarios | Reasons |
| --- | --- |
| You need to create and manage encryption keys that are backed by FIPS 140-2 Level 3 validated hardware. | You can use Key Protect to generate and import encryption keys by using a multi-tenant service with shared hardware. |
| You need to be able to create and manage keys in a Satellite location. | You can use Key Protect to create and manage keys in either IBM Cloud or in Satellite. |
| As an IT admin for a large corporation, you need to integrate, track, and rotate encryption keys for many different service offerings. | The Key Protect interface simplifies the management of multiple encryption services. With the service, you can manage and sort encryption keys in one centralized location, or you can separate keys by project and house them in different IBM Cloud spaces. |
| As a developer, you want to integrate your pre-existing applications, such as self-encrypting storage, with Key Protect. | Apps on or outside IBM Cloud can integrate with the Key Protect APIs. You can use your own existing keys for your apps and import them into Key Protect. |
| Your development team has stringent policies, and you need a way to generate and rotate keys. | With Key Protect, you can rapidly generate keys from an IBM Cloud hardware security module (HSM). When it's time to replace a key, whether it was created using Key Protect or imported, you can rotate the key on demand or set a rotation policy for the key to meet your ongoing security needs. |
| You are a security admin in an industry, such as finance or legal, that must adhere to governance over how data is protected. You need to grant controlled access to keys without compromising the data that they secure. | With the service, you can control user access to manage keys by assigning different IAM roles. For example, you can grant read-only access to users who need to view key creation information without viewing the key material. Similarly, users can be assigned the "Manager" role over only a single key, if needed. |
| You want to perform envelope encryption as you move data into the cloud. You need to bring your own master encryption keys, so you can manage and protect other keys that encrypt your data at rest. | With Key Protect, you can wrap (encrypt) your data encryption keys with a highly secure root key and also unwrap that key when needed. You can bring your own root keys or create them in the service. |

Key Protect is a cloud-based key management system that provides the best of cost, security, and scale. If you are looking for a dedicated key management solution that supports customer-controlled, cloud-based HSMs, IBM Cloud Hyper Protect Crypto Services integrates with Key Protect to enable Keep Your Own Keys (KYOK) for IBM Cloud, so your organization has more control and authority over its data. Check out the Hyper Protect Crypto Services offering details page to learn more.

How Key Protect works

IBM Key Protect helps you manage encryption keys throughout your organization by aligning with IBM Cloud IAM roles.

An IT or security admin might need advanced permissions to your instance, keys, or key rings that other users, including auditors, might not. For this reason, Key Protect maps to established IAM roles to allow fine-grained access for each user as needed. For more information, check out Managing users and access.

The following diagram shows how the default IAM roles of manager, reader, and writer can interact with keys that are managed in the service.

Figure 1. Shows how different access roles interact with keys.

While a particular user can be assigned specific roles over specific resources (a user with a "Reader" role at the instance level might be a "Manager" of a particular key or key ring), in general:

  • Readers can access information about keys.
  • Writers can use keys with an application or service that is integrated with Key Protect.
  • Managers create keys and control their lifecycle (in addition to being able to do everything Readers and Writers can do).

Architecture overview

Key Protect uses the Advanced Encryption Standard algorithm in Galois/Counter Mode (AES-GCM) to wrap and unwrap DEKs. Customer root keys (CRKs) that are not imported are created with 256-bit key material. Imported CRKs can have 128-, 192-, or 256-bit key material.

The following architecture diagram shows how Key Protect components work to protect your sensitive data and keys.

Figure 2. Key Protect architecture

Access to the Key Protect service takes place over HTTPS. All communication uses the Transport Layer Security (TLS) protocol to encrypt data in transit. For more information about TLS and the ciphers supported by Key Protect, check out Data encryption.

Table 2. Key Protect service components

| Components | Description |
| --- | --- |
| Key Protect REST API | The Key Protect REST API drives encryption key creation and management across IBM Cloud services. |
| IBM-managed hardware security module | IBM Cloud data centers provide the hardware to protect your keys. Hardware security modules (HSMs) are tamper-resistant hardware devices that store and use cryptographic key material without exposing keys outside of a cryptographic boundary. All cryptographic operations, such as key creation and key rotation, are performed within the HSM. IBM periodically rotates the HSM's master keys, providing an extra layer of security. |
| Customer-managed encryption keys | Root keys are symmetric keys that protect data encryption keys with envelope encryption. Root keys never leave the boundary of the HSM. |
| Dedicated key storage | Key metadata is stored in highly durable, dedicated storage for Key Protect that is encrypted at rest with additional application layer encryption. |
| Fine-grained access control | Key Protect leverages IBM Cloud IAM roles to ensure that users can be assigned appropriate access at the instance, key, and key ring level. |