Understanding data portability for Key Protect
Data portability involves a set of tools and procedures that enable customers to export the digital artifacts that are needed to implement similar workload and data processing on different service providers or on-premises software. It includes procedures for copying and storing the service customer content, including the related configuration that is used by the service to store and process the data, on the customer’s own location.
As a general rule, it is not possible to export a Key Protect key or the key material of a key that Key Protect generated. A root key's plaintext material never leaves Key Protect's FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs), so what you can take with you is the data that a root key protects, not the root key itself. For the procedure for each key type, check out Data export procedures by key type.
If you created a root key by importing your own key material, keep a copy of that material in a secure location outside Key Protect, because Key Protect cannot return it to you. Protect the copy as carefully as you would the root key itself (for example, in an offline or separately encrypted store), because anyone who holds it can unwrap every DEK that the root key has wrapped.
Responsibilities
IBM Cloud services provide interfaces and instructions that guide the customer through copying and storing the service customer content, including the related configuration, in a location of their choosing.
Users are responsible for the use of the exported data and configuration for data portability to other infrastructures, which includes:
- The planning and execution for setting up alternative infrastructure on different cloud providers or on-premises software that provide similar capabilities to the IBM services.
- The planning and execution for the porting of the required application code on the alternative infrastructure, including the adaptation of customer’s application code, deployment automation, and so on.
- The conversion of the exported data and configuration to the format that’s required by the alternative infrastructure and adapted applications.
For more information about your responsibilities for Key Protect, check out Understanding your responsibilities with using Key Protect.
Data export procedures by key type
For more information about the two types of keys, check out Key types.
Root keys
Root keys are used to wrap the data encryption key (DEK) used to encrypt your data at rest. Once a root key's plaintext material is generated or imported, it cannot be exported from the Key Protect managed hardware security module (HSM).
To keep your data portable, use Key Protect to wrap the data encryption key (DEK) that encrypts your sensitive data, as described in the Wrapping keys with envelope encryption guide. If you later want to stop using Key Protect to protect that DEK, unwrap the DEK's ciphertext with the root key to recover the plaintext DEK that was used to encrypt your data, then place that DEK under the key management of your alternative infrastructure (for example, by wrapping it with a root key there). The encrypted data itself does not need to be re-encrypted. Do this while the root key still exists and can be used for unwrap: once the root key is deleted, the wrapped DEK, and with it every object that the DEK encrypts, can no longer be recovered.
Do not wrap sensitive data directly with a root key. The wrap operation is meant for key material, and data wrapped that way can only be decrypted by that root key inside Key Protect, so it cannot be moved to another provider without first being unwrapped and re-encrypted there.
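The envelope-encryption portability flow described above, as an added example that is not part of the Key Protect documentation or SDKs. It runs offline: a SimulatedKms class stands in for Key Protect (root key material never leaves it, callers only get an ID plus wrap and unwrap, and deleting a root key is final), and an HMAC-SHA256 encrypt-then-MAC stream cipher stands in for the AES used in practice. The class, the function names and the sample record are all assumptions made for this example. It shows the DEK being unwrapped and re-wrapped under a second KMS without re-encrypting the data, and that the same step fails once the original root key is gone.

```python
# Added example, not Key Protect's own code. SimulatedKms stands in for Key
# Protect; the HMAC-SHA256 stream cipher stands in for AES (both assumptions).
import hashlib
import hmac
import secrets


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; the "enc" label separates it from the MAC key.
    blocks = (length + 31) // 32
    return b"".join(_prf(_prf(key, b"enc"), nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || (plaintext XOR keystream) || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_prf(_prf(key, b"mac"), nonce + ct), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class SimulatedKms:
    """Stand-in for Key Protect: root key bytes never leave this object; callers
    get only an ID plus wrap/unwrap, and a deleted root key is gone."""

    def __init__(self):
        self._root_keys = {}

    def create_root_key(self) -> str:
        key_id = secrets.token_hex(8)
        self._root_keys[key_id] = secrets.token_bytes(32)
        return key_id  # only the ID ever leaves the service

    def _root_key(self, key_id: str) -> bytes:
        if key_id not in self._root_keys:
            raise KeyError(f"root key {key_id} is deleted or unknown")
        return self._root_keys[key_id]

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        return encrypt(self._root_key(key_id), dek)

    def unwrap(self, key_id: str, wrapped_dek: bytes) -> bytes:
        return decrypt(self._root_key(key_id), wrapped_dek)

    def delete_root_key(self, key_id: str) -> None:
        del self._root_keys[key_id]


def protect(kms: SimulatedKms, root_id: str, data: bytes) -> dict:
    """Envelope encryption: a fresh DEK encrypts the data, the root key wraps the DEK."""
    dek = secrets.token_bytes(32)
    return {"wrapped_dek": kms.wrap(root_id, dek), "ciphertext": encrypt(dek, data)}


def port_envelope(src: SimulatedKms, src_root: str, dst: SimulatedKms, dst_root: str, env: dict) -> dict:
    """Move to another KMS: unwrap with the old root key (which must still exist),
    re-wrap with the new one. The data ciphertext itself is not touched."""
    dek = src.unwrap(src_root, env["wrapped_dek"])
    return {"wrapped_dek": dst.wrap(dst_root, dek), "ciphertext": env["ciphertext"]}


def open_envelope(kms: SimulatedKms, root_id: str, env: dict) -> bytes:
    return decrypt(kms.unwrap(root_id, env["wrapped_dek"]), env["ciphertext"])


def demo() -> dict:
    record = b"account=4711;balance=1250.00"  # constructed sample data
    key_protect = SimulatedKms()
    root = key_protect.create_root_key()
    env = protect(key_protect, root, record)

    # Port while the Key Protect root key still exists, then retire it.
    alt_kms = SimulatedKms()
    alt_root = alt_kms.create_root_key()
    ported = port_envelope(key_protect, root, alt_kms, alt_root, env)
    key_protect.delete_root_key(root)
    try:
        open_envelope(key_protect, root, env)
        old_recoverable = True
    except KeyError:  # the un-ported envelope is now unrecoverable
        old_recoverable = False
    return {
        "ported_plaintext": open_envelope(alt_kms, alt_root, ported),
        "ciphertext_unchanged": ported["ciphertext"] == env["ciphertext"],
        "old_envelope_recoverable": old_recoverable,
    }
```

The order in demo() is the point: the envelope is re-wrapped under the alternative KMS before the Key Protect root key is deleted, and the only artifact that changes is the wrapped DEK. Note that port_envelope holds the plaintext DEK in memory for the duration of the move, so run it on a host you trust as much as the key itself.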
Standard keys
You can store encrypted DEK material in Key Protect as a standard key, either by generating a standard key or by importing your encrypted DEK material as a standard key. To export this material, retrieve the standard key (in the REST API, GET /api/v2/keys/{id}) and read the payload value in the response. The payload is base64 encoded, so decode it before using it elsewhere. Two points to keep in mind: retrieving a standard key returns its material to the caller in the clear, so limit who is allowed to read it; and if the payload is a DEK that was wrapped by a root key, it still has to be unwrapped, as described under Root keys, before it can be used outside Key Protect.