Integrating with IBM Cloud Object Storage

IBM® Key Protect for IBM Cloud® and IBM Cloud® Object Storage work together to help you own the security of your at rest data. Learn how to add advanced encryption to your IBM Cloud® Object Storage resources by using the IBM Key Protect service.

About IBM Cloud Object Storage

IBM Cloud Object Storage provides cloud storage for unstructured data. Unstructured data refers to files, audio/visual media, PDFs, compressed data archives, backup images, application artifacts, business documents, or any other binary object.

To maintain data integrity and availability, IBM Cloud Object Storage slices and disperses data to storage nodes across multiple geographic locations. No complete copy of the data resides in any single storage node, and only a subset of the nodes needs to be available for you to retrieve the data in full.

The service encrypts your data on the provider side, so it is protected at rest and in flight. To manage storage, you create buckets and import objects with the IBM Cloud console, or programmatically by using the IBM Cloud Object Storage REST API.

For more information, see About COS.

How the integration works

Key Protect integrates with IBM Cloud Object Storage to help you achieve full control of the security of your data.

As you move data into your instance of IBM Cloud Object Storage, the service automatically encrypts your objects with data encryption keys (DEKs).

Within IBM Cloud Object Storage, DEKs are stored in the service securely, near the resources that they encrypt. When you need to access a bucket, the service checks your user permissions and decrypts the objects within the bucket for you. This encryption model is called provider-managed encryption.

To enable the security benefits of customer-managed encryption, you can add envelope encryption to your DEKs in IBM Cloud Object Storage by integrating with the Key Protect service. With Key Protect, you provision highly secure root keys, which serve as master keys that you control in the service.

When you create a bucket in IBM Cloud Object Storage, you can configure envelope encryption for the bucket at its creation. This added protection wraps (or encrypts) the DEKs associated with the bucket by using a root key that you manage in Key Protect.

This practice, called key wrapping, uses multiple AES algorithms to protect both the confidentiality and the integrity of your DEKs, so only you control access to the data that they encrypt.
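The wrap and unwrap flow described above, as an added example that is not part of the IBM documentation or of the Key Protect and Cloud Object Storage services: a per-object DEK encrypts the data, and a root key (which in the real service never leaves Key Protect) encrypts only the DEK. The wrapping primitive here is AES-256-GCM with the bucket name as associated data; the page says only that Key Protect uses AES algorithms, so the exact wrap construction, the `rootKey` type and the `PutObject`/`GetObject` names are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// rootKey stands in for a Key Protect root key (assumed type): it is used
// only to wrap and unwrap DEKs, never to encrypt object data directly.
type rootKey struct{ material []byte }

// NewRootKey creates a random 256-bit root key.
func NewRootKey() (rootKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return rootKey{}, err
	}
	return rootKey{material: k}, nil
}

// aeadFor builds an AES-256-GCM cipher from raw key material.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, which is
// prepended to the ciphertext so open can recover it.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; a wrong key, wrong aad or tampered data returns an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// WrapDEK models the wrap operation: the DEK is encrypted under the root key
// and bound to the bucket name, so a wrapped DEK cannot be moved between buckets.
func (r rootKey) WrapDEK(dek []byte, bucket string) ([]byte, error) {
	return seal(r.material, dek, []byte(bucket))
}

// UnwrapDEK models the unwrap operation.
func (r rootKey) UnwrapDEK(wrapped []byte, bucket string) ([]byte, error) {
	return open(r.material, wrapped, []byte(bucket))
}

// EncryptedObject is what the storage service keeps: the sealed object and
// the wrapped DEK beside it, never the plaintext DEK.
type EncryptedObject struct {
	Bucket     string
	Ciphertext []byte
	WrappedDEK []byte
}

// PutObject performs envelope encryption: a fresh DEK protects the data and
// the root key protects the DEK.
func PutObject(root rootKey, bucket string, data []byte) (EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedObject{}, err
	}
	ct, err := seal(dek, data, nil)
	if err != nil {
		return EncryptedObject{}, err
	}
	wrapped, err := root.WrapDEK(dek, bucket)
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{Bucket: bucket, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// GetObject unwraps the DEK with the root key, then decrypts the data. Without
// the right root key the unwrap fails and the object stays unreadable.
func GetObject(root rootKey, obj EncryptedObject) ([]byte, error) {
	dek, err := root.UnwrapDEK(obj.WrappedDEK, obj.Bucket)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, nil)
}

func main() {
	root, _ := NewRootKey()
	// Constructed sample object, not real bucket data.
	obj, _ := PutObject(root, "sample-bucket", []byte("constructed sample object"))
	pt, _ := GetObject(root, obj)
	fmt.Println("round trip:", string(pt))
	other, _ := NewRootKey()
	_, err := GetObject(other, obj)
	fmt.Println("with a different root key:", err)
}
```

The point to notice is that the root key only ever sees 32 bytes of DEK, so the object data never needs to transit the key service, and that access to every object in the bucket hinges on the root key still being available to unwrap.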

Figure 1 shows how Key Protect integrates with IBM Cloud Object Storage to further secure your encryption keys.

Figure 1. Contextual view of envelope encryption.

To learn more about how envelope encryption works in Key Protect, see Protecting data with envelope encryption.

Adding envelope encryption to your storage buckets

After you designate a root key in Key Protect and grant access between your services, you can enable envelope encryption for a specified storage bucket by using the IBM Cloud Object Storage GUI.

To enable advanced configuration options for your storage bucket, ensure that an authorization exists between your IBM Cloud Object Storage and Key Protect instances.

To add envelope encryption to your storage bucket:

  1. From your IBM Cloud Object Storage dashboard, click Create bucket.

  2. Specify the bucket's details.

  3. In the Advanced Configuration section, select Add Key Protect Keys.

  4. From the list of Key Protect service instances, select the instance that contains the root key that you want to use for key wrapping.

  5. For Key Name, select the alias of the root key.

  6. Click Create to confirm the bucket creation.

From the IBM Cloud Object Storage GUI, you can browse the buckets that are protected by a Key Protect root key.

What's next

  • For more information about associating your storage buckets with Key Protect keys, see Manage encryption.