IBM Cloud Docs

Integrating services

IBM® Key Protect for IBM Cloud® integrates with a number of IBM Cloud services to enable encryption with customer-managed keys for those services. Encryption with customer-managed encryption keys is sometimes called Bring Your Own Key (BYOK).

Database service integrations

You can integrate Key Protect with the following database services.

Table 1. Supported database services.
Service | Description | Links
IBM Cloudant for IBM Cloud (IBM Cloud Dedicated) | IBM Cloudant is a document-oriented database as a service (DBaaS). It stores data as documents in JSON format. | View docs
IBM Cloud Databases for Elasticsearch | IBM Cloud Databases for Elasticsearch is a managed Elasticsearch service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. | View docs
IBM Cloud Databases for EnterpriseDB | IBM Cloud Databases for EnterpriseDB offers a single source for purchase, deployment and support of EDB Postgres Enterprise and Standard editions based on PostgreSQL. | View docs
IBM Cloud Databases for etcd | IBM Cloud Databases for etcd is a managed etcd service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. | View docs
IBM Cloud Databases for MongoDB | IBM Cloud Databases for MongoDB is a managed MongoDB service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. | View docs
Databases for MySQL | IBM Cloud Databases for MySQL is a managed MySQL service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. | View docs
IBM Cloud Databases for PostgreSQL | IBM Cloud Databases for PostgreSQL is a managed PostgreSQL service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. | View docs
IBM Cloud Databases for Redis | IBM Cloud Databases for Redis is a managed service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. | View docs
IBM Cloud Messages for RabbitMQ | IBM Cloud Messages for RabbitMQ is a managed RabbitMQ service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. | View docs
IBM Db2 on Cloud | IBM Db2 on Cloud is an SQL database that is provisioned for you in the cloud. You can use Db2 on Cloud just as you would use any database software, but without the time and expense of hardware setup or software installation and maintenance. | View docs
Data Engine | You can use the Data Engine service to run SQL queries (that is, SELECT statements) to analyze, transform, or clean up rectangular data. | View docs

Storage service integrations

You can integrate Key Protect with the following storage services.

Table 2. Supported storage services.
Service | Description | Integration docs
Block Storage for VPC | You can use Block Storage for VPC to provide hypervisor-mounted, high-performance data storage for virtual server instances in your VPC. | View docs
IBM Cloud Object Storage | You can use IBM Cloud Object Storage to store unstructured data in the IBM Cloud. | View docs

Compute service integrations

You can integrate Key Protect with the following compute services.

Table 3. Supported compute services.
Service | Description | Integration docs
IBM Cloud image templates | You can use IBM Cloud image templates to capture an image of a virtual server to quickly replicate its configuration with minimal changes in the order process. With the End to End (E2E) Encryption feature, you can bring your own encrypted, cloud-init enabled operating system image. | View docs
KMIP for VMware | KMIP for VMware works together with VMware native vSphere encryption and vSAN encryption to provide simplified storage encryption management together with the security and flexibility of Key Protect or Hyper Protect Crypto Services customer-managed keys. | View docs
Virtual Servers for VPC | You can use Virtual Servers for VPC to create an instance that consists of your virtual compute resources and resulting capacity within an IBM Cloud VPC. | View docs
Power Virtual Server (Linux) | You can protect Linux Unified Key Setup (LUKS) encryption keys from being compromised by using Key Protect. | View docs
Power Virtual Server (AIX) | You can protect Linux Unified Key Setup (LUKS) encryption keys from being compromised by using Key Protect. | View docs
Discovery | You can use Discovery to build cognitive, cloud-based exploration applications that analyze and provide new insights within your data. | View docs
Speech to Text | You can use Speech to Text to create customizable speech recognition for optimal text transcription in your application. | View docs
Text to Speech | You can use Text to Speech's speech-synthesis capabilities to convert written text into natural-sounding speech. | View docs
Watson OpenScale | You can use Watson OpenScale to automate and maintain the AI lifecycle in your business applications. | View docs
IBM® watsonx™ Assistant | You can use IBM® watsonx™ Assistant to build your own branded live chatbot into any device, application, or channel. | View docs
IBM Watson® Natural Language Understanding | You can use IBM Watson® Natural Language Understanding to analyze semantic features of text input, including categories, concepts, emotion, entities, keywords, metadata, relations, semantic roles, and sentiment. | View docs
IBM Watson® Personality Insights | You can use IBM Watson® Personality Insights to analyze semantic features of text input, including categories, concepts, emotion, entities, keywords, metadata, relations, semantic roles, and sentiment. | View docs

Container service integrations

You can integrate Key Protect with the following container services.

Table 4. Supported container services.
Service | Description | Integration docs
IBM Cloud Kubernetes Service | You can use the IBM Cloud Kubernetes Service to deploy highly available apps in Docker containers that run in Kubernetes clusters. | View docs
Red Hat OpenShift on IBM Cloud | You can use the Red Hat OpenShift on IBM Cloud service to deploy secure, highly available apps in OpenShift clusters. | View docs

Ingestion service integrations

You can integrate Key Protect with the following integration services.

Table 5. Supported integration services.
Service | Description | Integration docs
IBM Cloud Monitoring | The IBM Cloud Monitoring service is a container-intelligence management system. You can use it to gain operational visibility into the performance and health of your applications, services, and platforms. | View docs
IBM Cloud Schematics | The IBM Cloud Schematics service delivers Terraform-as-a-Service. You can use it to organize your IBM Cloud resources across environments by using workspaces. | View docs
IBM® Event Streams for IBM Cloud® | The Event Streams service is a high-throughput message bus built with Apache Kafka. You can use it for event ingestion into IBM Cloud and event stream distribution between your services and applications. | View docs

Developer tools service integrations

You can integrate Key Protect with the following developer tools services.

Table 6. Supported developer tools services.
Service | Description | Integration docs
IBM Cloud Continuous Delivery | The Continuous Delivery service provides a suite of tools that support DevOps best practices. You can use the service to manage toolchains, operate delivery pipelines, gain insights into code quality and vulnerabilities, integrate third party tools, and more. | Creating a Continuous Delivery service instance; Protecting your personal data when you use the Professional plan

Understanding your integration

When you integrate a supported service with Key Protect, you enable envelope encryption for that service. This integration allows you to use a root key that you store in Key Protect to wrap the data encryption keys that encrypt your data at rest.

For example, you can create a root key, manage the key in Key Protect, and use the root key to protect the data that is stored across different cloud services.

The diagram shows a contextual view of your Key Protect integration.
Figure 1. Contextual view of Key Protect integration.

Key Protect API methods

Behind the scenes, the Key Protect API drives the envelope encryption process.

The following table lists the API methods that add or remove envelope encryption on a resource.

Table 7. Key Protect API methods for envelope encryption.
Method | Description
POST /keys/{root_key_ID}/actions/wrap | Wrap (encrypt) a data encryption key
POST /keys/{root_key_ID}/actions/unwrap | Unwrap (decrypt) a data encryption key

To find out more about programmatically managing your keys in Key Protect, check out the Key Protect API reference doc.

Integrating a supported service

To add an integration, create an authorization between services by using the IBM Cloud® Identity and Access Management dashboard. Authorizations enable service-to-service access policies, so you can associate a resource in your cloud data service with a root key that you manage in Key Protect.

Be sure to provision both services in the same region before you create an authorization. To learn more about service authorizations, see Granting access between services.

When you're ready to integrate a service, use the following steps to create an authorization:

  1. From the menu bar, click Manage > Access (IAM), and select Authorizations.

  2. Click Create.

  3. Select a source and target service for the authorization.

    For Source service, select the cloud data service that you want to integrate with Key Protect.

    For Target service, select IBM Key Protect.

  4. Enable the Reader role.

    With Reader permissions, your source service can browse the root keys that are provisioned in the specified instance of Key Protect.

  5. Click Authorize.

What's next

Add advanced encryption to your cloud resources by creating a root key in Key Protect.

Add a new resource to a supported cloud data service, and then select the root key that you want to use for advanced encryption.

  • To find out more about creating root keys with the Key Protect service, see Creating root keys.

  • To find out more about bringing your own root keys to the Key Protect service, see Importing root keys.