IBM Cloud Docs
Integrating services

Integrating services

IBM® Key Protect for IBM Cloud® integrates with a number of IBM Cloud services to enable encryption with customer-managed keys for those services. Encryption with customer-managed encryption keys is sometimes called Bring Your Own Key (BYOK).

Database service integrations

You can integrate Key Protect with the following database services.

Table 1. Supported database services.
Service Description Links
IBM Cloudant for IBM Cloud (IBM Cloud Dedicated) IBM Cloudant is a document-oriented database as a service (DBaaS). It stores data as documents in JSON format. View docs
IBM Cloud Databases for DataStax IBM Cloud Databases for DataStax, an enterprise-grade Apache Cassandra cloud solution with high performance, workload flexibility, and proven reliability. View docs
IBM Cloud Databases for Elasticsearch IBM Cloud Databases for Elasticsearch is a managed Elasticsearch service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. View docs
IBM Cloud Databases for EnterpriseDB IBM Cloud Databases for EnterpriseDB offers a single source for purchase, deployment and support of EDB Postgres Enterprise and Standard editions based on PostgreSQL. View docs
IBM Cloud Databases for etcd IBM Cloud Databases for etcd is a managed etcd service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. View docs
IBM Cloud Databases for MongoDB IBM Cloud Databases for MongoDB is a managed MongoDB service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. View docs
Databases for MySQL IBM Cloud Databases for MongoDB is a managed MySQL service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. View docs
IBM Cloud Databases for PostgreSQL IBM Cloud Databases for PostgreSQL is a managed PostgreSQL service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. View docs
IBM Cloud Databases for Redis IBM Cloud Databases for Redis is a managed service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. View docs
IBM Cloud Hyper Protect DBaaS for MongoDB Hyper Protect DBaaS for MongoDB offers fully managed and highly secure MongoDB databases with a high level of data confidentiality for your sensitive data. View docs
IBM Cloud Hyper Protect DBaaS for PostgreSQL Hyper Protect DBaaS for PostgreSQL offers fully managed and highly secure PostgreSQL databases with a high level of data confidentiality for your sensitive data. View docs
IBM Cloud Messages for RabbitMQ IBM Cloud Messages for RabbitMQ is a managed RabbitMQ service that is hosted in the IBM Cloud and integrated with other IBM Cloud services. View docs
IBM Db2 on Cloud IBM Db2 on Cloud is an SQL database that is provisioned for you in the cloud. You can use Db2 on Cloud just as you would use any database software, but without the time and expense of hardware setup or software installation and maintenance. View docs
Data Engine You can use the Data Engine service to run SQL queries (that is, SELECT statements) to analyze, transform, or clean up rectangular data. View docs

Storage service integrations

You can integrate Key Protect with the following storage services.

Table 2. Supported storage services.
Service Description Integration docs
Block Storage for VPC You can use Block Storage for VPC to provide hypervisor-mounted, high-performance data storage for virtual server instances in your VPC. View docs
IBM Cloud Object Storage You can use IBM Cloud Object Storage to store unstructured data in the IBM Cloud. View docs

Compute service integrations

You can integrate Key Protect with the following compute services.

Table 3. Supported compute services.
Service Description Integration docs
IBM Cloud image templates You can use IBM Cloud image templates to capture an image of a virtual server to quickly replicate its configuration with minimal changes in the order process. With the End to End (E2E) Encryption feature, you can bring your own encrypted, cloud-init enabled operating system image. View docs
KMIP for VMware KMIP for VMware works together with VMware native vSphere encryption and vSAN encryption to provide simplified storage encryption management together with the security and flexibility of Key Protect or Hyper Protect Crypto Services customer-managed keys. View docs
Virtual Servers for VPC You can use Virtual Servers for VPC to create an instance that consists of your virtual compute resources and resulting capacity within an IBM Cloud VPC. View docs
Power Virtual Server (Linux) You can protect Linux Unified Key Setup (LUKS) encryption keys from being compromised by using Key Protect. View docs
Power Virtual Server (AIX) You can protect Linux Unified Key Setup (LUKS) encryption keys from being compromised by using Key Protect. View docs
Discovery You can use Discovery to build cognitive, cloud-based exploration applications that analyze and provide new insights within your data. View docs
Language Translator You can use Language Translator to identify the language in text and convert it into other languages. View docs
Speech to Text You can use Speech to Text to create customizable speech recognition for optimal text transcription in your application. View docs
Text to Speech You can use Text to Speech's speech-synthesis capabilities to convert written text into natural-sounding speech. View docs
Tone Analyzer You can use Tone Analyzer to detect emotional and language tones in your written texts. View docs
Knowledge Studio You can use Knowledge Studio to understand the linguistic nuances, meaning, and relationships specific to your industry. View docs
Watson OpenScale You can use Watson OpenScale to automate and maintain the AI lifecycle in your business applications. View docs
IBM® watsonx™ Assistant You can use IBM® watsonx™ Assistant to to build your own branded live chatbot into any device, application, or channel. View docs
IBM Watson® Natural Language Understanding You can use IBM Watson® Natural Language Understanding to analyze semantic features of text input, including categories, concepts, emotion, entities, keywords, metadata, relations, semantic roles, and sentiment. View docs
IBM Watson® Personality Insights You can use IBM Watson® Personality Insights to analyze semantic features of text input, including categories, concepts, emotion, entities, keywords, metadata, relations, semantic roles, and sentiment. View docs

Container service integrations

You can integrate Key Protect with the following container services.

Table 4. Supported container services.
Service Description Integration docs
IBM Cloud Kubernetes Service You can use the IBM Cloud Kubernetes Service service to deploy highly available apps in Docker containers that run in Kubernetes clusters. View docs
Red Hat OpenShift on IBM Cloud You can use the Red Hat OpenShift on IBM Cloud service to deploy secure, highly available apps in OpenShift clusters. View docs

Ingestion service integrations

You can integrate Key Protect with the following integration services.

Table 5. Supported integration services.
Service Description Integration docs
IBM Cloud Monitoring The IBM Cloud Monitoring service is a container-intelligence management system. You can use it to gain operational visibility into the performance and health of your applications, services, and platforms. View docs
IBM Cloud Schematics The IBM Cloud Schematics service delivers Terraform-as-a-Service. You can use it to organize your IBM Cloud resources across environments by using workspaces. View docs
IBM® Event Streams for IBM Cloud® The Event Streams service is a high-throughput message bus built with Apache Kafka. You can use it for event ingestion into IBM Cloud and event stream distribution between your services and applications. View docs

Developer tools service integrations

You can integrate Key Protect with the following developer tools services.

Table 6. Supported developer tools services.
Service Description Integration docs
IBM Cloud Continuous Delivery The Continuous Delivery service provides a suite of tools that support DevOps best practices. You can use the service to manage toolchains, operate delivery pipelines, gain insights into code quality and vulnerabilities, integrate third party tools, and more. Creating a Continuous Delivery service instance Protecting your personal data when you use the Professional plan

Understanding your integration

When you integrate a supported service with Key Protect, you enable envelope encryption for that service. This integration allows you to use a root key that you store in Key Protect to wrap the data encryption keys that encrypt your data at rest.

For example, you can create a root key, manage the key in Key Protect, and use the root key to protect the data that is stored across different cloud services.

The diagram shows a contextual view of your Key Protect integration.
Figure 1. Contextual view of Key Protect integration.

Key Protect API methods

Behind the scenes, the Key Protect API drives the envelope encryption process.

The following table lists the API methods that add or remove envelope encryption on a resource.

Table 6. Describes the Key Protect API methods.
Method Description
POST /keys/{root_key_ID}/actions/wrap Wrap (encrypt) a data encryption key
POST /keys/{root_key_ID}/actions/unwrap Unwrap (decrypt) a data encryption key

To find out more about programmatically managing your keys in Key Protect, check out the Key Protect API reference doc.

Integrating a supported service

To add an integration, create an authorization between services by using the IBM Cloud® Identity and Access Management dashboard. Authorizations enable service to service access policies, so you can associate a resource in your cloud data service with a root key that you manage in Key Protect.

Be sure to provision both services in the same region before you create an authorization. To learn more about service authorizations, see Granting access between services.

When you're ready to integrate a service, use the following steps to create an authorization:

  1. From the menu bar, click Manage > Access (IAM), and select Authorizations.

  2. Click Create.

  3. Select a source and target service for the authorization.

    For Source service, select the cloud data service that you want to integrate with Key Protect

    For Target service, select IBM Key Protect.

  4. Enable the Reader role.

    With Reader permissions, your source service can browse the root keys that are provisioned in the specified instance of Key Protect.

  5. Click Authorize.

What's next

Add advanced encryption to your cloud resources by creating a root key in Key Protect.

Add a new resource to a supported cloud data service, and then select the root key that you want to use for advanced encryption.

  • To find out more about creating root keys with the Key Protect service, see Creating root keys.

  • To find out more about bringing your own root keys to the Key Protect service, see Importing root keys.