IBM Cloud Docs
Deploying the Key Protect console to Satellite

Deploying the Key Protect console to Satellite

After you have successfully deployed your Satellite location, you can initiate a creation request for IBM® Key Protect for IBM Cloud® on Satellite, followed by creating a service ticket to complete the installation.

To ensure that Key Protect is installed in your Satellite location correctly, your configuration parameters, including your Hardware Security Module (HSM) information, are shared out-of-band during your interaction with your service representative.

Note that when you click Create on the catalog page, you initiate a creation request. This request must be followed by an interaction with a service representative (if you have not already initiated this interaction). If you do not contact a service representative, your creation request cannot succeed. While you can intitiate a creation request without first having configured your HSMs, you cannot initiate the request without first having created a Satellite location. The best practice, however, is to begin your interaction with IBM well in advance of your attempt to initiate a creation request.

While the IBM Console is used to create the Key Protect service on Satellite, the console itself cannot currently be used to access the Key Protect APIs that are used to create keys or perform other key actions (such as rotating keys, deleting keys, editing keys, and so on). Those key actions must be performed through direct calls to the Key Protect APIs or by using the CLI.

Before you begin

Before Key Protect on Satellite can be successfully deployed, you must have created a Satellite location and have both deployed and correctly configured at least two HSMs. You must also have gathered the information about the HSM that Satellite must consume and have deployed the IBM Cloud Databases service in your Satellite location.

For the smoothest interaction with your service representative, the best practice is to gather these configuration variables before initiating a creation request for Key Protect on Satellite.

  • HSM IP address: The IP address of your HSM. This is needed in order to connect to the worker nodes that you assigned to Key Protect.
  • HSM server certificate: The NTLS communications used by the Thales HSM requires certificate exchanges between the HSM and Key Protect. You must create a TLS certificate in your HSM and provide the certificate Key Protect will use to verify communications from the HSM.
  • Partition label: The name of the partition that you created for Key Protect to use.
  • Partition crypto officer password: The credential Key Protect needs to login to the relevant partition on the HSM to perform key operations.
  • Master key label: Key Protect uses a Master Key Encryption Key in your partition. A label or name is assigned to this key and is used by Key Protect in PKCS#11 API to refer to the master key.
  • Signing key label: A label or name for a key in a partition, which is used for data authentication such as data signing and verification.
  • Import key label: Key Protect supports importing Bring Your Own Key (BYOK) by a DES3 encryption Key. A label or name is assigned to this key.
  • Secure import key label prefix (TKEK): Key Protect supports a secure mechanism to Bring Your Own Key (BYOK) into an HSM. The prefix used by the HSM for these keys must be known to Key Protect.
  • Activity Tracker ingestions key: To receive audit logs, you must create an IBM Cloud Activity Tracker instance and an ingestion key.

There are two additional credentials you must share before your service can be deployed, the HSM client cert and the HSM client key, but these are not shared as part of deploying the UI itself. These credentials enable NTLS communications used by the Thales HSM for exchanges between the HSM and Key Protect running on your worker node. You must create and register with the HSM a TLS certificate for the worker node (client) that will connect to the HSM and provide the client certificate and key that Key Protect uses to communicate with the HSM. The exact instructions to share these credentials are communicated as part of your conversations with your service representative.

Initiating a Key Protect on Satellite creation request

To provision the Key Protect service, complete the following steps:

  1. Log in to your IBM Cloud account.

  2. Click Catalog to view the list of services that are available on IBM Cloud.

  3. Search for "Key Protect" in the Search the catalog... field and click Key Protect.

  4. On the Key Protect catalog page, select Satellite.

  5. Note the Before you begin checklist and confirm you have completed the required steps.

  6. Select the Key quota you want assigned to this location. This number represents the maximum number of keys which can be created in this location. This number can be changed later by opening a service ticket. Note that the quota can only be set in groups of 100 keys. For more information, check out Pricing for Key Protect on Satellite.

  7. In the Configure your resource section:

    • Give the service a Name. While not necessary, it is a best practice to choose a name relevant to the usage you plan for the service.
    • Select a Resource group. By default the Default resource group will be chosen.
    • (Optional) Give the service a Tag (for example, test) or an Access management tag, which can help categorize the service.

  8. Configure the HSMs the service will connect to. Note that you must configure two HSMs. To configure these HSMs, provide the HSM information you should have gathered before you begin.

  9. After you have checked and double checked your HSM configuration information, click Create to provision Key Protect. Note that the process of creating the database for the service can take more than an hour.

Using the Key Protect service

Now that Key Protect on Satellite has been successfully deployed, you're ready to use Key Protect to encrypt your data at rest, which you can do using the the Key Protect endpoint through the APIs.

  • For information about how envelope encryption works, check out Protecting data with envelope encryption.

  • To learn how to create root keys, check out Creating root keys.

  • If you added a root key to the service, learn more about using the root key to protect the keys that encrypt your data at rest by checking out Wrapping keys.

  • To find out more about authorizing other cloud services to integrate with Key Protect, check out the Integrations documentation.

  • To find out more about programmatically managing your keys, check out the Key Protect API reference documentation.