Customer-managed encryption key configuration guide
This document provides instructions for configuring customer-managed encryption keys using IBM Key Protect for IBM OpenPages application provisioning.
Prerequisites: Information required from IBM OpenPages
Before starting the configuration, contact your IBM OpenPages representative to obtain the following values:
| Item | Description | Placeholder |
|---|---|---|
| IBM service ID | IBM Cloud service identifier | <IBM_SERVICE_ID> |
| IBM account ID | IBM Cloud account ID | <IBM_ACCOUNT_ID> |
Architecture overview
The custom encryption key implementation uses:
- IBM Key Protect: Customer-managed encryption key service
- Trusted profile: an IAM identity in your account that the IBM-provided service ID is trusted to assume, so IBM OpenPages can use your key without any credential being shared between the two accounts
- Service-to-service authorization: Controlled access for IBM Cloud services (IBM Db2 SaaS, IBM Cloud Object Storage)
Section A: Customer-side configuration
Step 1: Create IBM Key Protect service instance
Create an IBM Key Protect service instance from the IBM Cloud catalog. The Key Protect instance (and therefore the key) may be in a different region from the one where your IBM OpenPages application will be provisioned.
Step 2: Create encryption key
Create a root key in your IBM Key Protect instance and capture the key CRN for provisioning.
Key CRN Format:
crn:v1:bluemix:public:kms:<REGION>:a/<YOUR_ACCOUNT_ID>:<KEY_PROTECT_INSTANCE_ID>:key:<KEY_ID>
Step 3: Create trusted profile
Create a trusted profile in Cloud Identity and Access Management → Trusted profiles to establish secure access between your account and IBM OpenPages services.
Configure the following:
- Establish trust with the service ID <IBM_SERVICE_ID> (provided by IBM)
- Assign an access policy for the IBM Key Protect service with the Reader and ReaderPlus roles, scoped to your encryption key only (not to the whole Key Protect instance)
Capture the profile ID for provisioning.
Profile ID Format:
Profile-<UUID>
Section B: Information required for IBM OpenPages application provisioning
After completing the configuration, provide the following information when provisioning your IBM OpenPages application:
Required fields in provisioning catalog
| Field name | Description | Format |
|---|---|---|
| IBM Key Protect CRN | Specify your encryption key CRN to encrypt all data at rest using your own customer-managed key | crn:v1:bluemix:public:kms:<REGION>:a/<YOUR_ACCOUNT_ID>:<INSTANCE_ID>:key:<KEY_ID> |
| Cloud Identity and Access Management trusted profile ID | Trusted profile ID that grants access to your encryption key | Profile-<UUID> |
Example values
IBM Key Protect CRN:
crn:v1:bluemix:public:kms:us-south:a/1234567890abcdef:a1b2c3d4-e5f6-7890-abcd-ef1234567890:key:9876543210fedcba
Cloud Identity and Access Management trusted profile ID:
Profile-1fd96a98-ffc2-4e11-92ab-fa1de563e19d
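The following pre-provisioning check is an added example written for this page; it is not part of IBM's documentation and not code from the OpenPages service. It parses the key CRN and profile ID into their segments, rejects values that are not key-scoped Key Protect CRNs (an instance CRN or a CRN for another service would be silently wrong in the catalog form), and compares an IAM access policy with the CRN to confirm the trusted profile gets only Reader and ReaderPlus on that one key. The sample CRN, profile ID and policies are constructed from the placeholders in this guide; the policy dict shape (IAM Policy Management v1) and the `iam-` prefix on the profile's IAM ID are assumptions of the example.

```python
import re

# Constructed sample values: the placeholders shown in this guide, not real resources.
SAMPLE_KEY_CRN = ("crn:v1:bluemix:public:kms:us-south:a/1234567890abcdef:"
                  "a1b2c3d4-e5f6-7890-abcd-ef1234567890:key:9876543210fedcba")
SAMPLE_PROFILE_ID = "Profile-1fd96a98-ffc2-4e11-92ab-fa1de563e19d"

UUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
PROFILE_RE = re.compile(rf"^Profile-{UUID_RE}$")
# The roles this guide tells you to grant on the key; anything more is over-privileged.
REQUIRED_ROLES = {"Reader", "ReaderPlus"}


def parse_key_crn(crn: str) -> dict:
    """Split a Key Protect key CRN into its segments, rejecting anything that is not a
    key-scoped CRN in a kms instance (an instance CRN, or a key in another service)."""
    parts = crn.strip().split(":")
    if len(parts) != 10:
        raise ValueError(f"expected 10 colon-separated segments, got {len(parts)}")
    prefix, version, cname, ctype, service, region, scope, instance, rtype, resource = parts
    if (prefix, version, cname, ctype) != ("crn", "v1", "bluemix", "public"):
        raise ValueError("CRN must begin with crn:v1:bluemix:public")
    if service != "kms":
        raise ValueError(f"service segment is {service!r}, expected 'kms' (Key Protect)")
    if not region:
        raise ValueError("region segment is empty")
    if not scope.startswith("a/") or len(scope) < 3:
        raise ValueError("scope segment must be a/<account id>")
    if not re.fullmatch(UUID_RE, instance):
        raise ValueError("instance segment is not a Key Protect instance GUID")
    if rtype != "key" or not resource:
        raise ValueError("CRN must end in key:<key id>; an instance CRN is not sufficient")
    return {"region": region, "account_id": scope[2:], "instance_id": instance, "key_id": resource}


def is_valid_key_crn(crn: str) -> bool:
    try:
        parse_key_crn(crn)
        return True
    except ValueError:
        return False


def parse_profile_id(profile_id: str) -> str:
    profile_id = profile_id.strip()
    if not PROFILE_RE.match(profile_id):
        raise ValueError("trusted profile ID must have the form Profile-<UUID>")
    return profile_id


def policy_findings(policy: dict, key_crn: str) -> list:
    """Compare an IAM access policy with the key CRN you will hand to IBM OpenPages and
    return least-privilege findings (an empty list means the policy matches the guide).
    The policy dict follows the IAM Policy Management v1 shape (assumption of this example)."""
    key = parse_key_crn(key_crn)
    findings = []
    roles = {r["role_id"].rsplit(":", 1)[-1] for r in policy.get("roles", [])}
    if roles - REQUIRED_ROLES:
        findings.append(f"roles beyond Reader/ReaderPlus granted: {sorted(roles - REQUIRED_ROLES)}")
    if REQUIRED_ROLES - roles:
        findings.append(f"roles required by the guide are missing: {sorted(REQUIRED_ROLES - roles)}")
    expected = {"accountId": key["account_id"], "serviceName": "kms",
                "serviceInstance": key["instance_id"], "resourceType": "key", "resource": key["key_id"]}
    for res in policy.get("resources", []):
        attrs = {a["name"]: a["value"] for a in res.get("attributes", [])}
        for name, value in expected.items():
            if attrs.get(name) != value:
                findings.append(f"resource attribute {name}={attrs.get(name)!r}, expected {value!r}")
    return findings


def sample_policy(roles, resource_attributes) -> dict:
    """Build a constructed policy in the v1 shape; the 'iam-' prefix on the profile ID is an assumption."""
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": "iam-" + SAMPLE_PROFILE_ID}]}],
        "roles": [{"role_id": f"crn:v1:bluemix:public:iam::::serviceRole:{r}"} for r in roles],
        "resources": [{"attributes": [{"name": k, "value": v} for k, v in resource_attributes.items()]}],
    }


_key = parse_key_crn(SAMPLE_KEY_CRN)
# Scoped to the single key with exactly the two roles the guide asks for.
GOOD_POLICY = sample_policy(["Reader", "ReaderPlus"],
                            {"accountId": _key["account_id"], "serviceName": "kms",
                             "serviceInstance": _key["instance_id"], "resourceType": "key",
                             "resource": _key["key_id"]})
# Common mistake: Manager on the whole instance, which also lets the grantee rotate or delete keys.
BROAD_POLICY = sample_policy(["Manager"],
                             {"accountId": _key["account_id"], "serviceName": "kms",
                              "serviceInstance": _key["instance_id"]})
```

Run `policy_findings(BROAD_POLICY, SAMPLE_KEY_CRN)` to see the four findings the over-broad policy produces (an extra role, two missing roles, and two missing resource attributes); `GOOD_POLICY` produces none.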
Section C: Key management best practices
Key lifecycle management
As the key owner, you are fully responsible for the lifecycle management of your encryption keys. This includes key rotation, monitoring, access control, and deletion policies. Any key lifecycle issues or risks are the customer's responsibility.
Key rotation
IBM Key Protect supports key rotation to enhance security:
- Manual rotation: Rotate keys on-demand based on your security requirements
- Rotation policy: Establish a key rotation schedule per your organization's security policies
- IBM service compatibility: Key rotation does not interrupt IBM OpenPages services. Rotation creates a new key version that is used for new wrap operations; earlier versions are retained, so data keys wrapped before the rotation still unwrap
For detailed information on key rotation, see IBM Key Protect key rotation.
Key deletion
Deleting an encryption key will make all encrypted data permanently inaccessible. This action is irreversible.
- Never delete a key actively used by IBM OpenPages
- After a key is deleted, IBM Key Protect keeps it in a deleted state for 30 days, during which it can be restored; wrap and unwrap fail for the whole period, so data is unreadable from the moment of deletion
- Consider disabling the key instead for temporary access revocation: a disabled key suspends wrap and unwrap and can be re-enabled without data loss
For more information, see IBM Key Protect key deletion.
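To make the rotation and deletion statements above concrete, here is an added model of a root key's lifecycle, written for this page; it is not Key Protect's implementation or API. Data keys are wrapped under a versioned root key; rotation adds a version while retaining the old ones; rewrap migrates an existing blob to the newest version; disabling suspends wrap and unwrap reversibly; deletion makes every wrapped data key unreadable at once, with a 30-day restore window. The XOR keystream stands in for the service's AES key wrap and is not a real cipher, and purging the material exactly when the window closes is a modelling assumption.

```python
import hashlib
import hmac
import secrets

RESTORE_WINDOW_DAYS = 30  # per this guide, a deleted root key is restorable for 30 days


def _xor_stream(material: bytes, version: int, data: bytes) -> bytes:
    """Stand-in for the service-side AES key wrap: XOR with an HMAC-SHA256 keystream
    bound to the root key version. Demonstrates versioning only; not a real cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = version.to_bytes(4, "big") + counter.to_bytes(4, "big")
        stream += hmac.new(material, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class RootKey:
    """Model of a Key Protect root key: versioned material, disable/enable, and soft
    delete with a restore window (assumption: material is purged the day it closes)."""

    def __init__(self):
        self._versions = [secrets.token_bytes(32)]  # version 1
        self.enabled = True
        self.days_since_delete = None               # None while the key is active

    def _usable(self):
        if self.days_since_delete is not None:
            raise PermissionError("key is deleted: wrap/unwrap fail, data is unreadable")
        if not self.enabled:
            raise PermissionError("key is disabled: wrap/unwrap suspended until re-enabled")

    def wrap(self, dek: bytes) -> tuple:
        """Wrap a data encryption key (DEK) under the newest root key version."""
        self._usable()
        v = len(self._versions)
        return v, _xor_stream(self._versions[v - 1], v, dek)

    def unwrap(self, wrapped: tuple) -> bytes:
        """Unwrap with whichever version produced the blob; old versions survive rotation."""
        self._usable()
        v, blob = wrapped
        return _xor_stream(self._versions[v - 1], v, blob)

    def rewrap(self, wrapped: tuple) -> tuple:
        """Move an existing wrapped DEK onto the newest version (Key Protect's rewrap)."""
        return self.wrap(self.unwrap(wrapped))

    def rotate(self) -> int:
        self._usable()
        self._versions.append(secrets.token_bytes(32))
        return len(self._versions)

    def disable(self): self.enabled = False
    def enable(self): self.enabled = True
    def delete(self): self.days_since_delete = 0

    def advance_days(self, days: int):
        if self.days_since_delete is not None:
            self.days_since_delete += days
            if self.days_since_delete >= RESTORE_WINDOW_DAYS:
                self._versions = []                 # purged: material is gone for good

    def restore(self):
        if self.days_since_delete is not None and not self._versions:
            raise PermissionError("restore window elapsed: key material was purged")
        self.days_since_delete = None


def _unwrap_fails(key: RootKey, blob: tuple) -> bool:
    try:
        key.unwrap(blob)
        return False
    except PermissionError:
        return True


def rotation_keeps_old_data_readable() -> bool:
    """Rotation changes only which version wraps *new* DEKs; earlier blobs still unwrap."""
    key = RootKey()
    old_dek, new_dek = secrets.token_bytes(32), secrets.token_bytes(32)
    old_blob = key.wrap(old_dek)
    key.rotate()
    new_blob, moved = key.wrap(new_dek), key.rewrap(old_blob)
    return ((old_blob[0], new_blob[0], moved[0]) == (1, 2, 2)
            and key.unwrap(old_blob) == old_dek and key.unwrap(new_blob) == new_dek
            and key.unwrap(moved) == old_dek)


def disable_is_reversible() -> bool:
    key = RootKey()
    blob = key.wrap(b"d" * 32)
    key.disable()
    blocked = _unwrap_fails(key, blob)
    key.enable()
    return blocked and key.unwrap(blob) == b"d" * 32


def delete_then_restore(days_before_restore: int) -> str:
    """'restored' if the key is usable again, 'purged' once the 30-day window has elapsed."""
    key = RootKey()
    blob = key.wrap(b"e" * 32)
    key.delete()
    assert _unwrap_fails(key, blob)             # unreadable from the moment of deletion
    key.advance_days(days_before_restore)
    try:
        key.restore()
    except PermissionError:
        return "purged"
    return "restored" if key.unwrap(blob) == b"e" * 32 else "corrupt"
```

The point of the model is the asymmetry: rotation and disablement are reversible operations on a key that still exists, while deletion removes the only thing that can unwrap every data key at once, which is why the guide treats deletion as irreversible once the restore window has passed.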
Additional resources
- IBM Key Protect
- Cloud Identity and Access Management trusted profiles
- Cloud Identity and Access Management service-to-service authorizations