Encrypting data with your own keys

IBM Cloud® encrypts all data in transit and at rest. Additionally, you can configure IBM Cloud services to encrypt your data at rest with your own keys, and then monitor the events around the lifecycle of the encryption keys with IBM Cloud® Activity Tracker.

IBM Cloud supports multiple encryption options, whether you're looking for a solution that supports the bring your own key (BYOK) or keep your own key (KYOK) functionality. For an in-depth look at the options to secure your data depending on your organization's needs, see Data security.

Bring your own keys

Many IBM Cloud services support data encryption by using customer-managed keys, also known as bring your own key (BYOK). The most common use case for BYOK is using IBM® Key Protect to bring your encryption keys to the cloud. Key Protect is a multi-tenant service backed by FIPS 140-2 Level 3 certified HSMs. For a list of services that can be integrated with Key Protect, see Integrating services.

Keep your own keys

IBM Cloud also provides IBM Cloud Hyper Protect Crypto Services, which is a dedicated key management service and hardware security module (HSM). Hyper Protect Crypto Services features keep your own key (KYOK) encryption capabilities backed by FIPS 140-2 Level 4 certification. This option makes the IBM public cloud the industry's most secure and open public cloud for business. For a list of services that can be integrated with Hyper Protect Crypto Services, see Integrating IBM Cloud services with Hyper Protect Crypto Services.
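Both BYOK and KYOK rest on the same mechanism: a root key that lives in the key management service (inside the HSM) wraps the data encryption keys (DEKs) that actually encrypt the data, so rotating or deleting the root key changes what can be recovered without touching the stored data. The Go program below is an added example, not IBM code and not the API of Key Protect or Hyper Protect Crypto Services. It simulates that envelope-encryption flow with an in-memory stand-in for the service; the `kms` type and its `Rotate`, `Wrap`, `Unwrap` and `Delete` methods, the one-byte version prefix on wrapped DEKs, and the `EncryptRecord`/`DecryptRecord` helpers are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// kms is an in-memory stand-in for the key management service (assumption);
// real root key material never leaves the HSM. Each key id maps to its list
// of versions, the last element being the current one.
type kms map[string][][]byte

// randomBytes draws n bytes from crypto/rand. Read is documented never to
// return an error on Go 1.24 or later, so the panic only guards older toolchains.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds an AES-256-GCM AEAD; a wrong key length is a programming error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal encrypts plaintext and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// openSealed reverses seal; it fails on a wrong key or altered data.
func openSealed(key, sealed []byte) ([]byte, error) {
	aead := gcm(key)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Rotate appends a fresh 256-bit root key version, creating the key on first
// use (with BYOK the material would be imported instead). Older versions are
// kept so that DEKs wrapped earlier still unwrap until they are rewrapped.
func (k kms) Rotate(id string) { k[id] = append(k[id], randomBytes(32)) }

// Delete drops every version: all DEKs wrapped under the key, and so all
// data encrypted with them, become unrecoverable (crypto-shredding).
func (k kms) Delete(id string) { delete(k, id) }

// Wrap encrypts a data encryption key (DEK) under the current root key
// version and prefixes the version index so that Unwrap can find it.
func (k kms) Wrap(id string, dek []byte) ([]byte, error) {
	versions, ok := k[id]
	if !ok {
		return nil, errors.New("unknown root key")
	}
	v := len(versions) - 1
	return append([]byte{byte(v)}, seal(versions[v], dek)...), nil
}

// Unwrap recovers a DEK with whichever root key version wrapped it.
func (k kms) Unwrap(id string, wrapped []byte) ([]byte, error) {
	versions, ok := k[id]
	if !ok || len(wrapped) == 0 || int(wrapped[0]) >= len(versions) {
		return nil, errors.New("cannot unwrap: key deleted or unknown version")
	}
	return openSealed(versions[wrapped[0]], wrapped[1:])
}

// EncryptRecord is envelope encryption: a fresh DEK encrypts the data and the
// KMS wraps the DEK; only the wrapped DEK and the ciphertext are stored.
func EncryptRecord(k kms, id string, data []byte) (wrapped, ct []byte, err error) {
	dek := randomBytes(32)
	if wrapped, err = k.Wrap(id, dek); err != nil {
		return nil, nil, err
	}
	return wrapped, seal(dek, data), nil
}

// DecryptRecord unwraps the DEK through the KMS and then decrypts the data.
func DecryptRecord(k kms, id string, wrapped, ct []byte) ([]byte, error) {
	dek, err := k.Unwrap(id, wrapped)
	if err != nil {
		return nil, err
	}
	return openSealed(dek, ct)
}
```

Calling `Rotate` on a fresh id creates version 0; `EncryptRecord` then stores a wrapped DEK tagged with that version. After a second `Rotate`, the old record still decrypts, and an `Unwrap` followed by a `Wrap` moves its DEK to version 1. Once `Delete` removes the key, every record encrypted under it fails to decrypt, which is why a key deletion is the lifecycle event that most deserves an alert in Activity Tracker.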

Auditing the lifecycle of your keys

You can use Activity Tracker to monitor the activity of your keys. The Activity Tracker service provides the framework and functions to monitor API calls to services on IBM Cloud and produces the evidence to comply with corporate policies and industry-specific regulations. Events that are tracked by Activity Tracker are either global or regional: global events, such as provisioning a service, are available through the global domain instance that is located in Frankfurt. Events that are generated by an instance of Key Protect or Hyper Protect Crypto Services are automatically forwarded to the Activity Tracker instance that is available in the same location.

See Provisioning an instance to configure your monitoring instance. Whether you're using Key Protect or Hyper Protect Crypto Services, you can track events like creating a key, deleting a key, rotating a key, and more:
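The Go program below is an added example, not IBM code, of the kind of triage a defender runs over exported key lifecycle events: it keeps only the actions that change a key's state (create, rotate, delete, restore) and flags the two cases that warrant a look, a deletion, after which data under that key is unrecoverable, and any failed attempt, which may be an unauthorized change. The sample events are constructed for this example and are not real Activity Tracker output; the `kms.secrets.<verb>` action names and the `action`, `outcome`, `initiator.name`, `target.name` and `eventTime` fields are assumptions here, so check them against the event reference for your service before relying on them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// atEvent holds the subset of event fields that this example reads
// (assumed layout, modelled on the CADF-style events Activity Tracker emits).
type atEvent struct {
	EventTime string `json:"eventTime"`
	Action    string `json:"action"`
	Outcome   string `json:"outcome"`
	Initiator struct {
		Name string `json:"name"`
	} `json:"initiator"`
	Target struct {
		Name string `json:"name"`
	} `json:"target"`
}

// sampleEvents is constructed input for this example, not real service output.
const sampleEvents = `
{"eventTime":"2024-05-01T09:00:00.00+0000","action":"kms.secrets.create","outcome":"success","initiator":{"name":"alice@example.com"},"target":{"name":"payroll-root"}}
{"eventTime":"2024-05-01T09:05:00.00+0000","action":"kms.secrets.wrap","outcome":"success","initiator":{"name":"svc-object-storage"},"target":{"name":"payroll-root"}}
{"eventTime":"2024-06-01T02:00:00.00+0000","action":"kms.secrets.rotate","outcome":"success","initiator":{"name":"alice@example.com"},"target":{"name":"payroll-root"}}
{"eventTime":"2024-06-02T14:30:00.00+0000","action":"kms.secrets.delete","outcome":"failure","initiator":{"name":"bob@example.com"},"target":{"name":"payroll-root"}}
{"eventTime":"2024-06-02T14:35:00.00+0000","action":"kms.secrets.delete","outcome":"success","initiator":{"name":"alice@example.com"},"target":{"name":"payroll-root"}}
`

// lifecycleVerbs lists the action suffixes that change a key's lifecycle
// state; data-path calls such as wrap and unwrap are deliberately excluded.
var lifecycleVerbs = map[string]bool{"create": true, "rotate": true, "delete": true, "restore": true}

// Finding is one lifecycle event reduced to what an auditor needs.
type Finding struct {
	Time, Actor, Key, Verb, Outcome string
	Alert                           bool // true for deletions and for any failed attempt
}

// ParseEvents decodes one JSON event per non-empty line and reports the
// first malformed line instead of silently dropping it.
func ParseEvents(lines string) ([]atEvent, error) {
	var events []atEvent
	for i, line := range strings.Split(lines, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev atEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// TriageKeyEvents keeps only lifecycle actions and marks the ones worth a
// closer look: a deletion or a failed attempt.
func TriageKeyEvents(lines string) ([]Finding, error) {
	events, err := ParseEvents(lines)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, ev := range events {
		verb := ev.Action[strings.LastIndex(ev.Action, ".")+1:]
		if !lifecycleVerbs[verb] {
			continue
		}
		out = append(out, Finding{
			Time: ev.EventTime, Actor: ev.Initiator.Name, Key: ev.Target.Name,
			Verb: verb, Outcome: ev.Outcome,
			Alert: verb == "delete" || ev.Outcome != "success",
		})
	}
	return out, nil
}

// CountAlerts returns how many findings need attention.
func CountAlerts(findings []Finding) int {
	n := 0
	for _, f := range findings {
		if f.Alert {
			n++
		}
	}
	return n
}

func main() {
	findings, err := TriageKeyEvents(sampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		flag := ""
		if f.Alert {
			flag = "  <-- review"
		}
		fmt.Printf("%s %-7s %-8s key=%s by %s%s\n", f.Time, f.Verb, f.Outcome, f.Key, f.Actor, flag)
	}
}
```

Run against the constructed sample, the wrap call is dropped as routine data-path activity, the create and rotate are recorded without an alert, and both delete events are flagged: the failed attempt because someone tried to destroy the key and was refused, the successful one because every DEK wrapped under that key is now unrecoverable.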