Securing your data

Review what personal and sensitive information is stored when you use IBM Cloud Satellite®, how this data is stored and encrypted, and how you can permanently remove this information.

What information is stored with IBM with Satellite?

For every location that you create, IBM stores certain personal and sensitive information. Depending on the type of information, either IBM or you are responsible for storing and protecting it. For more information, see How is my information stored, backed up, and encrypted?

Stored information when you create a Satellite location

The following information is stored when you create a Satellite location.

Personal information
The email address of the IBM Cloud account that created the location.
Sensitive information
  • The TLS certificate and secret that is used for the assigned Satellite control plane domain.
  • The certificate authority that is used for the TLS certificate.
  • An IBM-owned encryption key for each location that is used to encrypt the TLS certificates, secrets, and certificate authority of the Satellite control plane domain.
  • Satellite control plane and Satellite cluster data that can be used to restore the control plane and clusters in a disaster.

Stored information from resources that you create in Satellite

Because Satellite is an extension of IBM Cloud to your own environment, you create many resources whose metadata might be stored, backed up, and encrypted in Satellite.

Do not use sensitive or personally identifiable information for the names, labels, tags, or other metadata for the following items.

  • Satellite resources, such as the names of locations, hosts, Satellite Link endpoints, Satellite configurations, versions, subscriptions, cluster group names, or storage configurations.
  • Satellite-enabled services resources, such as the names of service instances or clusters.
  • Managed Kubernetes resources that run in clusters in your Satellite location, such as the names and resource definitions of deployments, pods, services, secrets, or config maps.
  • The definitions of resources managed by Satellite config, including their data. Sensitive keys or personally identifiable information can be managed with Secrets Manager, or encrypted with Key Protect.
  • Any other resources that run in your Satellite location.
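
One way to check Kubernetes manifests for this before they are applied to a cluster or uploaded as a Satellite config version, as an added example that is not IBM's code. The detector patterns, function names, and sample manifests are assumptions constructed for illustration; findings report only the field path so the sensitive value is not copied into logs.

```python
import json
import re

# Illustrative detectors (assumptions, not an IBM-defined list); tune for your data.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),
    "us-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credential": re.compile(r"(?i)\b(password|passwd|api[_-]?key|token)\s*[=:]\s*\S+"),
}

def _strings(node, path):
    """Yield (path, text) for every key and scalar value under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", str(key)
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _strings(item, f"{path}[{i}]")
    elif node is not None:
        yield path, str(node)

def scan_manifest(manifest):
    """Return sorted (resource, field path, detector) findings without the matched value."""
    findings = set()
    ref = f"{manifest.get('kind', '?')}/{manifest.get('metadata', {}).get('name', '?')}"
    # Metadata is always checked; ConfigMap data is checked because it is stored unencrypted.
    sections = {"metadata": manifest.get("metadata", {})}
    if manifest.get("kind") == "ConfigMap":
        sections["data"] = manifest.get("data", {})
    for section, content in sections.items():
        for path, text in _strings(content, section):
            for name, rx in DETECTORS.items():
                if rx.search(text):
                    findings.add((ref, path, name))
    return sorted(findings)

def scan_all(manifests):
    return [finding for m in manifests for finding in scan_manifest(m)]

# Constructed sample manifests (JSON form, as produced by `kubectl get -o json`).
SAMPLE = json.loads("""[
 {"kind": "Deployment", "metadata": {"name": "billing-api", "labels": {"app": "billing"},
   "annotations": {"owner": "jane.doe@example.com"}}},
 {"kind": "ConfigMap", "metadata": {"name": "app-settings", "labels": {"tier": "backend"}},
   "data": {"db.conf": "user=app\\npassword=constructed-value", "customer": "123-45-6789"}},
 {"kind": "Service", "metadata": {"name": "frontend", "labels": {"app": "web"}}}
]""")

if __name__ == "__main__":
    for resource, path, detector in scan_all(SAMPLE):
        print(f"{resource}: {path} looks like {detector}")
```

Values that the scan flags belong in Secrets Manager or should be encrypted with Key Protect, as the list above states.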

How is my information stored, backed up, and encrypted with Satellite?

Review the following image to see how your personal and sensitive information is stored, backed up, and encrypted.

Figure 1. Satellite data security

(1) All personal and sensitive information
Review the location, access, backup, and encryption details for personal and sensitive information.
  • Location: All data is stored in a Satellite persistent storage instance in the location's Satellite management plane.
  • Access and data management: The persistent storage instance is owned and managed by the Satellite control plane service team. You cannot access the data in the persistent storage instance.
  • Backup: See (2) and (3) to see how data is backed up.
  • Encryption: Data is encrypted at rest with a customer root key from an IBM-owned IBM Key Protect service instance.
(2) TLS certificate, TLS secret, and certificate authority to encrypt the Satellite control plane domain
Review the location, access, backup, and encryption details for TLS secret and CA information.
  • Location: Data is backed up from the Satellite persistent storage instance to an IBM-owned IBM Cloud Object Storage instance.
  • Access and data management: Access to the IBM-owned IBM Cloud Object Storage service instance is controlled by Cloud Identity and Access Management (IAM) and granted to the Satellite service team and IBM Site Reliability Engineers (SRE) only.
  • Backup: Every hour
  • Encryption: All backup data is protected in transit and at rest by a root key that IBM creates and stores in an IBM-owned IBM Key Protect service instance.
(3) All Satellite control plane and cluster data
Review the location, access, backup, and encryption details for control plane and cluster data.
  • Location: Cluster data such as etcd data is backed up from the Satellite persistent storage instance to a customer-owned IBM Cloud Object Storage instance. Control plane data such as location data is sent to IBM Cloud Object Storage. You must have an existing IBM Cloud Object Storage instance when you create the location. You can specify an existing bucket in the IBM Cloud Object Storage instance that you want Satellite to use. Otherwise, a new bucket is automatically created in your Object Storage instance on your behalf. Management plane data is backed up by IBM and stored in an IBM-owned Object Storage instance. Satellite cluster master data is backed up to the Object Storage instance that you own.
  • Access and data management: Access to the customer-owned IBM Cloud Object Storage service instance is controlled by IAM.
  • etcd backup: Every 8 hours
  • Location control plane backup: Every hour
  • Encryption: Data is automatically encrypted by using the default built-in encryption mechanisms in IBM Cloud Object Storage. You can further choose to protect your data by using a root key in IBM Key Protect and use the key to encrypt the data in your bucket. For more information, see the IBM Cloud Object Storage documentation.

The time to recover a location or cluster depends on the size of the location or cluster and the network latency between IBM Cloud and your host infrastructure.

Where can I find information about the data that my managed services store?

You can find information about the data that is stored by your managed service by reading the data security topic for each service.

Which IBM Cloud region is my information stored in?

Where your Satellite information is stored depends on the IBM Cloud region that manages the control plane of your Satellite location. When you select the IBM Cloud region that is closest to the infrastructure provider for your Satellite location, your data is automatically spread across zones in that region for high availability. Because the zones of an IBM Cloud region might be in a different city or country than the infrastructure hosts that you bring to your Satellite location, make sure that your data can be stored in the selected IBM Cloud region.

How can I remove my information?

Review your options to remove your personal and sensitive information from IBM Cloud Satellite.

Removing personal and sensitive information is permanent and cannot be undone. Make sure that you want to permanently remove your information before you proceed.

Deleting a location does not remove all information from IBM Cloud Satellite. When you delete a location, location-specific information is removed from the etcd instance that is managed by IBM. However, your information still exists in the following places.

  • Data that IBM manages: A backup of the Satellite location is in IBM Cloud Object Storage and can still be accessed by the IBM service team. To remove all data that IBM stores, choose between the following options. Note that removing your personal and sensitive information requires all your Satellite locations to be deleted as well. Make sure that you have backed up your data before you proceed.

    • Open an IBM Cloud support case: Contact IBM Support to remove your personal and sensitive information from IBM Cloud Satellite. For more information, see Getting support.

    • End your IBM Cloud subscription: After you end your IBM Cloud subscription, all personal and sensitive information is permanently removed.

  • Cluster data in IBM Cloud Object Storage: When you create a Red Hat OpenShift on IBM Cloud cluster, some cluster data is backed up to an Object Storage instance in your account. To delete the data, review the Object Storage documentation.

  • Cluster data on the local host: Because the cluster masters run on your Satellite location control plane hosts, the data is still available on the physical hosts in your infrastructure provider after you delete the Satellite location. To delete the data, consult your infrastructure provider documentation to reload the operating system or delete the host.