IBM Cloud Docs
Securing your data with encryption

Review what data is stored and encrypted when you use IBM Cloud Schematics, and how you can delete any stored user data.

To ensure that you can securely manage your data when you use Schematics, it is important to know what data is stored and encrypted and how you can delete any stored data. Data encryption is performed with keys managed by Key Protect or Hyper Protect Crypto Services.

How your data is stored and encrypted in Schematics

All data, user inputs, and the data generated at runtime during execution of Terraform or Ansible automation code are stored in IBM Cloud Object Storage. Data is encrypted at rest with AES GCM 256 encryption, using an envelope encryption technique with IBM Cloud managed root keys. Key Protect managed root keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs). An HSM is a physical appliance that provides on-demand encryption, key management, and key storage as a managed service.

Schematics supports three types of root key management:

  1. Schematics-owned root key managed by Key Protect (the default).
  2. Bring your own key (BYOK), managed by Key Protect.
  3. Keep your own key (KYOK), managed by Hyper Protect Crypto Services (HPCS).

Refer to KMS integration for BYOK or KYOK for details on using user-managed keys.

Key Protect offers manual and automatic key rotation. When you rotate a root key, the registered key is used to re-encrypt Schematics resources with the new key version. You can still access the Schematics resources metadata details until the rotation completes.

Key deletion or disable

Key deletion is a destructive action. When you disable or delete a root key that is used to encrypt your Schematics resources, you cannot access transactional data such as activity or job logs, the resource list, and the variable store. However, you can still access the metadata details. Furthermore, any subsequent deployment or configuration operation through Schematics results in failure. Key deletion or disable events are sent to IBM Log Analysis Activity Tracker.

Key enable or restore

When you enable or restore a root key, the Schematics resources transactional data that was inaccessible because the root key was disabled or deleted becomes accessible again. You can also use Schematics resources for deployment or configuration operations again. Key enable or restore events are sent to IBM Log Analysis Activity Tracker.

What technical information is stored in Schematics?

The following technical data is encrypted and stored when you create and use a Schematics workspace:

  • Workspace details
  • Workspace variables
  • Terraform configuration files that your workspace points to
  • Terraform state files
  • Terraform log files
  • User activity logs

Where is my information stored?

By default, all information that is stored in Schematics is encrypted in transit and at rest. To ensure resiliency and high availability, all data stored in the US and EU geographies is replicated across multiple locations in the same geography. When choosing a Schematics location to work with, verify that your data can be stored in these geographic locations.

Location information

North America
  Public endpoints: https://us.schematics.cloud.ibm.com and https://cloud.ibm.com/schematics/overview
  Private endpoint: https://private-us.schematics.cloud.ibm.com (Deprecated)
  Data stored: Workspaces that are created with this endpoint and all associated data are stored in the US.
  Data replicated: Data is replicated between two locations in the US.

Dallas
  Public endpoint: https://us-south.schematics.cloud.ibm.com
  Private endpoint: https://private-us-south.schematics.cloud.ibm.com
  Data stored: Workspaces that are created with this endpoint and all associated data are stored in the Dallas location.
  Data replicated: Data is replicated between two locations in the US.

Washington
  Public endpoint: https://us-east.schematics.cloud.ibm.com
  Private endpoint: https://private-us-east.schematics.cloud.ibm.com
  Data stored: Workspaces that are created with this endpoint and all associated data are stored in the Washington location.
  Data replicated: Data is replicated between two locations in the US.

Europe
  Public endpoint: https://eu.schematics.cloud.ibm.com
  Private endpoint: https://private-eu.schematics.cloud.ibm.com (Deprecated)
  Data stored: Workspaces that are created with this endpoint and all associated data are stored in Europe.
  Data replicated: Data is replicated between two locations in Europe.

Frankfurt
  Public endpoint: https://eu-de.schematics.cloud.ibm.com
  Private endpoint: https://private-eu-de.schematics.cloud.ibm.com
  Data stored: Workspaces that are created with this endpoint and all associated data are stored in Frankfurt.
  Data replicated: Data is replicated between two locations in Europe.

London
  Public endpoint: https://eu-gb.schematics.cloud.ibm.com
  Private endpoint: https://private-eu-gb.schematics.cloud.ibm.com
  Data stored: Workspaces that are created with this endpoint and all associated data are stored in London.
  Data replicated: Data is replicated between two locations in Europe.

How is my information encrypted?

The following image shows the main IBM Cloud Schematics components and operational data flows. It depicts the interactions for encrypting user data with customer-managed Key Protect and Hyper Protect Crypto Services keys, and the storage of that data in IBM Cloud Object Storage.

IBM Cloud Schematics architecture and data encryption process

  1. A user sends a request to create a Schematics workspace to the Schematics API server. An IAM request is made to check whether the user is authorized to perform Schematics operations for the workspace.
  2. The API server retrieves the Terraform template and input variables from your GitHub or GitLab source repository, or from a tape archive file (.tar) that you uploaded from your local machine. User data in transit is protected with TLS.
  3. All user-initiated actions (creating a workspace, generating a Terraform execution plan, or applying a plan) are sent to RabbitMQ and added to the internal queue. The Schematics engine retrieves requests from RabbitMQ and executes the actions. User data in transit is protected with TLS.
  4. The Schematics engine runs the tasks to provision, modify, or delete IBM Cloud resources.
  5. To protect user data at rest, IBM Cloud Schematics encrypts data with AES GCM 256 encryption. Envelope encryption with root keys managed by Key Protect or Hyper Protect Crypto Services is used to generate and encrypt unique data encryption keys (DEKs) for the data objects.
  6. Workspace transactional data, including logs and the Terraform tf.state file, is encrypted at rest using the DEKs. The encrypted data is stored in an IBM Cloud Object Storage bucket.
  7. Workspace operational data (workspace and job names, pointers to user data in IBM Cloud Object Storage, and search keys) is stored in IBM Cloudant. All information stored in Cloudant is encrypted with AES 256. For more information about Cloudant data security and encryption, see Cloudant Security.
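The envelope scheme in steps 5 and 6, and the rotation and disable/delete behaviour described under "Key deletion or disable" and "Key enable or restore", as an added Go example that is not IBM's code: a root key that would live in Key Protect or HPCS is modelled as an in-process struct (an assumption for illustration), each object gets its own AES-256-GCM data encryption key wrapped under the root key, rotation re-wraps only the DEK, and a disabled root key makes every object under it unreadable until it is re-enabled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// RootKey stands in for a KMS-managed root key (Key Protect or HPCS in the text); Disabled models disable/delete.
type RootKey struct {
	material []byte // in the real service this never leaves the HSM-backed key store
	Disabled bool
}
// Envelope is what object storage keeps per object: the DEK wrapped under the root key plus the data sealed under it (12-byte GCM nonce prefixed on each blob).
type Envelope struct{ WrappedDEK, Ciphertext []byte }
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func NewRootKey() *RootKey    { return &RootKey{material: randomBytes(32)} }
// AES-256-GCM primitives. With 32-byte keys the constructors cannot fail, so their errors are dropped.
func aead(key []byte) cipher.AEAD { block, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(block); return g }
func seal(key, pt []byte) []byte { n := randomBytes(12); return aead(key).Seal(n, n, pt, nil) }
func open(key, b []byte) ([]byte, error) { return aead(key).Open(nil, b[:12], b[12:], nil) } // b from seal
// unwrap recovers a DEK. Once the root key is disabled or deleted no DEK, and so none of the data encrypted
// under it, can be recovered: the failure mode the text describes for key deletion.
func (r *RootKey) unwrap(e *Envelope) ([]byte, error) {
	if r.Disabled { return nil, errors.New("root key disabled") }
	return open(r.material, e.WrappedDEK)
}
// Encrypt generates a fresh DEK for this object, wraps it under the root key and seals the data with it.
func Encrypt(r *RootKey, pt []byte) *Envelope {
	dek := randomBytes(32)
	return &Envelope{WrappedDEK: seal(r.material, dek), Ciphertext: seal(dek, pt)}
}
func Decrypt(r *RootKey, e *Envelope) (pt []byte, err error) {
	dek, err := r.unwrap(e)
	if err == nil {
		pt, err = open(dek, e.Ciphertext)
	}
	return
}
// Rewrap is the per-object work of root key rotation: the DEK is unwrapped with the old key and re-wrapped
// under the new one; the bulk ciphertext in object storage is never re-encrypted.
func Rewrap(old, next *RootKey, e *Envelope) error {
	dek, err := old.unwrap(e)
	if err == nil {
		e.WrappedDEK = seal(next.material, dek)
	}
	return err
}
```

Because only the wrapped DEK changes on rotation, the cost of re-keying a bucket is one small re-wrap per object rather than a re-encryption of every state and log file.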

How can I delete my information?

To remove your data from IBM Cloud Schematics, choose among the following options:

  • Delete the workspace: When you delete your workspace, all the data related to the workspace is permanently deleted.
  • Open an IBM Cloud support case: Contact IBM Support to remove your workspaces and any associated data by opening a support case. For more information, see Getting support.
  • End your IBM Cloud subscription: A Schematics cleanup job runs multiple times a day to verify that all workspaces that are stored by IBM belong to an active IBM Cloud account. If no active account is found, the workspace and all associated stored data are deleted.