Configure IBM Key Protect
In this section, you can find details on how to configure IBM Key Protect and add it as a keystore in Data Security Broker Manager.
Overview
The IBM® Key Protect service enables you to provision and store encrypted keys across your IBM Cloud environment. IBM Key Protect provides full encryption visibility and control, allowing you to see and manage data encryption and the entire key lifecycle from a single location.
Procedure
Complete the following steps to configure IBM Key Protect. After completing this procedure, you can add IBM Key Protect as a keystore in Data Security Broker Manager.
To configure IBM Key Protect, do the following:
- Get the instance ID of the IBM Key Protect instance in one of the following ways:
  - Using the IBM Cloud CLI: enter the following command in a shell window (replace the instance name with your own):
    ibmcloud resource service-instance 'Key Protect-dsb-1'
  - Using the IBM Cloud web console: navigate to Services and software and select the Key Protect instance. The GUID is displayed in the sidebar; this GUID is the value that you use for the instance ID.
- Create and retrieve an API key, in the following way:
  - Open a web browser and navigate to https://cloud.ibm.com/iam/apikeys.
  - Select Create an IBM Cloud API key and name the key.
  - Copy or download the key after it is created; it is shown only once.
- Create a Cloud Object Storage (COS) instance in the resource group.
- Create a bucket in the COS instance, for example: bm-ibm-bucket
- Generate service credentials for the COS bucket:
  - In Object Storage, click **Service Credentials** in the side panel. Then click New Credential.
  - Enable HMAC and click Add. Without HMAC enabled, the credential does not contain the access key ID and secret key that the keystore configuration requires.
Add IBM Key Protect as a keystore in Data Security Broker Manager
Complete the following steps to add IBM Key Protect as a keystore in Data Security Broker Manager.
To add IBM Key Protect as a keystore, perform the following steps:
- In the Data Security Broker Manager console, click the key icon in the left navigation bar. The Keystore window appears.
- Click +Keystore. The Add Keystore dialog appears.
- Enter a keystore Name and select **IBM Key Protect** in the Keystore Type drop-down menu.
- Enter the Instance ID: the GUID of the IBM Key Protect instance that you retrieved earlier.
- For App Namespace, enter a string that identifies the application.
- For **IBM Key Protect Alias**, enter a unique string value.
- For the IAM API Key, use the API key that you created earlier.
- For IBM region, specify the region of the IBM Key Protect instance.
- For the IBM Cloud Object Storage URL, specify the IBM endpoint URL for COS, for example: https://s3.us-south.cloud-object-storage.appdomain.cloud
- For the Access Key ID and Secret Key, enter the values from the cos_hmac_keys section of the COS service credential that you generated.
- Click Add Keystore. Note: The key does not appear in IBM Key Protect until Data Security Broker Shield has been connected and data encryption migration has occurred.
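The two procedures above collect several values (instance GUID, IAM API key, COS endpoint, HMAC keys) that are easy to mix up, and a mistake only surfaces later when Shield tries to migrate data. The following added example, which is not part of this documentation or of Data Security Broker, is a preflight check a practitioner might run before filling in the Add Keystore dialog: it extracts the HMAC pair from a COS service credential (the `cos_hmac_keys.access_key_id` / `secret_access_key` field names are IBM COS's; every value in the sample credential is constructed), verifies that the instance ID is a GUID rather than a name or CRN, that the COS URL is an HTTPS IBM COS endpoint, and that no required field is blank, and it masks secrets before they are written to any log. The field names in `example_config()` and the helper names are assumptions for this example.

```python
"""Preflight validation of the values entered in the Add Keystore dialog.

Example code for this page; not part of Data Security Broker Manager.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlparse

# Constructed sample of an IBM COS service credential created with HMAC enabled.
# Only the cos_hmac_keys field names are real; all values are made up.
SAMPLE_COS_CREDENTIAL = json.dumps({
    "apikey": "EXAMPLE-COS-APIKEY-0000",
    "cos_hmac_keys": {
        "access_key_id": "0123456789abcdef0123456789abcdef",
        "secret_access_key": "fedcba9876543210fedcba9876543210fedcba9876543210",
    },
    "resource_instance_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/EXAMPLE::",
})

# Constructed GUID standing in for the Key Protect instance ID shown in the console.
SAMPLE_INSTANCE_GUID = "3fa85f64-5717-4562-b3fc-2c963f66afa6"

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
COS_HOST_SUFFIX = ".cloud-object-storage.appdomain.cloud"
REQUIRED_FIELDS = ("name", "instance_id", "app_namespace", "alias", "iam_api_key",
                   "region", "cos_url", "access_key_id", "secret_key")
SECRET_FIELDS = ("iam_api_key", "access_key_id", "secret_key")


def hmac_keys_from_credential(credential_json: str) -> tuple[str, str]:
    """Return (access_key_id, secret_access_key) from a COS service credential.

    Raises KeyError when the credential was created without "Enable HMAC",
    which is the most common reason the Access Key ID / Secret Key fields
    cannot be filled in.
    """
    cred = json.loads(credential_json)
    if "cos_hmac_keys" not in cred:
        raise KeyError("service credential has no cos_hmac_keys; re-create it with HMAC enabled")
    keys = cred["cos_hmac_keys"]
    return keys["access_key_id"], keys["secret_access_key"]


def validate_keystore_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the values look consistent."""
    errors: list[str] = []
    for field in REQUIRED_FIELDS:
        if not cfg.get(field):
            errors.append(f"{field} is required")
    # The dialog wants the instance GUID, not the instance name or its CRN.
    if cfg.get("instance_id") and not UUID_RE.match(cfg["instance_id"]):
        errors.append("instance_id must be the Key Protect instance GUID, not its name or CRN")
    url = urlparse(cfg.get("cos_url", ""))
    if url.scheme != "https":
        errors.append("cos_url must use https")
    if not url.netloc.endswith(COS_HOST_SUFFIX):
        errors.append("cos_url does not look like an IBM COS endpoint")
    return errors


def redact(cfg: dict) -> dict:
    """Copy of the config safe for logging: secrets keep only their last 4 characters."""
    safe = dict(cfg)
    for field in SECRET_FIELDS:
        value = safe.get(field)
        if value:
            safe[field] = "*" * max(len(value) - 4, 0) + value[-4:]
    return safe


def example_config() -> dict:
    """Build the dialog values from the constructed samples above (field names assumed)."""
    access_key_id, secret_key = hmac_keys_from_credential(SAMPLE_COS_CREDENTIAL)
    return {
        "name": "keyprotect-dsb",
        "instance_id": SAMPLE_INSTANCE_GUID,
        "app_namespace": "orders-app",
        "alias": "kp-orders-1",
        "iam_api_key": "EXAMPLE-IAM-APIKEY-1234",   # constructed, not a real key
        "region": "us-south",
        "cos_url": "https://s3.us-south.cloud-object-storage.appdomain.cloud",
        "access_key_id": access_key_id,
        "secret_key": secret_key,
    }


if __name__ == "__main__":
    cfg = example_config()
    problems = validate_keystore_config(cfg)
    print("config:", json.dumps(redact(cfg), indent=2))
    print("problems:", problems or "none")
```

Run the check with your own values substituted into `example_config()`; any entry in the returned list corresponds to one field of the Add Keystore dialog. Only the `redact()` view should ever reach a log or a ticket, since the IAM API key and the HMAC secret together give broad access to the Key Protect instance and the COS bucket.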