
Bring Your Own Key for dedicated workloads

An IBM® Key Protect for IBM Cloud® instance is provided when you provision your IBM Cloud for VMware Cloud Foundation as a Service instance or you can Bring Your Own Key (BYOK) for dedicated workload virtual machine (VM) encryption. An IBM Key Protect instance is required for customer-managed keys. Review the following important requirements to ensure that your VMs work properly with the encryption.

Understanding your responsibilities when you use Key Protect

Review the following documentation for details on roles and responsibilities for managing your Key Protect instance.

Understanding your responsibilities when you BYOK

Review the following to understand critical responsibilities when you manage your own Key Protect instance. It is your responsibility to work with IBM Key Protect support for recovery, if necessary.

  • Removing a Key Protect instance: If you delete or disable your Key Protect instance, its KMS encryption keys become unavailable and the decryption path is severed for any workloads that are hosted on VMware Cloud Foundation (VCF) as a Service in IBM Cloud.
  • Renewing a Key Protect certificate: You must create an IBM Support case to notify VCF as a Service engineers before any certificate rotation associated with Key Protect to ensure proper coordination and to prevent unintended service disruptions.

Before you begin

If you have existing workloads to migrate to the new Key Protect instance, you must schedule a maintenance window with IBM Support to rekey the existing workloads. You must schedule the maintenance window outside of your backup window.

  • The time to rekey depends on the number of existing workloads.
  • Each workload to rekey must not have a snapshot.
  • The expected behavior during the rekey is that the VMs remain operational.

Procedure to request to Bring Your Own Key

  1. Go to the IBM Cloud Support Center.

  2. Scroll down and click Create case.

  3. In the Category section, click All topics.

  4. In the Topic section, select the following:

    1. For Topic, select VMware Cloud Foundation as a Service.
    2. For Subtopic, select Other and click Next.
  5. In the Details section, provide the following information and then click Next.

    1. For Subject, enter Bring Your Own Key for a VCF as a Service instance.
    2. For Description, provide the following details to help IBM Support tailor the setup to your needs and to help ensure a smooth setup process.
    • Detailed description: Request that VCF as a Service engineers configure the VCF as a Service instance to point to your customer-provisioned IBM Key Protect instance.
    • Private endpoint URL: Specify the private endpoint URL and port of your IBM Key Protect instance.

    To find your private endpoint URL, navigate to IBM Cloud > Resources > Security > Key_Protect_instance > Endpoints.

    Identify the instance private endpoint in the following format: private.[region].kms.cloud.ibm.com:[port]. For example, private.us-south.kms.cloud.ibm.com:5696.

  6. In the Review section, review the case details and click Submit case.
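Before you submit the case, it is worth checking that the endpoint you paste into the description really is the private Key Protect endpoint in the format shown in step 5. The following Python function is an added example, not IBM code: it normalizes a pasted value (tolerating an https:// prefix or trailing slash), rejects the public endpoint form ([region].kms.cloud.ibm.com), requires a port in range, and warns when the port is not 5696, the IANA-registered KMIP port used in the page's example. The region character class is an assumption made for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# IANA-registered KMIP port; matches the port in the page's example endpoint.
KMIP_DEFAULT_PORT = 5696

# Expected host shape, from the page: private.[region].kms.cloud.ibm.com
# The region character class (e.g. us-south, eu-gb, jp-tok) is an assumption.
_HOST_RE = re.compile(
    r"^(?P<scope>private\.)?"
    r"(?P<region>[a-z]{2}-[a-z0-9]+(?:-[a-z0-9]+)*)"
    r"\.kms\.cloud\.ibm\.com$"
)


@dataclass
class EndpointCheck:
    """Result of validating a Key Protect private endpoint string."""
    raw: str
    region: str | None = None
    port: int | None = None
    problems: list[str] = field(default_factory=list)  # must be fixed
    warnings: list[str] = field(default_factory=list)  # worth a second look

    @property
    def ok(self) -> bool:
        return not self.problems


def check_endpoint(value: str) -> EndpointCheck:
    """Validate 'private.[region].kms.cloud.ibm.com:[port]' as written in the case."""
    result = EndpointCheck(raw=value)
    text = value.strip()
    # Tolerate a pasted URL: strip any scheme and anything after the host:port.
    text = re.sub(r"^[a-z][a-z0-9+.\-]*://", "", text, flags=re.IGNORECASE)
    text = text.split("/", 1)[0]

    host, sep, port_text = text.rpartition(":")
    if not sep:
        host = text
        result.problems.append("port is missing (expected host:port)")
    elif not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        result.problems.append(f"port {port_text!r} is not a number in 1-65535")
    else:
        result.port = int(port_text)
        if result.port != KMIP_DEFAULT_PORT:
            result.warnings.append(
                f"port {result.port} is not the KMIP default {KMIP_DEFAULT_PORT}; confirm it"
            )

    match = _HOST_RE.match(host.lower())
    if match is None:
        result.problems.append(
            f"host {host!r} does not match private.[region].kms.cloud.ibm.com"
        )
    else:
        result.region = match.group("region")
        if not match.group("scope"):
            # The public endpoint lacks the 'private.' label; the case needs the private one.
            result.problems.append("host is the public endpoint; use the private endpoint")
    return result


if __name__ == "__main__":
    for candidate in (
        "private.us-south.kms.cloud.ibm.com:5696",      # constructed: good
        "https://private.us-south.kms.cloud.ibm.com:5696/",  # constructed: pasted URL
        "us-south.kms.cloud.ibm.com:5696",              # constructed: public endpoint
        "private.us-south.kms.cloud.ibm.com",           # constructed: no port
    ):
        r = check_endpoint(candidate)
        print(f"{candidate!r}: ok={r.ok} region={r.region} port={r.port} "
              f"problems={r.problems} warnings={r.warnings}")
```

Run the script directly to see each constructed candidate classified; in practice, paste the value from the Endpoints panel of your Key Protect instance and include it in the case only when `ok` is true and any warnings have been reviewed.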

After you submit the case, you receive a confirmation email with a case number for your records. The IBM Support team configures your endpoint and provides the VCF as a Service certificate.

Next steps

After the IBM Support team provides you with the VCF as a Service certificate, you must import it to your Key Protect instance. For more information about certificates, see Step 4 in Creating an adapter.

Refer to the support case number to confirm that the operation is complete and request that VCF as a Service engineers validate that the trust relationship is healthy. The VCF as a Service engineers rekey any workloads that require it and provide confirmation when the work is complete.