Securing your data in watsonx.data
Know how your data is encrypted in IBM® watsonx.data to ensure data security.
The watsonx.data service has security that is built into all levels of its architecture.
- Web Console UI, API, Presto, Milvus, and Metadata Service data in motion is encrypted by using SSL/TLS 1.3.
- Web Console UI, API, Presto, and Metadata Service authentication and authorization are handled by IBM Cloud IAM.
- Presto Kubernetes worker node NVMe SSDs used for local ephemeral RaptorX caching are encrypted by using AES-256.
- Metadata Service backend database is encrypted by using Key Protect.
- Backend object storage repositories for internal metadata and the 10 GB limited trial bucket are encrypted by using AES-256. Customer Bring-your-own-key (BYOK) via Key Protect and Keep-your-own-key (KYOK) via Hyper Protect Crypto Services (HPCS) are supported at provision time.
Integrating your data and keys
The backend object storage bucket for internal metadata and 10 GB limited trial bucket for watsonx.data can be encrypted with your encryption keys. If you need to control the encryption keys, use IBM Key Protect or Hyper Protect Crypto Services to create, add, and manage encryption keys. Then, you can associate those keys with your watsonx.data deployment to encrypt your buckets.
IBM Key Protect helps you provision encrypted keys for apps across IBM Cloud services. You manage the lifecycle of your keys and benefit as your keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) that protect against information theft.
Hyper Protect Crypto Services is a single-tenant, dedicated HSM that is controlled by you. The service is built on FIPS 140-2 Level 4-certified hardware, the highest offered by any cloud provider in the industry. To get started, you need to provision a Key Protect instance or a Hyper Protect Crypto Services instance on your IBM Cloud account.
Creating or adding a key in the key management service
- To add a key in Key Protect, go to your instance of Key Protect and generate or enter a key.
- To add a key in Hyper Protect Crypto Services, navigate to your instance of Hyper Protect Crypto Services (HPCS) and generate a key.
Regions offered
The tables that follow show which keys can be used in which region.
| watsonx.data Regions (IBM) | Key Protect Region Available | HPCS Region Available |
|---|---|---|
| Dallas (US-South) | US-South | US-South |
| Washington (US-East) | US-South | US-East |
| Frankfurt (EU-DE) | EU-DE | N/A |
| London (EU-GB) | EU-DE | N/A |
| Tokyo (JP-Tok) | JP-Tok | N/A |
| Sydney (AU-Syd) | AU-Syd | N/A |

| watsonx.data Regions (AWS) | Key Protect Region Available | HPCS Region Available |
|---|---|---|
| N. Virginia (US-East-1) | US-South | US-East |
| Oregon (US-West-2) | US-South | US-South |
| Frankfurt (EU-Central-1) | EU-DE | N/A |
| Tokyo (JP-Tok) | JP-Tok | N/A |
Granting service authorization
Authorize Key Protect for use with watsonx.data deployments:
- Open your IBM Cloud dashboard.
- From the menu bar, select Manage > Access (IAM).
- In the side navigation, select Authorizations. Click Create.
- In the Source service menu, select the service of the deployment. For example, watsonx.data.
- In the Source service instance menu, select All service instances.
- In the Target service menu, select Key Protect or Hyper Protect Crypto Services.
- In the Target service instance menu, select the service instance to authorize.
- Enable the Reader role. Click Authorize.
Using the key encryption key
After you grant watsonx.data deployments permission to use your keys, you supply the key name or CRN in Key Protect or Hyper Protect Crypto Services when you provision a deployment. The deployment uses your encryption key to encrypt your data.
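Before supplying a key CRN at provision time, it is worth checking that the key really is a Key Protect or HPCS key and that it sits in a region the table above allows for your watsonx.data region. The following is an added example (not IBM's code): it assumes the standard IBM Cloud CRN layout and the CRN service names `kms` (Key Protect) and `hs-crypto` (HPCS); the region table is taken from this page and the sample CRN is constructed.

```python
# Added example, not IBM's code: sanity-check a Key Protect / HPCS key CRN against
# this page's region table before supplying it at provision time. Assumes the
# documented IBM Cloud CRN layout crn:v1:cname:ctype:service:location:scope:
# instance:resource-type:resource; SAMPLE_CRN is constructed, not a real key.

# Region table from this page: watsonx.data region -> (Key Protect, HPCS); N/A -> None.
IBM_REGIONS = {
    "us-south": ("us-south", "us-south"), "us-east": ("us-south", "us-east"),
    "eu-de": ("eu-de", None), "eu-gb": ("eu-de", None),
    "jp-tok": ("jp-tok", None), "au-syd": ("au-syd", None),
}
AWS_REGIONS = {
    "us-east-1": ("us-south", "us-east"), "us-west-2": ("us-south", "us-south"),
    "eu-central-1": ("eu-de", None), "jp-tok": ("jp-tok", None),
}
KMS_SERVICES = {"kms": "Key Protect", "hs-crypto": "Hyper Protect Crypto Services"}  # CRN names
SAMPLE_CRN = ("crn:v1:bluemix:public:kms:us-south:a/0123456789abcdef0123456789abcdef:"
              "11111111-2222-3333-4444-555555555555:key:66666666-7777-8888-9999-000000000000")

def parse_key_crn(crn: str) -> dict:
    """Split a key CRN into its fields, rejecting anything that is not a KMS key."""
    parts = crn.split(":")
    if len(parts) != 10 or parts[0] != "crn" or parts[1] != "v1":
        raise ValueError("not a v1 CRN")
    service, location, instance, rtype, key_id = parts[4], parts[5], parts[7], parts[8], parts[9]
    if service not in KMS_SERVICES:
        raise ValueError(f"service {service!r} is neither kms nor hs-crypto")
    if rtype != "key" or not key_id:
        raise ValueError("CRN must name a key resource")
    return {"service": service, "location": location, "instance": instance, "key_id": key_id}

def check_key_for_region(crn: str, wxd_region: str, cloud: str = "ibm") -> str:
    # Returns the KMS product name when the key's region is allowed, else raises ValueError.
    table = IBM_REGIONS if cloud == "ibm" else AWS_REGIONS
    if wxd_region not in table:
        raise ValueError(f"watsonx.data is not offered in {wxd_region!r} on {cloud}")
    key = parse_key_crn(crn)
    kp_region, hpcs_region = table[wxd_region]
    required = kp_region if key["service"] == "kms" else hpcs_region
    if required is None:
        raise ValueError(f"{KMS_SERVICES[key['service']]} is not offered for {wxd_region}")
    if key["location"] != required:
        raise ValueError(f"key lives in {key['location']} but {wxd_region} needs {required}")
    return KMS_SERVICES[key["service"]]

def key_is_usable(crn: str, wxd_region: str, cloud: str = "ibm") -> bool:
    try:
        return bool(check_key_for_region(crn, wxd_region, cloud))
    except ValueError:
        return False
```

Note that the Washington (US-East) row pairs with a US-South Key Protect instance, so a key CRN whose location is `us-east` is rejected there unless it is an HPCS key.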