IBM Cloud Docs
Securing your data in watsonx.data

Learn how your data is encrypted in IBM® watsonx.data to ensure data security.

Security is built into every level of the watsonx.data architecture:

  1. Data in motion for the web console UI, API, Presto, Milvus, and Metadata Service is encrypted with TLS 1.3.
  2. Authentication and authorization for the web console UI, API, Presto, and Metadata Service are handled through IBM Cloud IAM.
  3. The NVMe SSDs on Presto Kubernetes worker nodes, which hold the local ephemeral RaptorX cache, are encrypted with AES-256.
  4. The Metadata Service backend database is encrypted with keys that are managed in Key Protect.
  5. The backend object storage buckets for internal metadata and the 10 GB limited trial bucket are encrypted with AES-256. Bring Your Own Key (BYOK) through Key Protect and Keep Your Own Key (KYOK) through Hyper Protect Crypto Services (HPCS) are supported; you select the key at provision time.

Integrating your data and keys

The backend object storage bucket for internal metadata and the 10 GB limited trial bucket in watsonx.data can be encrypted with your own encryption keys. If you need to control those keys, use IBM Key Protect or Hyper Protect Crypto Services to create, import, and manage them, then associate a key with your watsonx.data deployment to encrypt the buckets.

IBM Key Protect helps you provision encrypted keys for apps across IBM Cloud services. You manage the lifecycle of your keys, which are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) that protect them from information theft. Key Protect is a multi-tenant service in which IBM operates the HSMs, which is why this model is called Bring Your Own Key (BYOK).

Hyper Protect Crypto Services is a single-tenant, dedicated HSM that you control, including the HSM master key, which is why this model is called Keep Your Own Key (KYOK). The service is built on FIPS 140-2 Level 4-certified hardware, the highest level that the standard defines and the highest offered by any cloud provider in the industry. To get started, provision a Key Protect instance or a Hyper Protect Crypto Services instance in your IBM Cloud account.

Creating or adding a key in the key management service

  1. To add a key in Key Protect, go to your Key Protect instance and generate a root key or import one.
  2. To add a key in Hyper Protect Crypto Services (HPCS), go to your HPCS instance and generate a root key. An HPCS instance must be initialized with its master key before any root keys can be created in it.

Regions offered

The following tables show which Key Protect and Hyper Protect Crypto Services (HPCS) regions can serve each watsonx.data region. N/A means that HPCS is not available for that watsonx.data region.

Regions - IBM

watsonx.data region (IBM)   Key Protect region   HPCS region
Dallas (US-South)           US-South             US-South
Washington (US-East)        US-South             US-East
Frankfurt (EU-DE)           EU-DE                N/A
London (EU-GB)              EU-DE                N/A
Tokyo (JP-Tok)              JP-Tok               N/A
Sydney (AU-Syd)             AU-Syd               N/A

Regions - AWS

watsonx.data region (AWS)   Key Protect region   HPCS region
N. Virginia (US-East-1)     US-South             US-East
Oregon (US-West-2)          US-South             US-South
Frankfurt (EU-Central-1)    EU-DE                N/A
Tokyo (JP-Tok)              JP-Tok               N/A

Granting service authorization

Authorize Key Protect or Hyper Protect Crypto Services for use with watsonx.data deployments:

  1. Open your IBM Cloud dashboard.
  2. From the menu bar, select Manage > Access (IAM).
  3. In the side navigation, select Authorizations, then click Create.
  4. In the Source service menu, select the service of the deployment, for example, watsonx.data.
  5. In the Source service instance menu, select All service instances.
  6. In the Target service menu, select Key Protect or Hyper Protect Crypto Services.
  7. In the Target service instance menu, select the specific instance that holds your key.
  8. Enable the Reader role and click Authorize. Reader is all that the deployment needs to use your key, so do not grant a broader role.

Using the key encryption key

After you grant watsonx.data deployments permission to use your keys, supply the name or CRN of the key in Key Protect or Hyper Protect Crypto Services when you provision a deployment. The deployment uses that root key as the key encryption key that wraps the keys which encrypt your buckets. Deleting or disabling the root key, or removing the authorization, makes the encrypted data inaccessible, so manage the key's lifecycle with that in mind.
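The two checks a practitioner wants before provisioning, written out as an added example that is not IBM's code: validating that the key CRN you are about to supply names a key (not an instance) in a Key Protect or HPCS region that the region tables above allow for your watsonx.data region, and building the IAM authorization policy that the console steps above create, scoped to Reader on the one KMS instance that holds the key. It assumes the ten-segment IBM Cloud CRN layout, the IAM service names "kms" (Key Protect) and "hs-crypto" (HPCS), the IAM v1 authorization-policy JSON shape, and the watsonx.data service name "lakehouse", which you should confirm against your own instance CRN; the "aws-" region keys and the sample account id and GUIDs are constructed for the example.

```python
"""Pre-provisioning checks for a customer-managed key CRN (added example, not IBM's code).

Assumptions: CRN layout crn:v1:bluemix:public:SERVICE:REGION:a/ACCOUNT:INSTANCE:key:KEY_ID,
IAM service names "kms" (Key Protect) and "hs-crypto" (HPCS), the IAM v1 authorization
policy JSON shape, and the watsonx.data service name "lakehouse" (verify for your account).
"""
from __future__ import annotations

from dataclasses import dataclass

# Region compatibility transcribed from the tables on this page:
# watsonx.data region -> {IAM service name -> KMS regions that may serve it}.
# An empty set means that KMS is not offered for that watsonx.data region (N/A).
# AWS-hosted watsonx.data regions are keyed "aws-<region>"; that prefix is ours.
KMS_REGIONS: dict[str, dict[str, set[str]]] = {
    "us-south":         {"kms": {"us-south"}, "hs-crypto": {"us-south"}},
    "us-east":          {"kms": {"us-south"}, "hs-crypto": {"us-east"}},
    "eu-de":            {"kms": {"eu-de"},    "hs-crypto": set()},
    "eu-gb":            {"kms": {"eu-de"},    "hs-crypto": set()},
    "jp-tok":           {"kms": {"jp-tok"},   "hs-crypto": set()},
    "au-syd":           {"kms": {"au-syd"},   "hs-crypto": set()},
    "aws-us-east-1":    {"kms": {"us-south"}, "hs-crypto": {"us-east"}},
    "aws-us-west-2":    {"kms": {"us-south"}, "hs-crypto": {"us-south"}},
    "aws-eu-central-1": {"kms": {"eu-de"},    "hs-crypto": set()},
    "aws-jp-tok":       {"kms": {"jp-tok"},   "hs-crypto": set()},
}
READER_ROLE = "crn:v1:bluemix:public:iam::::serviceRole:Reader"


@dataclass(frozen=True)
class Crn:
    service: str        # IAM service name, e.g. "kms" or "hs-crypto"
    region: str         # location segment, e.g. "us-south"
    account: str        # account id taken from the "a/<account>" scope segment
    instance: str       # service instance GUID
    resource_type: str  # "key" for a key CRN; empty for an instance CRN
    resource: str       # key id; empty for an instance CRN


def parse_crn(crn: str) -> Crn:
    """Split a CRN into its ten colon-separated segments and keep the ones we check."""
    parts = crn.strip().split(":")
    if len(parts) != 10 or parts[0] != "crn" or parts[1] != "v1":
        raise ValueError(f"not a v1 CRN: {crn!r}")
    _, _, _cname, _ctype, service, region, scope, instance, rtype, resource = parts
    if not scope.startswith("a/") or len(scope) == 2:
        raise ValueError(f"expected an 'a/<account-id>' scope in {crn!r}")
    return Crn(service, region, scope[2:], instance, rtype, resource)


def key_crn_problem(crn: str, wxd_region: str) -> str | None:
    """Return None if crn names a key the region table allows for wxd_region, else a reason."""
    try:
        key = parse_crn(crn)
    except ValueError as err:
        return str(err)
    if key.service not in ("kms", "hs-crypto"):
        return f"service {key.service!r} is neither Key Protect (kms) nor HPCS (hs-crypto)"
    if key.resource_type != "key" or not key.resource:
        return "CRN names a service instance, not a key; supply the key CRN"
    table = KMS_REGIONS.get(wxd_region)
    if table is None:
        return f"unknown watsonx.data region {wxd_region!r}"
    allowed = table[key.service]
    if not allowed:
        return f"{key.service} is not available to watsonx.data in {wxd_region}"
    if key.region not in allowed:
        return (f"{key.service} key in {key.region} cannot serve {wxd_region}; "
                f"allowed KMS regions: {sorted(allowed)}")
    return None


def check_key_crn(crn: str, wxd_region: str) -> Crn:
    """Same check, but raise ValueError with the reason instead of returning it."""
    problem = key_crn_problem(crn, wxd_region)
    if problem is not None:
        raise ValueError(problem)
    return parse_crn(crn)


def authorization_policy(key: Crn, source_service: str = "lakehouse") -> dict:
    """IAM v1 authorization policy matching the console steps: subject is the watsonx.data
    service in this account (all instances, step 5), target is the single KMS instance that
    holds the key (step 7), and the only role is Reader (step 8)."""
    return {
        "type": "authorization",
        "subjects": [{"attributes": [
            {"name": "accountId", "value": key.account},
            {"name": "serviceName", "value": source_service},
        ]}],
        "roles": [{"role_id": READER_ROLE}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": key.account},
            {"name": "serviceName", "value": key.service},
            {"name": "serviceInstance", "value": key.instance},
        ]}],
    }


# Constructed sample CRNs; the account id and GUIDs are made up.
ACCOUNT = "0123456789abcdef0123456789abcdef"
KP_KEY_US_SOUTH = (f"crn:v1:bluemix:public:kms:us-south:a/{ACCOUNT}:"
                   "1b2c3d4e-0000-4000-8000-000000000001:key:9a8b7c6d-0000-4000-8000-000000000002")
HPCS_KEY_US_EAST = (f"crn:v1:bluemix:public:hs-crypto:us-east:a/{ACCOUNT}:"
                    "1b2c3d4e-0000-4000-8000-000000000003:key:9a8b7c6d-0000-4000-8000-000000000004")
KP_INSTANCE_US_SOUTH = f"crn:v1:bluemix:public:kms:us-south:a/{ACCOUNT}:1b2c3d4e-0000-4000-8000-000000000001::"

if __name__ == "__main__":
    for crn, region in [(KP_KEY_US_SOUTH, "us-east"), (HPCS_KEY_US_EAST, "eu-de"),
                        (KP_INSTANCE_US_SOUTH, "us-south")]:
        print(region, "->", key_crn_problem(crn, region) or "ok")
    print(authorization_policy(check_key_crn(HPCS_KEY_US_EAST, "us-east")))
```

Note that the policy's subject is the service name, not an instance, so it matches every watsonx.data instance in the account, which is exactly what selecting All service instances in step 5 does; the target side is the one thing you can narrow, and the example narrows it to the instance that holds the key.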