Access a secure, application-friendly, and cloud-based key management solution.
IBM Db2 on Cloud now offers integration with IBM Key Protect—accessible through the Db2 on Cloud console—so you can upload, change, and manage private encryption keys in one place. Key Protect is a cloud-based security service that provides lifecycle management for encryption keys that are used in IBM Cloud or customer-built applications. Key Protect provides roots of trust (RoT) backed by a hardware security module (HSM).
How it works
With the Key Protect service, Db2 on Cloud gives your business control over its keys. Db2 on Cloud uses a key held in Key Protect to encrypt the password that opens the local key store, and it is that encrypted password, not the password itself, that is kept in the stash file. Whenever the key store needs to be opened, the encrypted password in the stash file is decrypted by making REST calls to the Key Protect API.
Control encrypted data in the cloud
Import your own root of trust encryption keys (CRKs) into Key Protect using the Key Protect API to wrap and unwrap the keys associated with your data resources.
Cloud-based HSM protection
Your keys are wrapped in other encrypted keys protected by a cloud-based HSM. The HSMs are certified at FIPS 140-2 Level 2. All programmatic interfaces are secured by TLS and mutual authentication. Deleted keys, and any data encrypted under those deleted keys, can never be recovered.
Key Protect’s APIs generate, store, retrieve, and manage keys independent of your application’s logic. This enables you to create applications that encrypt data in custom databases or use encrypted block storage in an application-specific format.
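To make the "How it works" scheme and the key-deletion property concrete, the following is an added example in Go; it is not IBM's code and it does not call the real Key Protect API. An in-process stub stands in for the Key Protect wrap and unwrap calls (the real service performs these over REST against HSM-backed root keys that never leave the service), and a stash record holds only the wrapped keystore password. The root key id, the password value and the AES-256-GCM wrapping are constructed assumptions that illustrate the envelope pattern, not Db2's actual stash format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyProtectStub is a constructed, in-process stand-in for the Key Protect
// wrap/unwrap service. It is NOT the real API: real root keys stay inside the
// HSM and wrap/unwrap are REST calls made over TLS.
type keyProtectStub struct {
	rootKeys map[string][]byte // CRK id -> 256-bit AES root key
}

func newKeyProtectStub() *keyProtectStub {
	return &keyProtectStub{rootKeys: map[string][]byte{}}
}

// CreateRootKey generates a new customer root key under the given id.
func (kp *keyProtectStub) CreateRootKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	kp.rootKeys[id] = k
	return nil
}

// DeleteRootKey models key deletion: anything wrapped under it is now unrecoverable.
func (kp *keyProtectStub) DeleteRootKey(id string) { delete(kp.rootKeys, id) }

func (kp *keyProtectStub) aead(id string) (cipher.AEAD, error) {
	k, ok := kp.rootKeys[id]
	if !ok {
		return nil, errors.New("root key not found or deleted: " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts plaintext under the root key (AES-256-GCM, random nonce,
// key id bound as associated data). Output layout: nonce || ciphertext || tag.
func (kp *keyProtectStub) Wrap(id string, plaintext []byte) ([]byte, error) {
	gcm, err := kp.aead(id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Unwrap reverses Wrap; it fails if the root key is gone or the blob was altered.
func (kp *keyProtectStub) Unwrap(id string, wrapped []byte) ([]byte, error) {
	gcm, err := kp.aead(id)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm.Open(nil, wrapped[:n], wrapped[n:], []byte(id))
}

// stash models the local stash file: it names the root key and holds only the
// wrapped keystore password, never the password itself.
type stash struct {
	RootKeyID       string
	WrappedPassword []byte
}

// createStash wraps the local keystore password and builds the stash record.
func createStash(kp *keyProtectStub, rootKeyID, password string) (stash, error) {
	w, err := kp.Wrap(rootKeyID, []byte(password))
	if err != nil {
		return stash{}, err
	}
	return stash{RootKeyID: rootKeyID, WrappedPassword: w}, nil
}

// openKeystore recovers the password by unwrapping the stash contents through
// the (stub) Key Protect call, which is what happens whenever the keystore opens.
func openKeystore(kp *keyProtectStub, s stash) (string, error) {
	p, err := kp.Unwrap(s.RootKeyID, s.WrappedPassword)
	if err != nil {
		return "", err
	}
	return string(p), nil
}

// stashLeaksPassword reports whether the password appears verbatim in the stash.
func stashLeaksPassword(s stash, password string) bool {
	return bytes.Contains(s.WrappedPassword, []byte(password))
}

func main() {
	kp := newKeyProtectStub()
	_ = kp.CreateRootKey("crk-example") // constructed key id
	s, _ := createStash(kp, "crk-example", "keystore-password-constructed")
	pw, err := openKeystore(kp, s)
	fmt.Println("opened keystore with password:", pw, err)
	kp.DeleteRootKey("crk-example")
	_, err = openKeystore(kp, s)
	fmt.Println("after root key deletion:", err)
}
```

Three properties worth checking fall out of the pattern: the stash never contains the plaintext password, any alteration of the wrapped blob is rejected by the GCM tag rather than yielding a wrong password, and once the root key is deleted the stash is permanently unopenable. That last point is the mechanism behind the statement that data under deleted keys is never recovered, so in practice the root key's deletion and the service authorization that lets Db2 call Key Protect deserve the same change control as the database itself.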
It’s as easy as 1-2-3:
1. Create or import a key in the Key Protect service on IBM Cloud.
2. Grant a service authorization for the Db2 service instance to access the Key Protect service instance.
3. On the Db2 console, select the key to be used and gain complete control.
Complete self-service options: manage your keys in the IBM Cloud UI or through the Key Protect API, grant or revoke the service authorization in the IBM Cloud UI, and select or change the key on the Db2 console.
Key rotation per your security schedule.
Full access to the Key Protect service after migrating your instance to resource groups.