IBM Key Protect is Now Available for IBM Cloud Kubernetes Service

Share this post:

IBM Key Protect is now available for IBM Cloud Kubernetes Service

Having the ability to use encryption key management to protect applications and support data in a public cloud environment is a critical component of all enterprise security governance protocols. IBM’s key management service, IBM Key Protect, is now supported for use by IBM Cloud Kubernetes Service.

What is IBM Cloud Kubernetes Service?

IBM Cloud Kubernetes Service is a managed Kubernetes offering to deliver powerful management tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications—all while leveraging IBM Cloud services like cognitive capabilities from Watson. IBM Cloud Kubernetes Service provides native Kubernetes capabilities like intelligent scheduling, self-healing, horizontal scaling, service discovery & load balancing, automated rollouts and rollbacks, and secret and configuration management. IBM is also adding capabilities to the Kubernetes Service, including simplified cluster management, container security and isolation choices, the ability to design your own cluster, completely native Kubernetes CLI and API, and integrated operational tools or support to bring your own tools to ensure operational consistency with other deployments.

What is Key Protect?

IBM Key Protect is an encryption key management service (KMS) that offers a simple and economical key management solution for managing keys that are used to encrypt applications and data-at-rest in the IBM Cloud. Key Protect manages the entire life-cycle of keys, from key creation through application use, key archival, and key destruction, while also enforcing separation of duties between data management and key management.

Company policies, industry best practices, and government regulations increasingly require data-at-rest encryption with encryption key management to be included as fundamental components of overall data storage, data management, and data governance. By providing the mandatory control of user access requests to encryption keys, IBM Key Protect helps clients secure their sensitive data from unauthorized access or inadvertent employee release while meeting compliance auditing standards. You can learn more about Key Protect here.


IBM Key Protect supports bring-your-own-key (BYOK) customer-managed encryption, which allows users to import master root-of-trust encryption keys created within an internal, on-premise key management service to secure data stored in the cloud. Security professionals like BYOK because sensitive data is now protected by their own encryption keys. If there is a threat to the security of the data, all they do is delete the key and access to the data is eliminated. The data is what we call “cryptographically erased.” Other reasons customers may want to remove their keys is personnel turnover, employee mistakes, process malfunction, key expiration policy, CISO compliance requirements, or industry standards mandate. BYOK is like running your own private key infrastructure environment as a cloud application, except you don’t have to manage the infrastructure.

Use cases

What do you do if your keys are compromised?

IBM Cloud Kubernetes Service support for Key Protect ensures that you can revoke your keys or rotate those keys as needed, ensuring tight access controls to your environments.

Concerned about the default encryption for Kubernetes secrets?

By default, the Kubernetes master (API server) stores secrets as base64 encoded plain text in etcd.  Using Key Protect ensures your keys are secured by FIPS 140-2 Level 2 certified cloud-based hardware security modules (HSMs) that protect against the theft of information.

Using Key Protect with the Kubernetes Service

After creating the key, you can apply that to your cluster in the UI or using the CLI. Full documentation for the integration is here. Once the cluster is deployed, you can enable Key Protect for the Kubernetes secrets.

Where are my worker node LUKS encryption keys stored?

By default, your Kubernetes cluster’s worker nodes have a second partition for the container file system and is unlocked by using LUKS encryptions keys. Now those keys are secured in IBM Key Protect. Learn more about encrypted disks.

Contact us

If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.

You can register here ( and join the discussion at

Program Director, Offering Management, IBM Kubernetes Service & IBM Container Registry

More Security stories
October 22, 2018

Use Your Own Provider for Mail Sent with IBM Cloud App ID

With IBM Cloud App ID’s Cloud Directory feature, you can add sign-up and sign-in to your mobile or web apps and create a user registry to manage users. Cloud Directory supports sending email messages to your users to verify their email address, allows them to reset their password, and more.

Continue reading

September 11, 2018

IBM Key Protect Now Available in U.S. East Region on IBM Public Cloud

We're excited to announce that we are adding to our U.S. geographical coverage, and IBM’s key management service, IBM Key Protect, is now available in the U.S. East region based out of Washington D.C.

Continue reading

September 7, 2018

Use App ID to Authenticate Your Users in Your Lite IBM Cloud App

Were excited to announce that IBM Cloud App ID just launched a new Lite plan as part of the IBM Cloud Lite account. As part of the Lite plan, you will be able to try out all of App ID's capabilities.

Continue reading