IBM Cloud Object Storage, a public cloud multi-tenant storage service, is pleased to announce Keep Your Own Key (KYOK) support by integration with IBM Cloud Hyper Protect Crypto Services.
IBM Cloud Hyper Protect Crypto Services is a key management service with key vaulting provided by dedicated, customer-controlled cloud hardware security modules (HSMs) that are built on FIPS 140-2 Level 4-certified hardware, the highest level offered by any cloud provider in the industry. With this integration, you get more granular control and authority over the root keys used to apply envelope encryption to data encryption keys (DEKs).
IBM Cloud users can now choose between IBM Public Cloud Object Storage integrations with the following IBM Cloud key management services:
- Bring Your Own Key (BYOK) with IBM Key Protect for IBM Cloud, a multi-tenant key management service secured by FIPS 140-2 Level 3-certified cloud-based HSMs
- Keep Your Own Key (KYOK) with IBM Cloud Hyper Protect Crypto Services, a dedicated key management and HSM service that is controlled by you and built on FIPS 140-2 Level 4-certified hardware
IBM Key Protect and Hyper Protect Crypto Services use a common Key Provider API, providing a consistent approach for managing keys. Depending on your use case and security requirements, you can decide which key management service is best suited to your organization’s needs.
Integration with Hyper Protect Crypto Services is available today in the following regional IBM Public Cloud Object Storage locations:
- US South
- AP Australia
- EU Germany
In the following section, we focus on using IBM Cloud Object Storage’s integration with Hyper Protect Crypto Services.
Setting up Cloud Object Storage buckets to use Hyper Protect Crypto Services
Before you can use the integration, you will need to provision and initialize your Hyper Protect Crypto Services instance(s). It is also recommended that you review the getting started tutorial on Hyper Protect Crypto Services to learn more and explore the service.
Integration with Hyper Protect Crypto Services is at the object storage bucket level, and you can select from a list of supported global regions on the bucket configuration screen.
The option to add Hyper Protect Crypto Services is available at the bucket configuration screen (Figure 1):
During Cloud Object Storage bucket creation, you can add a Hyper Protect Crypto Services key to your buckets (Figure 2):
After the initial selections are made, you can check which key management service is associated with your bucket by looking at the bucket configuration screen (Figure 3):
For a more detailed step-by-step guide on setting up your Cloud Object Storage buckets to use Hyper Protect Crypto Services, you can review our managing encryption documentation page.
For information on the IBM Public Cloud Object Storage offering and details about its features, please visit our product page.
For more information on object storage technology, see "What is Object Storage?"