IBM Key Protect is Now Available for IBM Cloud Kubernetes Service

5 min read

IBM Key Protect is now available for IBM Cloud Kubernetes Service

Having the ability to use encryption key management to protect applications and support data in a public cloud environment is a critical component of all enterprise security governance protocols. IBM’s key management service, IBM Key Protect, is now supported for use by IBM Cloud Kubernetes Service.

What is IBM Cloud Kubernetes Service?

IBM Cloud Kubernetes Service is a managed Kubernetes offering to deliver powerful management tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications—all while leveraging IBM Cloud services like cognitive capabilities from Watson. IBM Cloud Kubernetes Service provides native Kubernetes capabilities like intelligent scheduling, self-healing, horizontal scaling, service discovery & load balancing, automated rollouts and rollbacks, and secret and configuration management. IBM is also adding capabilities to the Kubernetes Service, including simplified cluster management, container security and isolation choices, the ability to design your own cluster, completely native Kubernetes CLI and API, and integrated operational tools or support to bring your own tools to ensure operational consistency with other deployments.

What is Key Protect?

IBM Key Protect is an encryption key management service (KMS) that offers a simple and economical key management solution for managing keys that are used to encrypt applications and data-at-rest in the IBM Cloud. Key Protect manages the entire life-cycle of keys, from key creation through application use, key archival, and key destruction, while also enforcing separation of duties between data management and key management.

Company policies, industry best practices, and government regulations increasingly require data-at-rest encryption with encryption key management to be included as fundamental components of overall data storage, data management, and data governance. By providing the mandatory control of user access requests to encryption keys, IBM Key Protect helps clients secure their sensitive data from unauthorized access or inadvertent employee release while meeting compliance auditing standards. You can learn more about Key Protect here.


IBM Key Protect supports bring-your-own-key (BYOK) customer-managed encryption, which allows users to import master root-of-trust encryption keys created within an internal, on-premise key management service to secure data stored in the cloud. Security professionals like BYOK because sensitive data is now protected by their own encryption keys. If there is a threat to the security of the data, all they do is delete the key and access to the data is eliminated. The data is what we call “cryptographically erased.” Other reasons customers may want to remove their keys is personnel turnover, employee mistakes, process malfunction, key expiration policy, CISO compliance requirements, or industry standards mandate. BYOK is like running your own private key infrastructure environment as a cloud application, except you don’t have to manage the infrastructure.

Use cases

What do you do if your keys are compromised?

IBM Cloud Kubernetes Service support for Key Protect ensures that you can revoke your keys or rotate those keys as needed, ensuring tight access controls to your environments.

Concerned about the default encryption for Kubernetes secrets?

By default, the Kubernetes master (API server) stores secrets as base64 encoded plain text in etcd.  Using Key Protect ensures your keys are secured by FIPS 140-2 Level 2 certified cloud-based hardware security modules (HSMs) that protect against the theft of information.

Using Key Protect with the Kubernetes Service

After creating the key, you can apply that to your cluster in the UI or using the CLI. Full documentation for the integration is here. Once the cluster is deployed, you can enable Key Protect for the Kubernetes secrets.

Using Key Protect with the Kubernetes Service

Where are my worker node LUKS encryption keys stored?

By default, your Kubernetes cluster’s worker nodes have a second partition for the container file system and is unlocked by using LUKS encryptions keys. Now those keys are secured in IBM Key Protect. Learn more about encrypted disks.

Contact us

If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.

You can register here ( and join the discussion at

Be the first to hear about news, product updates, and innovation from IBM Cloud