IBM Key Protect Now Available in U.S. East Region on IBM Public Cloud

5 min read

IBM Key Protect is now available in the U.S. East region

Having the ability to use encryption key management to protect applications and support data in a public cloud environment is a critical component of all enterprise security governance protocols. We’re excited to announce that we are adding to our U.S. geographical coverage. IBM’s key management service, IBM Key Protect, is now available in the U.S. East region based out of Washington D.C.

What is Key Protect?

IBM Key Protect is an encryption key management service (KMS) that offers a simple and economical key management solution for managing keys that are used to encrypt applications and data-at-rest in the IBM Cloud. Key Protect manages the entire life-cycle of keys from key creation through application use, key archival, and key destruction while also enforcing separation of duties between data management and key management.

Company policies, industry best practices, and government regulations increasingly require data-at-rest encryption with encryption key management to be included as fundamental components of overall data storage, data management, and data governance. By providing the mandatory control of user access requests to encryption keys, IBM Key Protect helps clients secure their sensitive data from unauthorized access or inadvertent employee release while meeting compliance auditing standards.


IBM Key Protect supports bring-your-own-key (BYOK) customer-managed encryption, which allows users to import into the IBM Cloud master root-of-trust encryption keys created within an internal, on-premise key management service to secure data stored in the cloud. Security professionals like BYOK because sensitive data is now protected by their own encryption keys. If there is a threat to the security of the data, all they do is delete the key and access to the data is eliminated. The data is what we call “cryptographically erased.” Other reasons customers may want to remove their keys is personnel turnover, employee mistakes, process malfunction, key expiration policy, CISO compliance requirements, or industry standards mandate. BYOK is like running your own private key infrastructure environment as a cloud application, except you don’t have to manage the infrastructure.

IBM Key Protect features

  • Allows any encryption-enabled IBM Cloud data-as-a-service offering or internal application to use REST APIs for integrating encryption capabilities with IBM Key Protect, thus eliminating the need to spend the time or effort building proprietary (and often insecure) solutions to protect encryption keys.

  • Provides the ability to delete keys without any residual copies remaining, thereby rendering any data encrypted under those keys cryptographically erased. Once the encryption keys are deleted, you can be assured your data is no longer retrievable, regardless of the application or cloud that stored it.

  • Maintains key vaulting security based upon FIPS 140-2 certified hardware security modules (HSM) located within secure IBM Cloud data centers.

  • Gives cloud system administrators the ability to easily manage their encryption keys while creating roll-based employee access via a simple IBM Cloud IAM resource controlled graphical user interface.

  • Communicates directly with the IBM Activity Tracker service, which provides encryption key api call logs access for security administrators to monitor for abnormal activity and to support industry auditing compliance standards.

  • Offers no-charge pricing for users requiring 20 or fewer keys.

Start using IBM Key Protect today!

Available in the IBM Public Cloud U.S. East Region catalog under the Platform – Security and Identity section. Look for IBM Key Protect icon.


Be the first to hear about news, product updates, and innovation from IBM Cloud