What is IBM Key Protect?

IBM Key Protect helps secure your sensitive data from unauthorized access or inadvertent employee release while meeting compliance auditing standards. It provides mandatory control of user access requests to encryption keys and manages the entire lifecycle of keys from creation through application use, key archival, and key destruction. Offered as a Platform as a Service on the IBM Cloud™, Key Protect provisions and stores cryptographic keys using FIPS 140-2 (Federal Information Processing Standard) Level 3 certified hardware security module (HSM) devices located within secure IBM data centers.


Self-managed encryption

Take control

Take control of the security of your encrypted data in the cloud. With the Key Protect API, you can use a customer root key to encrypt and decrypt the keys that protect your data resources.


Generate, store and manage your keys with a secure, application-friendly, cloud-based key-management solution for encryption keys.


Keys are wrapped by keys that are, in turn, protected by a cloud-based HSM. When keys are deleted, they can never be recovered, and any data that is encrypted under those keys can't be recovered either.


Whether you're a developer who requires only a few keys or a large enterprise that needs millions, Key Protect can scale to meet your needs.

Application independent

Key Protect standard programmatic APIs generate, store, retrieve and manage your keys, independent of your application's logic.

Follow our step-by-step tutorial to set up and use IBM Key Protect.