Key management services
Use key management services to retrieve and store your encryption keys.
The built-in key manager service
A key management service is included with Cloud Pak System. This built-in key manager service runs in the Storehouse process.
The following REST API command retrieves an existing encryption key for the deployment ID. You can also use this command to generate a new key.
GET <KernelService_IP:PORT>/security/resources/encryptionkey/<deploymentID>?type=AES256&keymgr=default
Note: AES256 is the only supported encryption specification for the built-in key manager service.
External key manager services
You can write a key manager adapter for an external key manager and register it with Cloud Pak System, for use on the system. You or your key manager application provider must write the adapter.
The following REST API command retrieves an existing encryption key for the deployment ID. You can also use this command to generate a new key.
GET <KernelService_IP:PORT>/security/resources/encryptionkey/<deploymentID>?type=AES256&keymgr=<registered key manager name>
Note: The value of the type parameter can be any key type that is supported by the external key manager service.
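
The following Python sketch is an added example, not part of the product documentation. It builds the GET URL for either key manager, enforces the AES256-only rule for the built-in service, and percent-encodes the deployment ID and key manager name so that neither value can alter the path or add query parameters. The function name, the https scheme, and the sample address and IDs are assumptions.

```python
from urllib.parse import quote, urlencode

BUILTIN_KEYMGR = "default"   # keymgr value for the built-in service (from the page)
BUILTIN_TYPES = {"AES256"}   # only type the built-in service supports (from the page)


def build_key_url(kernel_service, deployment_id, keymgr=BUILTIN_KEYMGR, key_type="AES256"):
    """Return the GET URL for the encryption key of one deployment.

    kernel_service is "<KernelService_IP:PORT>". The https scheme is an
    assumption; the page does not state the scheme.
    """
    for name, value in (("deployment_id", deployment_id),
                        ("keymgr", keymgr), ("key_type", key_type)):
        if not value or value != value.strip():
            raise ValueError(f"{name} must be non-empty with no surrounding whitespace")
    # The deployment ID is a single path segment: refuse anything that could
    # point the request at a different resource.
    if "/" in deployment_id or deployment_id in (".", ".."):
        raise ValueError("deployment_id must be a single path segment")
    # The built-in key manager accepts AES256 only. External adapters define
    # their own supported types, so those values are passed through.
    if keymgr == BUILTIN_KEYMGR and key_type not in BUILTIN_TYPES:
        raise ValueError("built-in key manager supports type=AES256 only")
    path = "/security/resources/encryptionkey/" + quote(deployment_id, safe="")
    query = urlencode({"type": key_type, "keymgr": keymgr})
    return f"https://{kernel_service}{path}?{query}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    print(build_key_url("10.0.0.5:9443", "d-1234"))
    print(build_key_url("10.0.0.5:9443", "d-1234", keymgr="my-adapter"))
```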