Keep Your Own Key (KYOK)

Important: This content is a technical preview, and should not be relied on in a production environment.

With KYOK, you can use IBM Multicloud Manager Key Protect service to manage client root keys (CRKs) and to use a Hardware Security Module (HSM) for encryption.

The CRKs can be used to encrypt data encryption keys (DEKs) that are used to encrypt data in services that run on IBM® Cloud. Authentication and authorization to access the IBM Multicloud Manager Key Protect service is done by using service tokens that are created in IBM® Cloud. The service tokens are transformed into IBM Multicloud Manager service tokens by using a policy-driven IBM Multicloud Manager Secure Token Service (STS).

You must set up secure network connectivity with the required security controls to allow communication between IBM® Cloud services and the IBM Multicloud Manager Key Protect service.

IBM® Cloud Private Key Protect service works in a single cluster. With IBM Multicloud Manager, you can use the IBM Cloud Private Key Protect service in a multizone environment and use the STS to support the KYOK scenario.