Integration with IBM Key Protect

On IBM Cloud®, with integration of the IBM Key Protect service, you can have direct control over the data in your database and backups. You can manage your own keys in the Key Protect service and you can use your key to control the encryption and decryption of the data in your IBM Db2® as a Service database.

Upon instance creation, your database instance is set to encrypt its data at rest by using the Advanced Encryption Standard (AES) in Cipher-Block Chaining (CBC) mode with a 256-bit data encryption key (DEK). This DEK is then encrypted by a master key that is stored in a PKCS#12 keystore. A password is required to open the keystore. With Key Protect integration, the password is encrypted by a Key Protect root key. You must create a root key in Key Protect and grant your specific Db2 SaaS instance (resource) Reader access to that root key. In the Db2 SaaS web console, you specify the Key Protect instance and the root key to be used. After the association is complete, the specified root key is then used by Db2 SaaS to encrypt and decrypt the keystore password. The root key never leaves Key Protect.

You can rotate the root key in Key Protect. The database instance periodically checks for any key rotation. When a key rotation is detected, a new keystore password and a new master key are correspondingly generated.

When you revoke the root key authorization of the Db2 SaaS service or delete the root key, your database instance can no longer be started after it is stopped because any attempt to access the keystore will fail. Certain operations within the database require access to the keystore and they will begin to fail as well. In addition, no database backups can be restored.

Prerequisites

Important: The compliance information provided in this document applies only to IBM Db2 as a Service provisioned on IBM Cloud. It does not apply to the Bring Your Own Cloud (BYOC) deployment model or other cloud platforms.

To integrate the Key Protect feature into the Db2 SaaS service, the Db2 SaaS service instance must be in a resource group. If your Db2 SaaS service instance is a Cloud Foundry service, see Migrating Cloud Foundry service instances and apps to a resource group for information about the migration.

Getting started

Complete the steps in the following sections to get started with using IBM Key Protect to control the encryption and decryption of the data in your Db2 SaaS database.

Creating an IBM Key Protect instance
Procedure

Key Protect is a cloud-based security service that provides lifecycle management for encryption keys that are used in IBM Cloud services or in your applications.

  1. Log in to IBM Cloud.
  2. In the IBM Cloud catalog, open the Key Protect service page and create an instance of the service.
    Figure 1. Key Protect service catalog page

  3. After creating the Key Protect service, the Manage page opens where you can create the keys.
    Figure 2. The Manage page of the Key Protect service

Creating an encryption key in Key Protect
Procedure

The Key Protect service supports two key types, root keys and standard keys, for the advanced encryption and management of data. For more information, see Key types.

You can create keys or import existing keys by using several methods. For the Db2 SaaS service, a root key is required. The following example shows how to create a root key by using the GUI:
  1. Click Add Key to create a key. In the Add a new key console, you can create a key or import an existing key. Select Create a key.
    Figure 3. Console used to create a key

  2. Select Root key as the key type and enter a name for the key. Click Create key.
  3. After the key is created, you can see it in the Key Protect service dashboard.
    Figure 4. Key Protect service dashboard

After creating the key in the Key Protect service instance, you can proceed to grant authorization and use that key in Db2 SaaS.

Granting service authorization

IBM Cloud Identity and Access Management (IAM) provides a feature that is called service-to-service authorization, where you can grant your Db2 SaaS service instance Reader access to your IBM Key Protect service instance.

Procedure
  1. To open the Access (IAM) overview page, click the Manage drop-down menu and select Access (IAM).
    Figure 5. Access (IAM) overview page opened from the Manage drop-down menu

  2. To open the Manage Authorizations page, select Authorizations from the Access (IAM) menu in the left pane.
    Figure 6. Manage Authorizations page

  3. To create an authorization, click Create.
  4. On the Grant a Service Authorization page, select Db2 SaaS as the source service. You can either select a specific instance, or you can authorize All instances in your account.
    Figure 7. Selecting a source service on the Grant a Service Authorization page

  5. Select Key Protect as the target service, and select the Key Protect instance that you want to authorize, or select All instances.
    Figure 8. Selecting a target service on the Grant a Service Authorization page

  6. The only service access role that can be assigned is Reader. Assign the Reader role. With the Reader role, the source service can only list the keys and use them to wrap or unwrap data that it provides.
    Figure 9. Assigning the Reader role on the Grant a Service Authorization page

Configuring a Db2 service instance to use a Key Protect root key
Procedure
  1. Log in to the Db2 SaaS web console and select SETTINGS > Manage Keys from the hamburger menu.
    Figure 10. Navigating to the MANAGE KEYS page

  2. Select the Key Protect instance and the key that you want to use. Click Migrate.
    Figure 11. Key migration

  3. Review the settings.
    Important: You will not be able to revert the change. Be certain your migration settings are correct for the selected key.
    To migrate the key from Key Protect to your Db2 SaaS service, click Continue.
    Figure 12. Confirming the key migration

  4. After the key migration request is received, it takes a few minutes to complete. You can check the status of the key migration on this page.
    Figure 13. Migration status is shown on MANAGE KEYS page

  5. After the key migration is complete, you now have control over the encryption and decryption of the data in your Db2 SaaS database.
    Figure 14. Key migration is completed

If you face any issues, contact IBM Cloud Customer Support.

Rotating the key in Key Protect

If you want to rotate the key in IBM Key Protect, you can do it either from the IBM Cloud console or by using the IBM Key Protect API: Invoke an action on a key.

Removing the authorization of Db2 SaaS service to access Key Protect

You can remove the authorization of a Db2 SaaS service to access the Key Protect service instance by using the IBM Cloud console. In such a case, your database instance can no longer be started after it is stopped because any attempt to access the keystore will fail. Certain operations within the database require access to the keystore and they will begin to fail as well. In addition, no database backups can be restored. Access to the database and its backups is regained after the service-to-service authorization is granted again.

Deleting the root key in Key Protect

You can delete the Key Protect root key by using the IBM Cloud console. In such a case, your database instance can no longer be started after it is stopped because any attempt to access the keystore will fail. Certain operations within the database require access to the keystore and they will begin to fail as well. In addition, no database backups can be restored. Deleting the root key permanently prevents the database and its backups from ever being used again (crypto erasure).