Overview
Encryption solutions to secure your data and your business
IBM Security® Guardium® Data Encryption consists of a unified suite of products built on a common infrastructure. These highly scalable modular solutions, which can be deployed individually or in combination, provide data encryption, tokenization, data masking and key management capabilities to help protect and control access to data across the hybrid multicloud environment. Address data security and privacy regulations such as GDPR, CCPA, PCI DSS and HIPAA by employing methods to de-identify data, such as tokenization and data masking, and managing the encryption key lifecycle with secure key generation and automated key rotation.
Keep the keys to the kingdom and boost your cloud security
Learn how to take ownership of your encryption keys to protect your data in the cloud.
Why Guardium
Customers realize value quickly with the full set of Guardium features
75% reduction in audit prep with automated compliance audit and reporting
60 billion security events per day in 130+ countries monitored by IBM for constant vigilance
1,000 hours of DBA time saved with automated processes
Benefits
Protect data across environments
Protect your data wherever it resides and help organizations secure their cloud migration.
Address compliance requirements
Address compliance with strong data encryption, robust user access policies, data access audit logging and key management capabilities.
Reduce administrative effort
Centralize encryption and encryption key configuration and policy management through an intuitive web-based interface.
Products
Which Security Guardium Data Encryption products fit your organization?
Guardium® for File and Database Encryption
Address compliance reporting while protecting structured databases, unstructured files and cloud storage services through encryption of data-at-rest with centralized key management, privileged user access control and detailed data access audit logging.

Guardium® for Cloud Key Management
Centralize key management for reduced complexity and operational costs with full lifecycle control of encryption keys, including automated key rotation and expiration management. Bring your own key (BYOK) customer key control allows for the separation, creation, ownership and revocation of encryption keys or tenant secrets used to create them.

Guardium® for Data Encryption Key Management
Centralize key management for Guardium solutions as well as third party devices, databases, cloud services and applications. Support for KMIP—an industry-standard protocol for encryption key exchange—makes it possible for keys to be managed with a common set of policies.

Guardium® for Batch Data Transformation
Enable large-quantity static data masking, which transforms selected data to unreadable forms in order to utilize data sets while preventing misuse of sensitive data. Mask data to share with third parties, before adding to a big data environment, to prepare for safe cloud migration, and more.

Guardium® for Application Encryption
Access DevSecOps-friendly software tools in a solution that is flexible enough to encrypt nearly any type of data passing through an application. Protecting data at the application layer can provide the highest level of security, as it takes place immediately upon data creation or first processing and can remain encrypted regardless of the state—during transfer, use, backup or copy.
Guardium® for Container Data Encryption
This extension to Guardium for File and Database Encryption delivers container-aware data protection and encryption capabilities for granular data access controls and data access logging in containerized environments.
Guardium® for Tokenization
Utilize application-level tokenization and dynamic display security to secure and anonymize sensitive assets whether they reside in the data center, big data environments or the cloud. Because it uses standard protocols and environment bindings, Guardium for Tokenization requires minimal software engineering and can be deployed as an appliance in your virtual format of choice.
Services
Homomorphic Encryption Services
Fully homomorphic encryption (FHE) allows you to compute on sensitive or regulated data while the data itself remains encrypted. With IBM Security® Homomorphic Encryption Services, you can confidently process and collaborate on encrypted data while preserving privacy.

IBM Security Guardium product family
See other Guardium products that also deliver greater data protection
Resources
What is data encryption?
Find out how data encryption works, why it’s critical, its key capabilities and more.
Encryption: Protect your most critical data
Learn how encryption can help safeguard your data against threats and address compliance.
Security Intelligence blog
Read the latest thought leadership on regulatory compliance, data protection, encryption and more.
A guide to FHE
Learn how fully homomorphic encryption enables computation and collaboration while preserving privacy.
Product documentation
Find answers quickly in IBM product documentation.
Guardium user community
Our user community has over 13,000 members. We work together to overcome the toughest challenges of cybersecurity.
Frequently asked questions
Get answers to common questions
Why is data encryption important?
Encryption helps protect private information and other sensitive data, whether the host is online or offline, and even in the event of a breach. As long as the encryption key is secured, the encrypted data remains protected against unauthorized users.
How do encryption keys work?
Encryption keys are used by the encryption algorithm to “lock” the data during an encoding process such that the data cannot be “unlocked” without access to the encryption key. Encryption keys are generally kept private. Proper key management is a key factor in keeping your data secure.
Why is encryption key management important?
The loss of any one key can mean that the data it protects will also be lost. It is important to track, manage and protect keys from accidental loss or compromise. Fortunately, Guardium Data Encryption (GDE) automates and manages the entire encryption key lifecycle.
What is tokenization?
Tokenization is a form of data protection that retains the same type and length of the original data (such as a credit card number) but replaces it with a bogus equivalent called a token. This approach can be used to retain the format of the original data without incurring the risk of exposure.
What is data masking?
Data masking is the general replacement of a character of data with another character of data. An example of masking would be converting 123-45-6789 into ***-**-6789.
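The difference between the two answers above, as an added illustration that is not IBM or Guardium code: a vault-based tokenizer keeps the type and length of the value and can be reversed by whoever controls the vault, while masking discards the replaced characters for good. `TokenVault` and `mask` are hypothetical names, and the in-memory dictionary stands in for a protected token store.

```python
import secrets
import string

DIGITS = string.digits


class TokenVault:
    """Constructed in-memory vault (assumption); a real one is a hardened store."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if not any(ch in DIGITS for ch in value):
            raise ValueError("nothing to tokenize: value contains no digits")
        if value in self._by_value:          # same input always maps to same token
            return self._by_value[value]
        while True:
            # Random digit for every digit; separators keep their position,
            # so the token has the same type and length as the original.
            token = "".join(
                secrets.choice(DIGITS) if ch in DIGITS else ch for ch in value
            )
            if token != value and token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Reversal requires vault access; the token alone reveals nothing.
        return self._by_token[token]


def mask(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Irreversibly replace all digits except the last keep_last."""
    total = sum(ch in DIGITS for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch in DIGITS:
            seen += 1
            out.append(ch if seen > total - keep_last else fill)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    vault = TokenVault()
    ssn = "123-45-6789"                      # sample value from the FAQ text
    print(vault.tokenize(ssn), mask(ssn))
```
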
What is cryptographic erasure?
The strength of encryption is based on the idea that encrypted data cannot be decrypted without the encryption key. This also means that if the key is intentionally destroyed, the encrypted data can never be decrypted and is effectively made useless. This process is called cryptographic erasure.
What is a hardware security module (HSM)?
An HSM is a computing device or cloud service that generates, secures and manages encryption keys, performs encryption/decryption and other cryptographic functions. It acts as a root of trust for organizations looking for the highest level of security for their encrypted data and encryption keys.