Home Security Guardium Data Encryption IBM Security Guardium Data Encryption
Encrypt your files, databases and applications, address data security and privacy regulations, and control encryption keys for cloud-based data
Book a free live demo
Illustration showing documents being encrypted

IBM Security® Guardium® Data Encryption is a family of data encryption and key management software. The modular components are centrally managed through CipherTrust Manager (formerly known as Data Security Manager or DSM), which manages policies, configurations and encryption keys.

Encryption solutions to secure your data and your business

IBM Security Guardium Data Encryption consists of a unified suite of products built on a common infrastructure. These highly scalable modular solutions, which can be deployed individually or in combination, provide data encryption, tokenization, data masking and key management capabilities to help protect and control access to data across the hybrid multicloud environment. You can address data security and privacy regulations such as GDPR, CCPA, PCI DSS and HIPAA by employing methods to de-identify data, such as tokenization and data masking, and managing the encryption key lifecycle with secure key generation and automated key rotation.

Read the data sheet
Manage encryption key lifecycles

Guardium can also handle encryption key creation, storage, backup and management.

Special report

Check out the X-Force Threat Intelligence Index 2024 for deeper insight into attackers’ tactics and recommendations to safeguard identities

Live demo with an expert

Request a live demo with an expert for any product in the Guardium portfolio

Why Guardium Clients realize value quickly with the full set of Guardium features 9 of 9

9 of 9 categories show IBM Security Guardium as a "strong positive", making it an Overall Leader.

See why KuppingerCole ranks Guardium as a leader

58% of organizations say they have around 21% to 50% of cloud-resident sensitive data that's insufficiently secured.

Learn how to avoid 5 common data security pitfalls
Benefits Protect data across environments

Protect your data wherever it resides and help organizations secure their cloud migration.

Three ways IBM can help handle ransomware attacks
Address compliance requirements

Address compliance with strong data encryption, robust user access policies, data access audit logging and key management capabilities.

Protect you most critical data
Reduce administrative effort

Centralize encryption and encryption key configuration and policy management through an intuitive web-based interface.

Centralize control of your data
Which Security Guardium Data Encryption products fit your organization?
Guardium® for File and Database Encryption Address compliance reporting while protecting structured databases, unstructured files and cloud storage services through encryption of data-at-rest with centralized key management, privileged user access control and detailed data access audit logging.
Guardium® for Cloud Key Management Centralize key management for reduced complexity and operational costs with full lifecycle control of encryption keys, including automated key rotation and expiration management. Bring your own key (BYOK) customer key control allows for the separation, creation, ownership and revocation of encryption keys or tenant secrets used to create them.
Guardium® for Data Encryption Key Management Centralize key management for Guardium solutions as well as third party devices, databases, cloud services and applications. Support for KMIP—an industry-standard protocol for encryption key exchange—makes it possible for keys to be managed with a common set of policies.
Guardium® for Batch Data Transformation Enable large-quantity static data masking, which transforms selected data to unreadable forms in order to utilize data sets while preventing misuse of sensitive data. Mask data to share with third parties, before adding to a big data environment, to prepare for safe cloud migration, and more.

Guardium® for Application Encryption

Access DevSecOps-friendly software tools in a solution that is flexible enough to encrypt nearly any type of data passing through an application. Protecting data at the application layer can provide the highest level of security, as it takes place immediately upon data creation or first processing and can remain encrypted regardless of the state—during transfer, use, backup or copy.

Guardium® for Container Data Encryption

This extension to Guardium for File and Database Encryption delivers container-aware data protection and encryption capabilities for granular data access controls and data access logging in containerized environments.

Guardium® for Tokenization

Utilize application-level tokenization and dynamic display security to secure and anonymize sensitive assets whether they reside in the data center, big data environments or the cloud. Because it uses standard protocols and environment bindings, Guardium for Tokenization requires minimal software engineering and can be deployed as an appliance in your virtual format of choice.

Features Encryption for files, databases and applications

Guardium Data Encryption offers capabilities for protecting and controlling access to files, databases and applications across your organization, in the cloud and on premises, for containerized environments, and for cloud storage services.

Management of user access policies

Guardium Data Encryption allows for granular user access control. Specific policies can be applied to users and groups with controls that include access by process, file type and time of day, among other parameters.

Tokenization and data masking to protect data in use

Format-preserving tokenization obscures sensitive data while dynamic data masking obscures specific parts of a data field. Tokenization methods and data masking policies are controlled through a centralized graphical user interface.

Cloud encryption key orchestration

Clients can manage data encryption keys for their cloud environments from one browser window. Guardium Data Encryption supports bring your own key (BYOK) lifecycle management that allows for the separation, creation, ownership, control and revocation of encryption keys or tenant secrets.

Support for regulatory compliance efforts

Regulations such as HIPAA, PCI DSS, CCPA and GDPR require strong data encryption, robust user access policies and key lifecycle management capabilities. Detailed data access audit logging is available to help organizations with compliance reporting.

Data encryption key centralization through KMIP

CipherTrust Manager centralizes the storage, rotation and lifecycle management of all your encryption keys for KMIP-compatible data repositories. KMIP is an industry-standard protocol for encryption key exchange between clients (appliances and applications) and a server (key store).

Get started with IBM Security Guardium Data Encryption
Resources Encryption: Protect your most critical data

Learn how encryption can help safeguard your data against threats and address compliance.

A guide to FHE

Learn how fully homomorphic encryption enables computation and collaboration while preserving privacy.

Product documentation

Find answers quickly in IBM product documentation.

Related products IBM Security® Guardium® Insights

Get centralized visibility, monitoring, compliance, advanced analytics and data source flexibility. Simplify data security and analytics.

IBM Security® Guardium® Insights SaaS DSPM

Looking to identify shadow data and its movement across applications? Read about the Data Security Posture Management (DSPM) capabilities in Guardium Insights.

IBM Security® Guardium® Data Protection

Monitor data activity and accelerate compliance reporting for data stored anywhere. Discover and classify data and data sources, monitor user activity, and respond to threats in near real time.

IBM Security® Discover and Classify

Enable zero-trust based discovery and classification of sensitive and regulated data, wherever it resides, structured or unstructured, at rest or in motion.

IBM Security® Guardium® Vulnerability Assessment

Scan your data to detect vulnerabilities. Identify threats and security gaps.

IBM Security® Key Lifecycle Manager

Deliver secured key management with reduced costs and greater operational efficiency. Centralize, simplify and automate encryption key management.

Learn more about the Guardium family of products

Frequently asked questions

What is encryption?

Encryption is the process that scrambles readable text so it can only be read by a person who has access to the encryption key.

Why is data encryption important?

Encryption helps protect private information and other sensitive data, whether the host is online or offline, and even in the event of a breach. As long as the encryption key is secured, the encrypted data remains protected against unauthorized users.

How do encryption keys work?

Encryption keys are used by the encryption algorithm to “lock” the data during an encoding process such that the data cannot be “unlocked” without access to the encryption key. Encryption keys are generally kept private. Proper key management is a key factor in keeping your data secure.

Why is encryption key management important?

The loss of any one key can mean that the data it protects will also be lost. It is important to track, manage and protect keys from accidental loss or compromise. Fortunately, Guardium Data Encryption automates and manages the entire encryption key lifecycle.

What is tokenization?

Tokenization is a form of data protection that retains the same type and length of the original data (such as a credit card number) but replaces it with a bogus equivalent called a token. This approach can be used to retain the format of the original data without incurring the risk of exposure.

What is data masking?

Data masking is the general replacement of a character of data with another character of data. An example of masking would be converting 123-45-6789 into ***-**-6789.

What is cryptographic erasure?

The strength of encryption is based on the idea that encrypted data cannot be decrypted without the encryption key. This also means that if the key is intentionally destroyed, the encrypted data can never be decrypted and is effectively made useless. This process is called cryptographic erasure.

What is a hardware security module (HSM)?

An HSM is a computing device or cloud service that generates, secures and manages encryption keys, performs encryption/decryption and other cryptographic functions. It acts as a root of trust for organizations looking for the highest level of security for their encrypted data and encryption keys.

Take the next step

Get started by reading the data sheet to learn more about Guardium Data Encryption or review your options with a Guardium expert in a free, 30-minute call.

Read the data sheet
More ways to explore Documentation Training Thought leadership Community