
Integrating IBM Cloud services with Hyper Protect Crypto Services with Data and Storage

IBM Cloud Hyper Protect Crypto Services integrates with data and storage solutions to help you bring and manage your own encryption in the cloud.

After you create an instance of the service and initialize the service instance, you can integrate Hyper Protect Crypto Services with the following supported services.


Integrating with storage services

Add envelope encryption to your storage by using Hyper Protect Crypto Services. Use root keys that you manage in Hyper Protect Crypto Services to protect the data encryption keys that encrypt your data at rest.

Service | Integration instructions
IBM Cloud Object Storage | For detailed steps of how to integrate IBM Cloud Object Storage, check out the following references:
IBM Cloud Block Storage for Virtual Private Cloud (Gen 1 compute) | For detailed steps of how to integrate Block Storage for VPC (Gen 1 compute), check out Creating block storage volumes with customer-managed encryption.
IBM Cloud Block Storage for Virtual Private Cloud (Gen 2 compute) | For detailed steps of how to integrate Block Storage for VPC (Gen 2 compute), check out Creating block storage volumes with customer-managed encryption.


Integrating with database services

Associate the encryption keys that you manage in Hyper Protect Crypto Services with your database service instances and leverage envelope encryption to add another layer of protection to your data. With full control over your keys, no one else, including IBM Cloud administrators, can access your data.

Service | Integration instructions
Hyper Protect DBaaS for PostgreSQL | For detailed steps of how to integrate Hyper Protect DBaaS for PostgreSQL, check out Hyper Protect Crypto Services integration.
Hyper Protect DBaaS for MongoDB | For detailed steps of how to integrate Hyper Protect DBaaS for MongoDB, check out Hyper Protect Crypto Services integration.


Integrating with compute services

Use Hyper Protect Crypto Services to provide secure key management capability for compute services.

Service | Integration instructions
IBM Cloud Virtual Servers for Virtual Private Cloud | Create an encrypted block storage volume when you create a virtual server instance by using Hyper Protect Crypto Services. Use your own root keys that you manage in Hyper Protect Crypto Services to protect the data encryption keys that encrypt your data at rest. For detailed steps on integrating Virtual Servers for VPC, check out Creating virtual server instances with customer-managed encryption.
Key Management Interoperability Protocol (KMIP) for VMware on IBM Cloud | Use Hyper Protect Crypto Services to manage encryption keys that are used by VMware solutions on IBM Cloud. To learn more about integrating VMware Solutions, check out the following references:
HyTrust DataControl for IBM Cloud | The HyTrust DataControl service integrates with Hyper Protect Crypto Services to protect your data with strong encryption and scalable key management. The service provides encryption at both the operating system level and at the data level to secure your workloads throughout their lifecycles. To learn more about HyTrust DataControl, check out the following references:


Integrating with container services

Use your own root keys managed by Hyper Protect Crypto Services to protect container secrets and enable more granular control over user access.

Service | Integration instructions
IBM Cloud Kubernetes Service | For detailed steps of how to integrate IBM Cloud Kubernetes Service, check out Encrypting the Kubernetes master's local disk and secrets by using a KMS provider.
Red Hat OpenShift on IBM Cloud | For detailed steps of how to integrate OpenShift, check out Encrypting the OpenShift master's local disk and secrets by using a KMS provider.


Understanding your integration

When you integrate a supported service with Hyper Protect Crypto Services, you enable envelope encryption for that service. This integration allows you to use a root key that you store in Hyper Protect Crypto Services to wrap the data encryption keys that encrypt your data at rest.

For example, we can create a root key, manage the key in Hyper Protect Crypto Services, and use the root key to protect the data that is stored across different cloud services.

The following diagram shows Hyper Protect Crypto Services integrated with two services.

Figure 1. Integrating Hyper Protect Crypto Services

Behind the scenes, the Hyper Protect Crypto Services key management API drives the envelope encryption process.

The following table lists the API methods that add or remove envelope encryption on a resource.

Method | Description
POST /keys/{root_key_ID}?action=wrap | Wrap (encrypt) a data encryption key
POST /keys/{root_key_ID}?action=unwrap | Unwrap (decrypt) a data encryption key

To find out more about programmatically managing your keys in Hyper Protect Crypto Services, check out the Hyper Protect Crypto Services key management API reference doc.
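
The wrap and unwrap calls from the table above, as an added Python example (not IBM's code): it builds the two requests without sending them and shows which value is stored and which stays in memory. The base URL, the `bluemix-instance` header, the content type and the `plaintext`/`ciphertext`/`aad` JSON fields are assumptions about the key management API to confirm in the API reference; all IDs and tokens are placeholders.

```python
import base64
import json
import secrets
import urllib.request

# Assumed content type for key actions; confirm in the API reference.
CONTENT_TYPE = "application/vnd.ibm.kms.key_action+json"


def new_dek():
    """Generate a 256-bit data encryption key (DEK) locally."""
    return secrets.token_bytes(32)


def _action_request(conn, root_key_id, action, body):
    """Build, but do not send, POST {base_url}/keys/{root_key_ID}?action=..."""
    base_url, instance_id, token = conn
    return urllib.request.Request(
        f"{base_url}/keys/{root_key_id}?action={action}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "bluemix-instance": instance_id,  # assumed header name
            "Content-Type": CONTENT_TYPE,
        },
    )


def wrap_request(conn, root_key_id, dek, aad):
    """Wrap a plaintext DEK under the root key. The aad strings bind the
    wrapped DEK to a context and must be repeated unchanged on unwrap."""
    body = {"plaintext": base64.b64encode(dek).decode(), "aad": list(aad)}
    return _action_request(conn, root_key_id, "wrap", body)


def unwrap_request(conn, root_key_id, wrapped_dek, aad):
    """Ask the service to decrypt a stored wrapped DEK with the root key."""
    body = {"ciphertext": wrapped_dek, "aad": list(aad)}
    return _action_request(conn, root_key_id, "unwrap", body)


def wrapped_dek_from(wrap_response):
    """The wrapped DEK is the only key material to persist beside the data."""
    return json.loads(wrap_response)["ciphertext"]


def dek_from(unwrap_response):
    """Recover the plaintext DEK; keep it in memory only, never on disk."""
    return base64.b64decode(json.loads(unwrap_response)["plaintext"])
```

Pass each request to `urllib.request.urlopen` to send it; `conn` is the tuple `(base_url, instance_id, token)`.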


What's next

Add advanced encryption to your cloud resources by creating a root key in Hyper Protect Crypto Services. Add a new resource to a supported cloud data service, and then select the root key that you want to use for advanced encryption.