---
copyright:
lastupdated: "2022-09-13"
keywords: monitoring schematics services, monitoring, integration services
subcollection: schematics
---
{{site.data.keyword.attribute-definition-list}}
{: #kms-integration}
{{site.data.keyword.bpfull}} integrates with enterprise-grade key management services so that you can manage the lifecycle of the encryption keys that are used by your {{site.data.keyword.cloud_notm}} resources, services, and applications.
{: shortdesc}
{: #key-mgt-ui}
By default, the data that you store in {{site.data.keyword.bpshort}} Workspaces by using the Enterprise plan is encrypted by using randomly generated keys. If you need to control the encryption keys, you can use {{site.data.keyword.keymanagementservicelong_notm}} to create, import, and manage encryption root keys and standard keys. Then, you can associate those keys with your {{site.data.keyword.bpshort}} resource deployment to encrypt your resources.
{: shortdesc}

You can use your encryption keys from key management services (KMS), {{site.data.keyword.keymanagementservicelong_notm}} (BYOK), and {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}} (KYOK) to encrypt and secure the data that is stored in {{site.data.keyword.bpshort}}. For more information about how to protect sensitive data in {{site.data.keyword.bpshort}}, see protecting your sensitive data in {{site.data.keyword.bpshort}}.
{: #key-prerequisites}
The key management service lists the instances that are created in your specific location and region. The following prerequisites must be met before you perform the KMS activity.

- You must have a KYOK or BYOK instance. To create the {{site.data.keyword.keymanagementservicelong_notm}} keys, see create KYOK. To create the {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}} keys, see create BYOK.
- You must add a root key to your KYOK or BYOK instance.
- You must configure service-to-service authorization to integrate BYOK and KYOK with the {{site.data.keyword.bpshort}} service. Follow these steps to grant {{site.data.keyword.keymanagementserviceshort}} access to the {{site.data.keyword.bpshort}} service:
  1. In the {{site.data.keyword.cloud_notm}} console, click Manage > Access (IAM), and select Authorizations > Create.
  2. Select the Source Service as {{site.data.keyword.bpshort}}.
  3. Select the Target Service as {{site.data.keyword.keymanagementserviceshort}} or {{site.data.keyword.hscrypto}}. Select the instance that you want to authorize.
  4. Select the Role as Reader.
  5. Click Authorize.

  For more information, see IAM authorization to create by using the CLI and the API.
  {: note}

- The KMS setting is a one-time setting. You need to open a support ticket to update the KMS settings.
  {: note}
{: #integrate-byok-ui}
{: ui}
Follow these steps to launch the key management system and encrypt your keys with {{site.data.keyword.bpshort}}.

1. Log in to your {{site.data.keyword.cloud_notm}}{: external} account by using your credentials.
2. From the {{site.data.keyword.cloud_notm}} page, select Navigation menu > {{site.data.keyword.bpshort}} > Integrations > Connect.
3. Click Connect > Key Management from the drop-down list.
4. Select the Service as {{site.data.keyword.keymanagementserviceshort}} or {{site.data.keyword.hscrypto}}.
5. Select Choose existing instance and pick an instance. If your instance is not created yet, select Create a new instance to create a {{site.data.keyword.keymanagementservicelong_notm}} or {{site.data.keyword.cloud_notm}} {{site.data.keyword.hscrypto}} instance. For more information, see Create a key protect instance.

   You can view your instance in the service list when the prerequisites are met. Otherwise, you see the message No Keys found.
   {: note}

6. Select your Service and the Root key that is configured for BYOK or KYOK.
7. Click Update to complete the integration of your keys with your {{site.data.keyword.bpshort}} resource deployment.
8. Click the Launch icon to view your enabled keys in the Resource list.
{: #integrate-byok-cli}
{: cli}
Follow these steps to integrate root keys with {{site.data.keyword.bpshort}} to encrypt your data through the command line.

1. List all the KMS instances in your {{site.data.keyword.cloud_notm}} account to find your {{site.data.keyword.keymanagementserviceshort}} or {{site.data.keyword.hscrypto}} instances.

   ```sh
   ibmcloud schematics kms instance ls --location LOCATION_NAME --scheme ENCRYPTION_SCHEME
   ```
   {: pre}

2. Integrate the root key with {{site.data.keyword.bpshort}} to encrypt your data in the specified location.

   ```sh
   ibmcloud schematics kms enable --location LOCATION_NAME --scheme ENCRYPTION_SCHEME --group RESOURCE_GROUP --primary_name PRIMARY_KMS_NAME --primary_crn PRIMARY_KEY_CRN --primary_endpoint PRIMARY_KMSPRIVATEENDPOINT --secondary_name SECONDARY_KMS_NAME --secondary_crn SECONDARY_KEY_CRN --secondary_endpoint SECONDARY_KMSPRIVATEENDPOINT
   ```
   {: pre}

3. Get the current root key information.

   ```sh
   ibmcloud schematics kms info --location LOCATION_NAME
   ```
   {: pre}

For more information about enabling the BYOK or KYOK commands, see Enable BYOK or KYOK commands.
{: note}
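Because the KMS setting is applied once and can only be changed later through a support ticket, it is worth validating the arguments locally before you run `ibmcloud schematics kms enable`. The following pre-flight script is an added example and is not part of the IBM documentation or the Schematics CLI. It assumes the scheme values `byok` and `kyok`, the key CRN layout `crn:v1:bluemix:public:<service>:<region>:a/<account>:<instance>:key:<key-id>` with service `kms` for {{site.data.keyword.keymanagementserviceshort}} and `hs-crypto` for {{site.data.keyword.hscrypto}}, and the private-endpoint host patterns shown in the comments; the CRNs and endpoints in the usage section are constructed sample values. The script only prints the command it would run, so you can review it first.

```shell
#!/bin/sh
# Added pre-flight check before "ibmcloud schematics kms enable" (example code,
# not part of the IBM docs or CLI). Validates that each key CRN belongs to the
# service that matches the chosen scheme and that each endpoint is a private
# endpoint, then prints (does not execute) the enable command.
# ASSUMPTIONS: scheme names byok/kyok, CRN layout, and endpoint host patterns.

# check_key_crn CRN SCHEME -> 0 if CRN is a key CRN of the right service.
check_key_crn() {
    crn="$1"; scheme="$2"
    case "$scheme" in
        byok) want_service="kms" ;;          # assumed: Key Protect service name
        kyok) want_service="hs-crypto" ;;    # assumed: HPCS service name
        *) echo "unknown scheme: $scheme" >&2; return 1 ;;
    esac
    # Split on ':' into positional parameters (assumed 10-field key CRN):
    # crn v1 bluemix public <service> <region> a/<account> <instance> key <key-id>
    oldifs="$IFS"; IFS=:
    set -- $crn
    IFS="$oldifs"
    [ "$#" -eq 10 ] || return 1
    [ "$1" = "crn" ] && [ "$2" = "v1" ] || return 1
    [ "$5" = "$want_service" ] || return 1
    [ "$9" = "key" ] || return 1
    case "${10}" in
        ????????-????-????-????-????????????) return 0 ;;   # UUID-shaped key id
        *) return 1 ;;
    esac
}

# check_private_endpoint URL SCHEME -> 0 if URL is an https private endpoint
# for the scheme (assumed host patterns; region must contain no '.' or '/').
check_private_endpoint() {
    ep="$1"; scheme="$2"
    case "$scheme" in
        byok)
            case "$ep" in
                https://private.*.kms.cloud.ibm.com) ;;
                *) return 1 ;;
            esac
            region="${ep#https://private.}"
            region="${region%.kms.cloud.ibm.com}" ;;
        kyok)
            case "$ep" in
                https://api.private.*.hs-crypto.cloud.ibm.com*) ;;
                *) return 1 ;;
            esac
            region="${ep#https://api.private.}"
            region="${region%.hs-crypto.cloud.ibm.com*}" ;;
        *) return 1 ;;
    esac
    case "$region" in
        ''|*[./]*) return 1 ;;   # empty region or an extra host label slipped in
        *) return 0 ;;
    esac
}

# build_enable_cmd LOCATION SCHEME GROUP P_NAME P_CRN P_EP S_NAME S_CRN S_EP
# Prints the enable command on stdout only when every argument validates.
build_enable_cmd() {
    [ "$#" -eq 9 ] || { echo "expected 9 arguments, got $#" >&2; return 1; }
    check_key_crn "$5" "$2" || { echo "primary CRN rejected for scheme $2" >&2; return 1; }
    check_private_endpoint "$6" "$2" || { echo "primary endpoint is not a private endpoint" >&2; return 1; }
    check_key_crn "$8" "$2" || { echo "secondary CRN rejected for scheme $2" >&2; return 1; }
    check_private_endpoint "$9" "$2" || { echo "secondary endpoint is not a private endpoint" >&2; return 1; }
    printf 'ibmcloud schematics kms enable --location %s --scheme %s --group %s --primary_name %s --primary_crn %s --primary_endpoint %s --secondary_name %s --secondary_crn %s --secondary_endpoint %s\n' "$@"
}

# Constructed sample values (account, instance, and key ids are made up).
SAMPLE_BYOK_CRN='crn:v1:bluemix:public:kms:us-south:a/0123456789abcdef0123456789abcdef:11111111-2222-3333-4444-555555555555:key:66666666-7777-8888-9999-aaaaaaaaaaaa'
SAMPLE_BYOK_EP='https://private.us-south.kms.cloud.ibm.com'

# Usage: prints the command for review instead of running it.
if [ "${1:-}" = "--demo" ]; then
    build_enable_cmd us-south byok Default primary-kp "$SAMPLE_BYOK_CRN" "$SAMPLE_BYOK_EP" \
        secondary-kp "$SAMPLE_BYOK_CRN" "$SAMPLE_BYOK_EP"
fi
```

Run it with `sh preflight.sh --demo` to see the assembled command; the checks catch the two mistakes that are hardest to undo after a one-time setting: passing an {{site.data.keyword.hscrypto}} key CRN with `--scheme byok` (or the reverse), and passing a public endpoint where a private one is required.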