IBM Cloud Docs

Integrating IBM Cloud services with Hyper Protect Crypto Services

You can integrate IBM Cloud services with IBM Cloud® Hyper Protect Crypto Services to build solutions for you to bring and manage your own encryption in the cloud.

After you create and initialize a service instance, you must establish a service-to-service authorization so that the integrating service can use keys in your Hyper Protect Crypto Services instance. The authorization can be within a single account or across accounts. For detailed instructions, see Creating an authorization in the UI. When you create the authorization, select Hyper Protect Crypto Services as the target service, grant only the role that the integration instructions for the source service require, and, where the source service allows it, scope the authorization to the specific Hyper Protect Crypto Services instance rather than to all instances.

Refer to the following integration instructions to integrate Hyper Protect Crypto Services with each supported service.

Storage service integrations

The data that you store in IBM Cloud storage services is encrypted by default by using randomly generated keys. If you want to control the encryption keys, you can associate root keys that you manage in Hyper Protect Crypto Services with your storage service and use envelope encryption to add another layer of protection: the storage service keeps encrypting your data with its own data encryption keys, and those keys are wrapped by your root key. Because root keys are themselves encrypted by the master key, which only you hold, no one else, including IBM Cloud administrators, can access your data.

Table 1. Supported storage services
Service | Description | Integration instruction
IBM Cloud Object Storage | IBM Cloud Object Storage is a highly available, durable, and secure platform for storing unstructured data. Object storage is the most efficient way to store PDFs, media files, database backups, disk images, or even large structured datasets. | (none listed)
IBM Cloud Block Storage for Virtual Private Cloud | Block Storage for VPC provides hypervisor-mounted, high-performance data storage for the virtual server instances that you provision within your VPC. | Creating block storage volumes with customer-managed encryption
IBM Cloud File Storage for VPC | File Storage for VPC is a zonal file storage offering that provides NFS-based file storage services. | Creating file shares with customer-managed encryption

Database service integrations

The data that you store in IBM Cloud database services is encrypted by default by using randomly generated keys. If you want to control the encryption keys, you can associate root keys that you manage in Hyper Protect Crypto Services with your database service and use envelope encryption to add another layer of protection: the database service keeps encrypting your data with its own data encryption keys, and those keys are wrapped by your root key. Because root keys are themselves encrypted by the master key, which only you hold, no one else, including IBM Cloud administrators, can access your data.

Table 2. Supported database services
Service | Description | Integration instruction
IBM Cloud Databases for Elasticsearch | An enterprise-ready, fully managed Elasticsearch service that is built with native integration into IBM Cloud. | Hyper Protect Crypto Services integration
IBM Cloud Databases for EnterpriseDB | A database engine that optimizes the built-in features of PostgreSQL. You gain greater scalability, security, and reliability along with enhancements that improve database administrator and developer productivity. | Hyper Protect Crypto Services integration
IBM Cloud Databases for etcd | An enterprise-ready, fully managed etcd service that is built with native integration into IBM Cloud. | Hyper Protect Crypto Services integration
IBM Cloud Databases for MongoDB | An enterprise-ready, fully managed MongoDB service that is built with native integration into IBM Cloud. | Hyper Protect Crypto Services integration
IBM Cloud Databases for PostgreSQL | An enterprise-ready, fully managed PostgreSQL service that is built with native integration into IBM Cloud. | Hyper Protect Crypto Services integration
IBM Cloud Databases for Redis | An open source, in-memory key-value store designed for the modern application stack. With Databases for Redis, you can use counters, queues, lists, and HyperLogLogs to handle complex data issues simply. | Hyper Protect Crypto Services integration
IBM Cloud Messages for RabbitMQ | An enterprise-ready, fully managed RabbitMQ service with native integration into IBM Cloud. As a broker, it supports multiple messaging protocols. | Hyper Protect Crypto Services integration
IBM Db2 on Cloud | An SQL database that is provisioned for you in the cloud. You can use Db2 on Cloud just as you use any database software, but without the time and expense of hardware setup or software installation and maintenance. | Hyper Protect Crypto Services integration

Compute service integrations

Use Hyper Protect Crypto Services to bring your own keys to compute services.

Table 3. Supported compute services
Service | Description | Integration instruction
IBM Cloud image templates | Image templates capture an image of a virtual server so that you can quickly replicate its configuration with minimal changes in the order process. With the End to End (E2E) Encryption feature, you can bring your own encrypted, cloud-init enabled operating system image. | Using End to End Encryption to provision an encrypted instance
IBM Cloud Virtual Servers for Virtual Private Cloud (VPC) | An Infrastructure-as-a-Service (IaaS) offering that gives you all the benefits of IBM Cloud VPC, including network isolation, security, and flexibility. By integrating with Hyper Protect Crypto Services, you can create an encrypted block storage volume when you create a virtual server instance and use your own root keys to protect the data encryption keys that encrypt your data at rest. | Creating virtual server instances with customer-managed encryption volumes
Key Management Interoperability Protocol (KMIP) for VMware on IBM Cloud | KMIP for VMware works together with VMware native vSphere encryption and vSAN encryption to provide simplified storage encryption management. By integrating with Hyper Protect Crypto Services, you can manage the encryption keys that VMware solutions on IBM Cloud use. | (none listed)
Entrust DataControl for IBM Cloud (formerly known as HyTrust CloudControl) | Integrates with Hyper Protect Crypto Services to protect your data with strong encryption and scalable key management. The service provides encryption at both the operating system level and the data level to secure your workloads throughout their lifecycles. | (none listed)
Power Virtual Server | A Power Systems offering. You can integrate Power Virtual Server with Hyper Protect Crypto Services to securely store and protect encryption key information for AIX and Linux. | Integrating Power Virtual Server with Hyper Protect Crypto Services

Container service integrations

By integrating with Hyper Protect Crypto Services, you can encrypt the Kubernetes secrets and etcd component of your Kubernetes master with your own root keys that are managed in Hyper Protect Crypto Services.

Table 4. Supported container services
Service | Description | Integration instruction
IBM Cloud Kubernetes Service | A managed offering for creating a Kubernetes cluster of compute hosts to deploy and manage containerized applications on IBM Cloud. | Encrypting the Kubernetes master's local disk and secrets by using a KMS provider
Red Hat OpenShift on IBM Cloud | A managed offering for creating your own Red Hat OpenShift cluster of compute hosts to deploy and manage containerized apps on IBM Cloud. In addition to using Hyper Protect Crypto Services to protect Kubernetes secrets, you can deploy the Hyper Protect Crypto Services Router, which uses the GREP11 OpenSSL Engine to access private keys that are stored in your Hyper Protect Crypto Services instance to encrypt routes. | (none listed)

Ingestion service integrations

You can integrate Hyper Protect Crypto Services with the following ingestion services.

Table 5. Supported ingestion services
Service | Description | Integration instruction
IBM Cloud Monitoring | A cloud-native, container-intelligence management system. You can use it to gain operational visibility into the performance and health of your Hyper Protect Crypto Services instance. | Getting started tutorial
IBM Cloud Schematics | Provides tools to automate your cloud infrastructure provisioning and management process, the configuration and operation of your cloud resources, and the deployment of your application workloads. All data, user inputs, and data that is generated at run time during execution of automation code are stored in IBM Cloud Object Storage. This data is encrypted by default with encryption keys from Schematics. If you need to control the encryption keys, you can integrate with your Hyper Protect Crypto Services instance to use your own root keys. | Enabling customer-managed keys for Schematics
Event Streams | A high-throughput message bus that is built with Apache Kafka. You can use it for event ingestion into IBM Cloud and event stream distribution between your services and applications. By default, message payload data in Event Streams is encrypted at rest by using a randomly generated key. If you need to control the encryption keys, you can integrate with your Hyper Protect Crypto Services instance to use your own root keys. | Enabling a customer-managed key for Event Streams

Security service integrations

You can integrate Hyper Protect Crypto Services with the following security-related services. By default, the data that you store in these services is encrypted at rest by using an IBM-managed key. You can add a higher level of encryption control to your data at rest by enabling integration with Hyper Protect Crypto Services to use your own root keys.

Table 6. Supported security services
Service | Description | Integration instruction
App ID | App ID stores and encrypts user profile attributes. As a multi-tenant service, every tenant has a designated encryption key, and user data in each tenant is encrypted with only that tenant's key. | Enabling customer-managed keys for App ID by using Hyper Protect Crypto Services
Secrets Manager | With Secrets Manager, you can centrally manage your secrets in a single-tenant, dedicated instance. | Protecting your sensitive data in Secrets Manager
Security and Compliance Center | With Security and Compliance Center, you can govern cloud resource configurations and centrally manage your compliance with organization and regulatory guidelines. When you work with Security and Compliance Center, data is generated by the service as you interact with it. | Protecting your sensitive data in Security and Compliance Center

Developer tools service integrations

You can integrate Hyper Protect Crypto Services with the following developer tools services.

Table 7. Supported developer tools services
Service | Description | Integration instruction
IBM Cloud Continuous Delivery | The Continuous Delivery service provides a suite of tools that support DevOps best practices. You can use the service to manage toolchains, operate delivery pipelines, gain insights into code quality and vulnerabilities, integrate third-party tools, and more. | (none listed)

Understanding your integration

When you integrate a supported service with Hyper Protect Crypto Services, you enable envelope encryption for that service. With this integration, you can use a root key that you store in Hyper Protect Crypto Services to wrap the data encryption keys that encrypt your data at rest.

For example, you can create a root key, manage the key in Hyper Protect Crypto Services, and use the root key to protect the data that is stored across different cloud services.

The following diagram shows Hyper Protect Crypto Services integrated with two services.

The diagram shows a contextual view of your Hyper Protect Crypto Services integration.
Figure 1. Integrating Hyper Protect Crypto Services

Behind the scenes, the Hyper Protect Crypto Services key management service API drives the envelope encryption process.

The following table lists the API methods that add or remove envelope encryption on a resource.

Table 8. Hyper Protect Crypto Services key management service API methods for envelope encryption
Method | Description
POST /keys/{root_key_ID}?action=wrap | Wrap (encrypt) a data encryption key with the root key.
POST /keys/{root_key_ID}?action=unwrap | Unwrap (decrypt) a previously wrapped data encryption key with the root key.

To find out more about programmatically managing your keys in Hyper Protect Crypto Services, see the Hyper Protect Crypto Services key management service API reference.

What's next

Add advanced encryption to your cloud resources by creating a root key in Hyper Protect Crypto Services. Add a resource to a supported cloud data service, and then select the root key that you want to use for advanced encryption.

  • To find out more about creating root keys with the Hyper Protect Crypto Services service, see Creating root keys.
  • To find out more about bringing your own root keys to the Hyper Protect Crypto Services service, see Importing root keys.