integrate-services.md

File metadata and controls

148 lines (101 loc) · 22.2 KB
---
copyright:
  years: 2018, 2024
lastupdated: "2024-10-09"
keywords: integration, encryption at rest, cloud object storage, object storage, kmip, containers, vmware, database, compute
subcollection: hs-crypto
---

{{site.data.keyword.attribute-definition-list}}

# Integrating {{site.data.keyword.cloud_notm}} services with {{site.data.keyword.hscrypto}}
{: #integrate-services}

You can integrate {{site.data.keyword.cloud_notm}} services with {{site.data.keyword.cloud}} {{site.data.keyword.hscrypto}} to build solutions for you to bring and manage your own encryption in the cloud.
{: shortdesc}

After you create an instance of the service and initialize the service instance, you need to establish service-to-service authorizations to allow one service to access another one through either single-account authorization or cross-account authorization. For detailed instructions on how to establish authorizations, see Creating an authorization in the UI. Make sure that you follow the process and select {{site.data.keyword.hscrypto}} as the target service.

Refer to the following integration instructions to integrate {{site.data.keyword.hscrypto}} with each supported service.

## Storage service integrations
{: #storage-integration}

The data that you store in {{site.data.keyword.cloud_notm}} storage services is encrypted by default by using randomly generated keys. If you want to control the encryption keys and use your own keys to encrypt your storage, you can associate root keys that you manage in {{site.data.keyword.hscrypto}} with your storage service and leverage envelope encryption to add another layer of protection to your data. Because root keys are encrypted by the master key that is owned by the user, no one else, including {{site.data.keyword.cloud_notm}} administrators, can access your data.

| Service | Description | Integration instruction |
|---------|-------------|-------------------------|
| {{site.data.keyword.cos_full_notm}}{: external} | {{site.data.keyword.cos_full_notm}} is a highly available, durable, and secure platform for storing unstructured data. Object storage is the most efficient way to store PDFs, media files, database backups, disk images, or even large structured datasets. | |
| {{site.data.keyword.block_storage_is_full}}{: external} | {{site.data.keyword.block_storage_is_short}} provides hypervisor-mounted, high-performance data storage for your virtual server instances that you can provision within your VPC. | Creating block storage volumes with customer-managed encryption{: external} |
| {{site.data.keyword.filestorage_vpc_full}}{: external} | {{site.data.keyword.filestorage_vpc_full}} is a zonal file storage offering that provides NFS-based file storage services. | Creating file shares with customer-managed encryption{: external} |
{: caption="Supported storage services" caption-side="bottom"}

## Database service integrations
{: #database-integration}

The data that you store in {{site.data.keyword.cloud_notm}} database services is encrypted by default by using randomly generated keys. If you want to control the encryption keys and use your own keys to encrypt your databases, you can associate root keys that you manage in {{site.data.keyword.hscrypto}} with your database service and leverage envelope encryption to add another layer of protection to your data. Because root keys are encrypted by the master key that is owned by the user, no one else, including {{site.data.keyword.cloud_notm}} administrators, can access your data.

| Service | Description | Integration instruction |
|---------|-------------|-------------------------|
| {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-elasticsearch}}{: external} | {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-elasticsearch}} is an enterprise-ready and fully managed Elasticsearch service that is built with native integration into {{site.data.keyword.cloud_notm}}. | {{site.data.keyword.hscrypto}} integration{: external} |
| {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-enterprisedb}}{: external} | {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-enterprisedb}} is a database engine that optimizes the built-in features of PostgreSQL. You can gain greater scalability, security, and reliability along with enhancements that improve database administrator and developer productivity. | {{site.data.keyword.hscrypto}} integration{: external} |
| {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-etcd}}{: external} | {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-etcd}} is an enterprise-ready and fully managed etcd service that is built with native integration into the {{site.data.keyword.cloud_notm}}. | {{site.data.keyword.hscrypto}} integration{: external} |
| {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-mongodb}}{: external} | {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-mongodb}} is an enterprise-ready and fully managed MongoDB service that is built with native integration into the {{site.data.keyword.cloud_notm}}. | {{site.data.keyword.hscrypto}} integration{: external} |
| {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-postgresql}}{: external} | {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-postgresql}} is an enterprise-ready and fully managed PostgreSQL service that is built with native integration into the {{site.data.keyword.cloud_notm}}. | {{site.data.keyword.hscrypto}} integration{: external} |
| {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-redis}}{: external} | {{site.data.keyword.cloud_notm}} {{site.data.keyword.databases-for-redis}} is an open source, in-memory key value store designed for the modern application stack. With {{site.data.keyword.databases-for-redis}}, you can use counters, queues, lists, and HyperLogLogs to handle complex data issues simply. | {{site.data.keyword.hscrypto}} integration{: external} |
| {{site.data.keyword.cloud_notm}} {{site.data.keyword.messages-for-rabbitmq}}{: external} | {{site.data.keyword.cloud_notm}} {{site.data.keyword.messages-for-rabbitmq}} is an enterprise-ready and fully managed RabbitMQ service with native integration into the {{site.data.keyword.cloud_notm}}. It supports multiple messaging protocols as a broker. | {{site.data.keyword.hscrypto}} integration{: external} |
| {{site.data.keyword.Db2_on_Cloud_long_notm}}{: external} | {{site.data.keyword.Db2_on_Cloud_long_notm}} is an SQL database that is provisioned for you in the cloud. You can use {{site.data.keyword.Db2_on_Cloud_short}} just as you use any database software, but without the time and expense of hardware setup or software installation and maintenance. | {{site.data.keyword.hscrypto}} integration{: external} |
{: caption="Supported database services" caption-side="bottom"}

## Compute service integrations
{: #compute-integration}

Use {{site.data.keyword.hscrypto}} to bring your own keys to compute services.

| Service | Description | Integration instruction |
|---------|-------------|-------------------------|
| {{site.data.keyword.cloud_notm}} image templates{: external} | You can use {{site.data.keyword.cloud_notm}} image templates to capture an image of a virtual server to quickly replicate its configuration with minimal changes in the order process. With the End to End (E2E) Encryption feature, you can bring your own encrypted, cloud-init enabled operating system image. | Using End to End Encryption to provision an encrypted instance{: external} |
| {{site.data.keyword.cloud_notm}} {{site.data.keyword.BluVirtServers_short}} for Virtual Private Cloud (VPC){: external} | {{site.data.keyword.BluVirtServers_short}} for VPC is an Infrastructure-as-a-Service (IaaS) offering that gives you access to all of the benefits of {{site.data.keyword.vpc_short}}, including network isolation, security, and flexibility. By integrating with {{site.data.keyword.hscrypto}}, you can create an encrypted block storage volume when you create a virtual server instance and use your own root keys to protect the data encryption keys that encrypt your data at rest. | Creating virtual server instances with customer-managed encryption volumes{: external} |
| Key Management Interoperability Protocol (KMIP) for VMware® on {{site.data.keyword.cloud_notm}}{: external} | KMIP for VMware® works together with VMware native vSphere encryption and vSAN encryption to provide simplified storage encryption management. By integrating with {{site.data.keyword.hscrypto}}, you can use {{site.data.keyword.hscrypto}} to manage encryption keys that are used by VMware® solutions on {{site.data.keyword.cloud_notm}}. | |
| Entrust DataControl for {{site.data.keyword.cloud_notm}}{: external} (formerly known as HyTrust CloudControl) | The Entrust DataControl service integrates with {{site.data.keyword.hscrypto}} to protect your data with strong encryption and scalable key management. The service provides encryption at both the operating system level and at the data level to secure your workloads throughout their lifecycles. | |
| {{site.data.keyword.powerSys_notm}}{: external} | {{site.data.keyword.powerSys_notm}} is a Power Systems offering. You can use {{site.data.keyword.powerSys_notm}} to integrate with {{site.data.keyword.hscrypto}} to securely store and protect encryption key information for AIX and Linux. | Integrating {{site.data.keyword.powerSys_notm}} with {{site.data.keyword.hscrypto}}{: external} |
{: caption="Supported compute services" caption-side="bottom"}

## Container service integrations
{: #container-integration}

By integrating with {{site.data.keyword.hscrypto}}, you can encrypt the Kubernetes secrets and etcd component of your Kubernetes master with your own root keys that are managed in {{site.data.keyword.hscrypto}}.

| Service | Description | Integration instruction |
|---------|-------------|-------------------------|
| {{site.data.keyword.containerlong_notm}}{: external} | {{site.data.keyword.containerlong_notm}} is a managed offering that is built for creating a Kubernetes cluster of compute hosts to deploy and manage containerized applications on {{site.data.keyword.cloud_notm}}. | Encrypting the Kubernetes master's local disk and secrets by using a KMS provider{: external} |
| {{site.data.keyword.openshiftlong_notm}}{: external} | {{site.data.keyword.openshiftlong_notm}} is a managed offering to create your own {{site.data.keyword.openshiftshort}} cluster of compute hosts to deploy and manage containerized apps on {{site.data.keyword.cloud_notm}}. In addition to using {{site.data.keyword.hscrypto}} to protect the Kubernetes secrets, you can also deploy the {{site.data.keyword.hscrypto}} Router, which uses the GREP11 OpenSSL Engine to access private keys that are stored in your {{site.data.keyword.hscrypto}} instance to encrypt routes. | |
{: caption="Supported container services" caption-side="bottom"}

## Ingestion service integrations
{: #Ingestion-integrations}

You can integrate {{site.data.keyword.hscrypto}} with the following ingestion services.

| Service | Description | Integration instruction |
|---------|-------------|-------------------------|
| {{site.data.keyword.mon_full_notm}}{: external} | {{site.data.keyword.mon_full_notm}} is a cloud-native, container-intelligence management system. You can use it to gain operational visibility into the performance and health of your {{site.data.keyword.hscrypto}} instance. | Getting started tutorial{: external} |
| {{site.data.keyword.bpfull_notm}}{: external} | {{site.data.keyword.bpfull_notm}} provides powerful tools to automate your cloud infrastructure provisioning and management process, the configuration and operation of your cloud resources, and the deployment of your application workloads. All data, user inputs, and data that is generated at runtime during execution of automation code are stored in {{site.data.keyword.cos_full_notm}}. This data is encrypted by default by using encryption keys from Schematics. If you need to control the encryption keys, you can integrate with your {{site.data.keyword.hscrypto}} instance to use your own root keys. | Enabling customer-managed keys for Schematics{: external} |
| {{site.data.keyword.messagehub}}{: external} | The {{site.data.keyword.messagehub}} service is a high-throughput message bus that is built with Apache Kafka. You can use it for event ingestion into {{site.data.keyword.cloud_notm}} and event stream distribution between your services and applications. By default, message payload data in {{site.data.keyword.messagehub}} is encrypted at rest by using a randomly generated key. If you need to control the encryption keys, you can integrate with your {{site.data.keyword.hscrypto}} instance to use your own root keys. | Enabling a customer-managed key for Event Streams{: external} |
{: caption="Supported ingestion services." caption-side="bottom"}

## Security service integrations
{: #security-service-integrations}

You can integrate {{site.data.keyword.hscrypto}} with the following security-related services. By default, the data that you store in these services is encrypted at rest by using an IBM-managed key. You can add a higher level of encryption control to your data at rest by enabling integration with {{site.data.keyword.hscrypto}} to use your own root keys.

| Service | Description | Integration instruction |
|---------|-------------|-------------------------|
| {{site.data.keyword.appid_short_notm}}{: external} | {{site.data.keyword.appid_short_notm}} stores and encrypts user profile attributes. As a multi-tenant service, every tenant has a designated encryption key and user data in each tenant is encrypted with only that tenant's key. | Enabling customer-managed keys for {{site.data.keyword.appid_short_notm}} by using {{site.data.keyword.hscrypto}}{: external} |
| {{site.data.keyword.secrets-manager_short}}{: external} | With {{site.data.keyword.secrets-manager_short}}, you can centrally manage your secrets in a single-tenant, dedicated instance. | Protecting your sensitive data in {{site.data.keyword.secrets-manager_short}}{: external} |
| {{site.data.keyword.compliance_short}}{: external} | With {{site.data.keyword.compliance_short}}, you can govern cloud resource configurations and centrally manage your compliance with organization and regulatory guidelines. When you work with the {{site.data.keyword.compliance_short}}, data is generated by the service as you interact with it. | Protecting your sensitive data in {{site.data.keyword.compliance_short}}{: external} |
{: caption="Supported security services." caption-side="bottom"}

## Developer tools service integrations
{: #devtools-integrations}

You can integrate {{site.data.keyword.hscrypto}} with the following developer tools services.

| Service | Description | Integration instruction |
|---------|-------------|-------------------------|
| {{site.data.keyword.contdelivery_full}}{: external} | The {{site.data.keyword.contdelivery_short}} service provides a suite of tools that support DevOps best practices. You can use the service to manage toolchains, operate delivery pipelines, gain insights into code quality and vulnerabilities, integrate third-party tools, and more. | |
{: caption="Supported developer tools services." caption-side="bottom"}

## Understanding your integration
{: #understand-integration}

When you integrate a supported service with {{site.data.keyword.hscrypto}}, you enable envelope encryption for that service. With this integration, you can use a root key that you store in {{site.data.keyword.hscrypto}} to wrap the data encryption keys that encrypt your data at rest.

For example, you can create a root key, manage the key in {{site.data.keyword.hscrypto}}, and use the root key to protect the data that is stored across different cloud services.

The following diagram illustrates a scenario in which {{site.data.keyword.hscrypto}} is integrated with two services.

[Diagram not included in this extract: a contextual view of your {{site.data.keyword.hscrypto}} integration.]
{: caption="Integrating {{site.data.keyword.hscrypto}}" caption-side="bottom"}

Behind the scenes, the {{site.data.keyword.hscrypto}} key management service API drives the envelope encryption process.

The following table lists the API methods that add or remove envelope encryption on a resource.

| Method | Description |
|--------|-------------|
| `POST /keys/{root_key_ID}?action=wrap` | Wrap (encrypt) a data encryption key.{: external} |
| `POST /keys/{root_key_ID}?action=unwrap` | Unwrap (decrypt) a data encryption key.{: external} |
{: caption="Describes the {{site.data.keyword.hscrypto}} key management service API methods" caption-side="bottom"}

To find out more about programmatically managing your keys in {{site.data.keyword.hscrypto}}, check out the {{site.data.keyword.hscrypto}} key management service API reference doc{: external}.
{: tip}
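The envelope encryption flow that the two API methods drive, shown as an added example rather than code from this page or from the service itself. A fresh data encryption key (DEK) is generated per object, the object is encrypted with the DEK, and only the DEK is sent to the key service to be wrapped by the root key; the root key never leaves the key service, and only the wrapped DEK is stored next to the ciphertext. `KeyService`, the in-memory `LocalKMS`, the key IDs, and the use of AES-256-GCM for both layers are assumptions of the example; in a real integration the two interface methods would be the `action=wrap` and `action=unwrap` calls listed above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is the slice of the key management API that envelope encryption
// needs; Wrap/Unwrap correspond to POST /keys/{root_key_ID}?action=wrap|unwrap.
type KeyService interface {
	Wrap(rootKeyID string, dek []byte) ([]byte, error)
	Unwrap(rootKeyID string, wrappedDEK []byte) ([]byte, error)
}

// LocalKMS is an in-memory stand-in for the service (an assumption of this
// example); root keys never leave it.
type LocalKMS struct{ rootKeys map[string][]byte }

func NewLocalKMS() *LocalKMS { return &LocalKMS{rootKeys: map[string][]byte{}} }

// CreateRootKey generates a 256-bit root key under a caller-chosen ID.
func (k *LocalKMS) CreateRootKey(id string) { k.rootKeys[id] = randomBytes(32) }

// DeleteRootKey is crypto-shredding: every DEK wrapped with the key, and every
// object those DEKs protect, becomes unrecoverable.
func (k *LocalKMS) DeleteRootKey(id string) { delete(k.rootKeys, id) }

// Wrap binds the root key ID as associated data, so a wrapped DEK cannot be
// unwrapped under a different root key.
func (k *LocalKMS) Wrap(id string, dek []byte) ([]byte, error) {
	if rk, ok := k.rootKeys[id]; ok {
		return aeadSeal(rk, dek, []byte(id)), nil
	}
	return nil, errors.New("root key not found: " + id)
}

func (k *LocalKMS) Unwrap(id string, wrapped []byte) ([]byte, error) {
	if rk, ok := k.rootKeys[id]; ok {
		return aeadOpen(rk, wrapped, []byte(id))
	}
	return nil, errors.New("root key not found: " + id)
}

// must turns errors that can only be programming errors (wrong key size) or a
// dead CSPRNG into panics: failing closed beats producing weak keys.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// aeadSeal and aeadOpen are AES-256-GCM; the random nonce is prepended.
func aeadSeal(key, plaintext, aad []byte) []byte {
	aead := newGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	aead := newGCM(key)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Envelope is what an integrated service persists; the plaintext DEK never is.
type Envelope struct {
	RootKeyID              string
	WrappedDEK, Ciphertext []byte
}

// EncryptEnvelope uses a fresh DEK per object; only Wrap touches the root key.
func EncryptEnvelope(ks KeyService, rootKeyID string, plaintext []byte) (*Envelope, error) {
	dek := randomBytes(32)
	wrapped, err := ks.Wrap(rootKeyID, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{rootKeyID, wrapped, aeadSeal(dek, plaintext, nil)}, nil
}

// DecryptEnvelope unwraps the DEK through the key service, then decrypts.
func DecryptEnvelope(ks KeyService, env *Envelope) ([]byte, error) {
	dek, err := ks.Unwrap(env.RootKeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, env.Ciphertext, nil)
}

func main() {
	kms := NewLocalKMS()
	kms.CreateRootKey("root-key-example") // constructed ID, not a real key ID
	env := must(EncryptEnvelope(kms, "root-key-example", []byte("customer record")))
	fmt.Printf("%s\n", must(DecryptEnvelope(kms, env)))
}
```

Two properties of the design are worth checking in your own integration: the stored object is recoverable only while the root key exists and the service is still authorized to call unwrap with it, so deleting or disabling a root key is an irreversible crypto-shredding operation for every resource that uses it; and binding the root key ID into the wrap operation means a wrapped DEK presented under a different root key is rejected rather than decrypted to garbage.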

## What's next
{: #integration-next-steps}

Add advanced encryption to your cloud resources by creating a root key in {{site.data.keyword.hscrypto}}. Add a resource to a supported cloud data service, and then select the root key that you want to use for advanced encryption.

- To find out more about creating root keys with the {{site.data.keyword.hscrypto}} service, see Creating root keys.
- To find out more about bringing your own root keys to the {{site.data.keyword.hscrypto}} service, see Importing root keys.