Integrating your data and keys
The data that you store in Db2 when using the Standard or Enterprise plan is encrypted by default by using randomly generated keys. If you need to control the encryption keys, you can use IBM Key Protect or Hyper Protect Crypto Servicesto create, add, and manage encryption keys. Then, you can associate those keys with your Db2 on Cloud deployment to encrypt your Db2 databases.
IBM Key Protect helps you provision encrypted keys for apps across IBM Cloud services. As you manage the lifecycle of your keys, you can benefit from knowing that your keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) that protect against the theft of information.
Hyper Protect Crypto Services is a single-tenant, dedicated HSM that is controlled by you. The service is built on FIPS 140-2 Level 4-certified hardware, the highest offered by any cloud provider in the industry.
To get started, you need to provision a Key Protect instance or a Hyper Protect Crypto Services instance on your IBM Cloud account.
Creating or adding a key in the key management service
To add a key in Key Protect, navigate to your instance of Key Protect and generate or enter a key.
To add a key in Hyper Protect Crypto Services, navigate to your instance of Hyper Protect Crypto Services and generate a key.
Granting service authorization
Authorize Key Protect for use with Db2 on Cloud deployments:
- Open your IBM Cloud dashboard.
- From the menu bar, select Manage > Access (IAM).
- In the side navigation, select Authorizations. Click Create.
- In the Source service menu, select the service of the deployment. For example, Db2.
- In the Source service instance menu, select All service instances.
- In the Target service menu, select Key Protect or Hyper Protect Crypto Services.
- In the Target service instance menu, select the service instance to authorize.
- Enable the
Reader
role. Click Authorize.
Using the key encryption key
After you grant your Db2 on Cloud deployments permission to use your keys, you supply the key name or CRN in Key Protect or Hyper Protect Crypto Services when you provision a deployment. The deployment uses your encryption key to encrypt your data.
If you provision a deployment through the CLI or API, the key needs to be identified by its full CRN, not just its ID. A CRN is in the format crn:v1:<...>:key:<id>
.
Deleting the deployment
If you delete a deployment that is protected with a key, the deployment remains registered against the key for the duration of the soft-deletion period (up to 9 days). If you need to delete the key in the soft-deletion period, you have to force delete the key using Key Protect or Hyper Protect Crypto Services. After the soft-deletion period the key can be deleted without the force. You can check the association between the key and your deployment to determine when you can delete the key.
Cryptoshredding
Cryptoshredding is a destructive action. Once the key is deleted your data is unrecoverable.
Key Protect or Hyper Protect Crypto Services allows you to initiate a force delete of a key that is in use by IBM Cloud® services using Key Protect or Hyper Protect Crypto Services,
including your Db2 on Cloud deployments. This action is called cryptoshredding. Deleting a key that is in use on your deployment locks the disks containing your data and disables your deployment. You are still able to access the UI and some
metadata such as security settings in the UI, CLI, and API but you are not able to access any of the databases or data contained within them. Key deletion is sent to the Log Analysis Activity Tracker as kms.secrets.delete
using
Key Protect and as hs-crypto.secrets.delete
using Hyper Protect Crypto Services.