IBM® Key Protect and encryption keys

The IBM® Key Protect for IBM Cloud® (IBM Key Protect) service helps you provision and store encrypted keys for applications across IBM Cloud services, so you can see and manage data encryption and the entire key lifecycle from one central location.

With user-managed encryption, you can bring your own custom root key (CRK) to the cloud or have a key management service (KMS) generate a key for you. You use root keys to encrypt resources across regions. You can encrypt resources with a key that is stored in your regional KMS instance, and you can use root keys from another region.

IBM Key Protect instances for your IBM Spectrum LSF cluster

You can use an IBM Key Protect instance with your cluster either by having the IBM Spectrum LSF deployment process create one for you or by integrating an existing one.

Creating an IBM Key Protect instance and key

You can automatically encrypt infrastructure resources through IBM Key Protect for your IBM Spectrum LSF cluster. To enable this feature for your cluster, keep the key_management deployment input value as key_protect (the default). The deployment process then creates an IBM Key Protect instance and a dedicated key to encrypt these resources:

  • IBM® Cloud Block Storage for Virtual Private Cloud (Cloud Block Storage)
  • IBM Cloud® File Storage for VPC
  • IBM Cloud® Object Storage

If the value for key_management is set to null, the deployment process does not create an IBM Key Protect instance or key, and all infrastructure resources are encrypted through provider-managed encryption instead.

Integrating an existing IBM Key Protect instance and key

If you have an existing IBM Key Protect instance and an encryption key, set the key_management deployment input value to key_protect. Provide the instance name in the kms_instance_name deployment input variable and the encryption key name in the kms_key_name deployment input variable. The deployment process then uses these values to encrypt all infrastructure resources for your IBM Spectrum LSF cluster.

IAM service-to-service authorization for your IBM Spectrum LSF cluster

Use IBM Cloud® Identity and Access Management (IAM) to create or remove authorization that grants one service access to another service for your IBM Spectrum LSF cluster. This service authorization grants a source service or group of services in any account access to a target service or group of services in an account. You can also use authorization delegation to automatically create access policies that grant access to dependent services.

  1. Enabling service-to-service authorization between the KMS and Cloud Block Storage

You can set the IBM Spectrum LSF cluster deployment process to automatically enable service-to-service authorization between your KMS and the Cloud Block Storage service by setting the skip_iam_block_storage_authorization_policy deployment input value to false. The process then creates a service authorization between Cloud Block Storage and the IBM Key Protect instance ID. This happens when the KMS instance is created through automation.

When you use an existing KMS instance that already has an authorization enabled between Cloud Block Storage and the KMS instance ID, set the skip_iam_block_storage_authorization_policy deployment input value to true. In this case, the process skips creating a new service authorization. When you use an existing KMS instance ID and the authorization is not yet enabled, keep the value as false (the default) so the solution establishes the authorization.

  2. Enabling service-to-service authorization between the KMS and VPC File Storage service

You can set the IBM Spectrum LSF cluster deployment process to automatically enable service-to-service authorization between your KMS and the VPC File Storage service by setting the skip_iam_share_authorization_policy deployment input value to false. The process then creates a service authorization between the VPC File Storage service and the IBM Key Protect instance ID. This happens when the KMS instance is created through automation.

When you use an existing KMS instance that already has an authorization enabled between VPC File Storage and the KMS instance ID, set the skip_iam_share_authorization_policy deployment input value to true. In this case, the process skips creating a new service authorization. When you use an existing KMS instance ID and the authorization is not yet enabled, keep the value as false (the default) so the solution establishes the authorization.

If the service authorization already exists and the deployment process tries to create it again, you can encounter a message similar to: "Error creating authorization policy: The policy wasn't created because an access policy with identical attributes and roles already exists."
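The input combinations described on this page (key_management, kms_instance_name, kms_key_name and the two skip_iam_*_authorization_policy flags) can be checked before a deployment is run. The following is an added example written for this page, not IBM's deployment code: it models the encryption-mode decision and the authorization planning so that an existing authorization is detected rather than re-created, which is what triggers the "identical attributes and roles already exists" error. The deployment process is assumed to be Terraform-driven; the input variable names come from the page, while the service labels, the Reader role, the policy record shape and all sample values are constructed assumptions.

```python
"""Added example (not IBM's deployment code): models the Key Protect and IAM
authorization decisions this page describes. Input names match the page;
service labels, the policy record shape and sample data are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Text fragment from the error message quoted on the page.
DUPLICATE_POLICY_TEXT = "access policy with identical attributes and roles already exists"


@dataclass
class DeploymentInputs:
    # Deployment input variables named on the page; defaults mirror the
    # documented defaults (key_protect, authorizations not skipped).
    key_management: Optional[str] = "key_protect"
    kms_instance_name: Optional[str] = None
    kms_key_name: Optional[str] = None
    skip_iam_block_storage_authorization_policy: bool = False
    skip_iam_share_authorization_policy: bool = False


@dataclass(frozen=True)
class Authorization:
    # Simplified service-to-service authorization: source service, target KMS
    # instance ID and granted roles. Labels are assumptions, not IAM values.
    source_service: str
    target_instance: str
    roles: Tuple[str, ...]


def resolve_encryption(inputs: DeploymentInputs) -> Tuple[str, Optional[str], Optional[str]]:
    """Decide how infrastructure resources are encrypted.

    Returns (mode, instance, key); mode is "provider-managed", "create" or
    "existing". Instance and key are only known up front for "existing".
    """
    if inputs.key_management is None:
        # key_management = null: no Key Protect instance or key is created.
        return ("provider-managed", None, None)
    if inputs.key_management != "key_protect":
        raise ValueError(f"unsupported key_management value: {inputs.key_management!r}")
    if inputs.kms_instance_name or inputs.kms_key_name:
        # Integrating an existing instance needs both names, otherwise no
        # specific key inside the instance can be selected.
        if not (inputs.kms_instance_name and inputs.kms_key_name):
            raise ValueError("kms_instance_name and kms_key_name must both be set")
        return ("existing", inputs.kms_instance_name, inputs.kms_key_name)
    # Default: the deployment creates an instance and a key for the cluster.
    return ("create", None, None)


def plan_authorizations(
    inputs: DeploymentInputs,
    kms_instance_id: str,
    existing: List[Authorization],
) -> Tuple[List[Authorization], List[Authorization]]:
    """Return (to_create, already_present) for the two documented authorizations.

    A skip flag set to true drops that authorization from consideration; one
    that already exists with identical attributes and roles is reported instead
    of created, so the duplicate-policy error is never raised.
    """
    wanted: List[Authorization] = []
    if not inputs.skip_iam_block_storage_authorization_policy:
        wanted.append(Authorization("block-storage-for-vpc", kms_instance_id, ("Reader",)))
    if not inputs.skip_iam_share_authorization_policy:
        wanted.append(Authorization("file-storage-for-vpc", kms_instance_id, ("Reader",)))
    present = set(existing)
    to_create = [a for a in wanted if a not in present]
    already = [a for a in wanted if a in present]
    return to_create, already


def is_duplicate_policy_error(message: str) -> bool:
    """True when an error text is the harmless 'policy already exists' case."""
    return DUPLICATE_POLICY_TEXT in message


if __name__ == "__main__":
    # Constructed sample: an existing instance that already authorizes Block
    # Storage but not File Storage, so only the share authorization is needed.
    inputs = DeploymentInputs(kms_instance_name="lsf-kp", kms_key_name="lsf-root-key")
    print(resolve_encryption(inputs))
    existing = [Authorization("block-storage-for-vpc", "kp-instance-id-0001", ("Reader",))]
    create, present = plan_authorizations(inputs, "kp-instance-id-0001", existing)
    print("create:", create)
    print("already present:", present)
```

Running the script with the constructed sample reports the Block Storage authorization as already present and the File Storage one as still to create, which is the situation where the page tells you to set skip_iam_block_storage_authorization_policy to true and leave skip_iam_share_authorization_policy as false.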