Set up IBM Key Protect

This guide shows you how to set up IBM Key Protect so that it can be added as a keystore in Baffle Manager. The walkthrough procedure is followed by a reference for the necessary parameter settings.

Key Protect uses root keys managed by IBM via an impenetrable HSM to encrypt the data encryption keys (DEKs) that encrypt your plaintext data. This type of system, also known as "envelope encryption," necessitates "unwrapping" or opening the data envelope before using the encrypted DEK to decrypt the data.

Configure IBM Key Protect

Complete the following steps to configure IBM Key Protect. Once this process is finished, Baffle Manager will allow you to add IBM Key Protect as a keystore.

To configure IBM Key Protect, do the following:

  1. Get an IBM KeyProtect Instance ID in one of the following ways:
    • Using the IBM CLI – enter the following command in a shell window:
      ibmcloud resource service-instance 'Key Protect-Baffle-1'
    • Using the IBM Cloud web console – navigate to `Services and Software` and select the Key Protect instance. The GUID is displayed in the sidebar, and  is what you use for the instanceID.
  2. Create and retrieve API Key, in the following way: 
    • Open a  web browser and navigate to:
    • Select Create an IBM Cloud API Key and name the key.
    • Copy or download the key after it’s created.
  3. Create Cloud Object Storage in the resource group.
  4. Create a Bucket in the COS instance, for example: bm-ibm-bucket
  5. Generate Service Credentials for the COS Bucket.
  6. In Object Storage, click on Service Credentials in the side panel. Then click New Credential.
  7. Enable HMAC and click Add. 
  8. Continue with adding IBM Key Protect as a keystore in Baffle Manager.

NOTE: The cos_hmac_keys give you the AWS S3 access_key_id and secret_access_key.


Add IBM Key Protect as a keystore in Baffle Manager

Complete the following steps to complete the process for using IBM Key Protect as a keystore in Baffle Manager.

To add IBM Key Protect as a keystore, do the following:

  1. In the Baffle Manager console, click the key icon in the left navigation bar. The Keystore window appears. NOTE: If this is the first time you are enrolling a keystore, the baffle_credential_store will be the only keystore that appears in the list.
  2. Click +Keystore. The Add Keystore dialog appears.
  3. Enter a keystore Name and select IBM Key Protect in the Keystore Type drop-down menu.
  4. Enter the Instance ID (from step 1 of configuring IBM Key Protect) for the KeyProtect Instance.
  5. For App Namespace, enter a string to identify the DEKs created for the application.
  6. For IBM Key Protect Alias, enter a unique string value.
  7. For the IAM API Key, use the key you created in step 2 of configuring IBM Key Protect.
  8. For IBM region, specify the region for the IBM Key Protect instance. See Available IBM region listing for more information.
  9. For the IBM Cloud Object Storage URL, specify the IBM endpoint URL for COS, for example:
  10. Enter the cos_hmac_keys from step 7 (from configuring IBM Key Protect) for the Access Key ID and Secret Key.
  11. When completed, click Add Keystore.


NOTE: The key will not appear in IBM Key Protect until Baffle Shield has been connected and data encryption migration has occurred.

Available IBM region listing

Regional Endpoints


Public endpoints



Washington DC














São Paulo



Cross Region Endpoints


Public endpoints

North America




Asia Pacific



More information

For more information on the following topics, see the related IBM documentation.



Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.