Add IBM Key Protect as a keystore in Baffle Manager

This document demonstrates how to add IBM Key Protect as a keystore type in Baffle Manager and explains parameter settings.

The IBM® Key Protect for IBM Cloud® service enables you to provision and store encrypted keys across your IBM Cloud environment. IBM Key Protect provides full encryption visibility and control, allowing you to see and manage data encryption and the entire key lifecycle from a single location.

Prerequisites

Before you can add IBM Key Protect as a keystore in Baffle Manager, you must first do the following:

  1. Create IBM Keys Auth – For more information, see the IBM documentation.
  2. Deploy a Kubernetes cluster – For more information, see the IBM documentation.
  3. Create a Key Protect instance – For more information, see the IBM documentation.
  4. Create a Cloud Object Store (COS) – For more information, see the IBM documentation.
  5. Create HMAC keys on the COS – For more information, see the IBM documentation.

Connect to an IBM Keystore 

Before you can enroll your applications, add databases and enable encryption, you must enroll your Keystore so Baffle Manager can access and/or create data encryption keys (DEKs) that will be used to protect your data. 

To enroll an IBM Keystore, do the following:

  1. In the Baffle Manager console, click the key icon in the left navigation bar. The Keystore window appears. If this is the first time you are enrolling a Keystore, the baffle_credential_store will be the only keystore that appears in the list.
  2. Click +Keystore to add an IBM Keystore. The Add Keystore dialog appears.
  3. Enter a Keystore name and select IBM as the Keystore Type.
  4. Enter the KeyProtect Instance (the Instance ID of the instance you created in Prerequisites) and the App Namespace (an existing one, or create a new App Namespace) for the data encryption key.
  5. Enter the IBM Key Protect Alias for the master key and IAM API Key you generated in Prerequisites.
  6. Select the IBM Region that corresponds with that of the KeyProtect Instance used for the Instance ID, then select IBM Cloud Object Storage for the DEK Storage Type.
  7. Enter the regional endpoint URL for the IBM Cloud Object Storage URL. This is the region where you store your data encryption keys.
  8. Enter the IBM Secret Key and IBM Access Key ID, which are COS Service Credentials for HMAC keys created in the Prerequisites.
  9. Enter the Cloud Object Storage Bucket Name and click Add Keystore.

  10. When completed, click Add Keystore.

    NOTE: The key will not appear in IBM Key Protect until Baffle Shield has been connected and data encryption migration has occurred.

Parameters required in KmsConfig.properties

  kmsType
    ibmKeyProtect
  instanceId
    Instance ID of the Key Protect instance used to encrypt and decrypt keys.
  iam_api_key
    IAM API key generated in Prerequisites.
  ibm_region
    Key Protect instance region (see the region listing below).
  app_namespace
    App namespace used for encryption of keys.
  ibm_kms_alias
    Either an alias or a unique v4 UUID that uniquely identifies the key.
    Each alias must be alphanumeric and cannot contain spaces or special characters other than - or _.
    The alias cannot be a UUID and must not be a Key Protect reserved name: allowed_ip, key, keys, metadata, policy, policies, registration, registrations, ring, rings, rotate, wrap, unwrap, rewrap, version, versions.
    Alias length is 2 to 90 characters (inclusive).
  disable_mk_creation
    true/false


Available IBM region listing

  Region           Public endpoints
  Dallas           us-south
  Washington DC    us-east
  London           eu-gb
  Frankfurt        eu-de
  Sydney           au-syd
  Tokyo            jp-tok
  Osaka            jp-osa

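As an added example (not Baffle's or IBM's own code), the following Python checker validates a KmsConfig.properties file against the parameter rules and region listing above before it is deployed: required keys, kmsType, the listed region codes, the true/false flag, and the ibm_kms_alias constraints (character set, length, reserved names, v4 UUID key IDs). The sample config and its angle-bracket placeholder values are constructed, and the key=value line format of the file is an assumption.

```python
import re
import uuid

# Region codes and Key Protect reserved alias names as listed on this page.
IBM_REGIONS = {"us-south", "us-east", "eu-gb", "eu-de", "au-syd", "jp-tok", "jp-osa"}
RESERVED_ALIASES = {"allowed_ip", "key", "keys", "metadata", "policy", "policies",
                    "registration", "registrations", "ring", "rings", "rotate",
                    "wrap", "unwrap", "rewrap", "version", "versions"}
REQUIRED = ("kmsType", "instanceId", "iam_api_key", "ibm_region",
            "app_namespace", "ibm_kms_alias", "disable_mk_creation")
# Constructed sample config; angle-bracket values are placeholders, not real credentials.
SAMPLE_CONFIG = ("kmsType=ibmKeyProtect\ninstanceId=<KEY-PROTECT-INSTANCE-ID>\n"
                 "iam_api_key=<IAM-API-KEY>\nibm_region=us-south\napp_namespace=baffle-demo\n"
                 "ibm_kms_alias=baffle-master-key\ndisable_mk_creation=false\n")

def parse_properties(text):  # minimal key=value .properties parser; '#' lines are comments
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def validate_alias(value):  # ibm_kms_alias: a v4 UUID (existing key ID) or an alias
    try:  # a v4 UUID is an existing key ID; any other UUID is not a valid alias either
        return [] if uuid.UUID(value).version == 4 else ["alias cannot be a UUID"]
    except ValueError:
        pass
    errors = []
    if not re.fullmatch(r"[A-Za-z0-9_-]{2,90}", value):
        errors.append("alias must be 2-90 characters: letters, digits, '-' or '_' only")
    if value in RESERVED_ALIASES:
        errors.append(f"alias '{value}' is a Key Protect reserved name")
    return errors

def validate_kms_config(text):  # returns a list of problems; empty means the checks pass
    props = parse_properties(text)
    errors = [f"missing parameter: {k}" for k in REQUIRED if k not in props]
    if props.get("kmsType") != "ibmKeyProtect":
        errors.append("kmsType must be ibmKeyProtect")
    if props.get("ibm_region") not in IBM_REGIONS:
        errors.append(f"ibm_region '{props.get('ibm_region')}' is not a listed region")
    if props.get("disable_mk_creation") not in ("true", "false"):
        errors.append("disable_mk_creation must be true or false")
    if "ibm_kms_alias" in props:
        errors.extend(validate_alias(props["ibm_kms_alias"]))
    return errors
```

Run validate_kms_config on the contents of your KmsConfig.properties; an empty list means every check passed, otherwise each entry names the offending parameter.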

Next Steps:
