Configure IBM Key Protect and add it as a keystore

This document demonstrates how to configure IBM Key Protect and add it as a keystore in Baffle Manager. A reference for the necessary parameter settings is provided following the walkthrough procedure..

The IBM® Key Protect for IBM Cloud® service enables you to provision and store encrypted keys across your IBM Cloud environment. IBM Key Protect provides full encryption visibility and control, allowing you to see and manage data encryption and the entire key lifecycle from a single location.

Configure IBM Key Protect

Complete the following steps to configure IBM Key Protect. After completing this procedure, you can add IBM Key Protect as a keystore in Baffle Manager.

To configure IBM Key Protect, do the following:

  1. Get an IBM Instance ID in one of the following ways:
    • Using the IBM CLI – enter the following command in a shell window:
      ibmcloud resource service-instance 'Key Protect-Baffle-1'
    • Using the IBM Cloud web console – navigate to Services and software and select the Key Protect instance. The GUID is displayed in the sidebar, and  is what you use for the instanceID.
  2. Create and retrieve API Key, in the following way: 
    • Open a  web browser and navigate to: https://cloud.ibm.com/iam/apikeys.
    • Select Create an IBM Cloud API Key and name the key.
    • Copy or download the key after it’s created.
  3. Create Cloud Object Storage in the resource group.
  4. Create a Bucket in the COS instance, for example: bm-ibm-bucket
  5. Generate Service Credentials for the COS Bucket.
  6. In Object Storage, click on Service Credentials in the side panel. Then click New Credential.
  7. Enable HMAC and click Add. NOTE: The cos_hmac_keys give you the AWS S3 access_key_id and secret_access_key.
  8. Continue with adding IBM Key Protect as a keystore in Baffle Manager.

Add IBM Key Protect as a keystore in Baffle Manager

Complete the following steps to complete the process for using IBM Key Protect as a keystore in Baffle Manager.

To add IBM Key Protect as a keystore, do the following:

  1. In the Baffle Manager console, click the key icon in the left navigation bar. The Keystore window appears. NOTE: If this is the first time you are enrolling a Keystore, the baffle_credential_store will be the only keystore that appears in the list.
  2. Click +Keystore. The Add Keystore dialog appears.
  3. Enter a keystore Name and select IBM Key Protect in the Keystore Type drop-down menu.
  4. Enter the Instance ID (from step 1 of configuring IBM Key Protect) for the KeyProtect Instance.
  5. For App Namespace, enter a string to identify the application.
  6. For IBM Key Protect Alias, enter a unique string value.
  7. For the IAM API Key, use the key you created in step 2 of configuring IBM Key Protect.
  8. For IBM region, specify the region for the IBM Key Protect instance. See Available IBM region listing for more information.
  9. For the IBM Cloud Object Storage URL, specify the IBM endpoint URL for COS, for example: https://s3.us-south.cloud-object-storage.appdomain.cloud
  10. Enter the cos_hmac_keys from step 7 (from configuring IBM Key Protect) for the Access Key ID and Secret Key.
  11. When completed, click Add Keystore.

    NOTE: The key will not appear in IBM Key Protect until Baffle Shield has been connected and data encryption migration has occurred.

Parameters required in KmsConfig.properties

kmsType

ibmKeyProtect

instanceId

instance Id of keyProtect used for encrypt/decrypt keys

iam_api_key

api keys generated in Prerequisites 

ibm_region

KeyProtect Instance region

app_namespace

app name for encryption of keys

ibm_kms_alias

Either an alias or unique v4 uuid  that uniquely identify the keys


Each alias must be alphanumeric and cannot contain spaces or special characters other than - or _. 


The alias cannot be a UUID and must not be a Key Protect reserved name: allowed_ip, key, keys, metadata, policy, policies, registration, registrations, ring, rings, rotate, wrap, unwrap, rewrap, version, versions.


Alias size can be between 2 - 90 characters (inclusive)

disable_mk_creation

true/false

 

Available IBM region listing

Region

Public endpoints

Dallas

us-south

Washington DC

us-east

London

eu-gb

Frankfurt

eu-de

Sydney

au-syd

Tokyo

jp-tok

Osaka

jp-osa

 

For more information

For more information on the following topics, see the related IBM documentation.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.