---

copyright:
  years: 2022, 2026
lastupdated: "2026-04-29"

keywords: tutorials, key protect, bucket, encryption

subcollection: cloud-object-storage

content-type: tutorial
services:
account-plan: lite
completion-time: 10m

---

{{site.data.keyword.attribute-definition-list}}

# Encrypting a bucket with Key Protect
{: #tutorial-kp-encrypt-bucket}
{: toc-content-type="tutorial"}
{: toc-completion-time="10m"}

While all data stored in Cloud Object Storage is automatically encrypted using randomly generated keys, some workloads require that the keys can be rotated, deleted, or otherwise controlled by a key management system (KMS) like Key Protect.
{: shortdesc}

## Before you begin
{: #kp-encrypt-bucket-prereqs}

Before you use Key Protect with Cloud Object Storage buckets, you need:

As of 1 January 2025, five key versions per account are no longer free. You are charged for each key version, starting with the first created key.
{: important}

You also need to create a service instance from the IBM Cloud catalog and grant the appropriate permissions. This tutorial does not provide step-by-step instructions for getting started; that information is in the section Server-Side Encryption with IBM Key Protect (SSE-KP).

{{site.data.keyword.keymanagementserviceshort}} offers two deployment options to meet different security and compliance requirements:

- Standard (multi-tenant): A cost-effective solution with FIPS 140-2 Level 3 compliance and shared HSM infrastructure. IBM manages the HSM master keys.
- Dedicated (single-tenant): Enhanced security with FIPS 140-3 Level 4 compliance (submitted for certification), dedicated HSM partitions, and complete workload isolation. You own and manage your own master keys with no IBM administrator access.

For more information about choosing between Standard and Dedicated, see About Standard and Dedicated {{site.data.keyword.keymanagementserviceshort}}.

## Create a new encryption key
{: #kp-create-encryption-key}
{: step}

  1. Using the Navigation Menu, go to Resource List and expand Security.
  2. Click a Key Protect instance.
  3. Click the Add button.
  4. Click the Root key tab.
  5. Enter a Key name.
  6. Click Advanced Option and enter a Key description.
  7. Click the Add key button. Your new encryption key is listed in the Keys table.

## Create a new bucket and associate the key with it
{: #kp-encrypt-bucket-create}
{: step}

  1. Using the Navigation Menu, go to Resource List and expand Storage.
  2. Click your Storage instance.
  3. Click Create bucket.
  4. Click Create in the Create a Custom Bucket pane.
  5. Enter a unique bucket name.
  6. Select Resiliency>Regional.
  7. Select a Location.
  8. Select a Storage Class.
  9. Enable Service integrations>Encryption>Key management.
  10. Click Key Protect>Use existing instance.
  11. Select the Search by instance tab in the Key Protect integration side panel.
  12. Select a Key Protect instance from the menu.
  13. Select the Key name that you just created.
  14. Click the Associate key button.
  15. Click the Create bucket button. A popup message displays that a bucket was created successfully.
  16. Confirm by clicking the Configuration tab.
  17. Click Jump to>Key management (or scroll down the page).
  18. In the Associated key management services box, confirm that the Service instance and the Key that was associated with the bucket are shown.
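The same two procedures can be scripted instead of clicked through. The following Python script is an added example, not part of this tutorial and not IBM sample code: it creates a non-extractable root key through the Key Protect REST API (`POST /api/v2/keys`), then creates a bucket through the Cloud Object Storage S3 API with the `ibm-sse-kp-encryption-algorithm` and `ibm-sse-kp-customer-root-key-crn` request headers that bind the bucket to that key at creation time. The request builders are pure functions, so they can be inspected and tested offline; the environment variable names (`IAM_TOKEN`, `KP_ENDPOINT`, `KP_INSTANCE_ID`, `COS_ENDPOINT`, `COS_INSTANCE_ID`, `BUCKET_NAME`) and the CRN format check are this example's own assumptions, not API requirements.

```python
"""Scripted equivalent of the two click-through procedures (added example)."""
import json
import os
import re
import urllib.request

KP_KEY_TYPE = "application/vnd.ibm.kms.key+json"

# Key Protect key CRN layout (assumed shape for the sanity check):
# crn:v1:bluemix:public:kms:<region>:a/<account-id>:<instance-id>:key:<key-id>
KP_KEY_CRN_RE = re.compile(
    r"^crn:v1:bluemix:public:kms:[a-z0-9-]+:a/[0-9a-f]{32}:"
    r"[0-9a-f-]{36}:key:[0-9a-f-]{36}$"
)


def build_root_key_request(name: str, description: str) -> dict:
    """Body for POST {KP_ENDPOINT}/api/v2/keys (the 'Root key' tab in the UI).

    extractable=False is what makes the key a root key: it never leaves the
    HSM and is only used to wrap the data encryption keys of the bucket.
    """
    return {
        "metadata": {"collectionType": KP_KEY_TYPE, "collectionTotal": 1},
        "resources": [{
            "type": KP_KEY_TYPE,
            "name": name,
            "description": description,
            "extractable": False,
        }],
    }


def kp_headers(iam_token: str, kp_instance_id: str) -> dict:
    """Headers for the Key Protect API: IAM bearer token plus the instance ID."""
    return {
        "Authorization": f"Bearer {iam_token}",
        "Bluemix-Instance": kp_instance_id,
        "Content-Type": KP_KEY_TYPE,
        "Accept": KP_KEY_TYPE,
    }


def is_kp_key_crn(crn: str) -> bool:
    """Sanity check (added, not an API rule): refuse anything that is not a kms key CRN,
    e.g. an instance CRN or a bucket CRN pasted by mistake."""
    return bool(KP_KEY_CRN_RE.match(crn))


def build_create_bucket_headers(cos_instance_id: str, root_key_crn: str) -> dict:
    """Headers for S3 PUT /{bucket}; the two ibm-sse-kp-* headers associate the key."""
    if not is_kp_key_crn(root_key_crn):
        raise ValueError(f"not a Key Protect key CRN: {root_key_crn!r}")
    return {
        "ibm-service-instance-id": cos_instance_id,
        "ibm-sse-kp-encryption-algorithm": "AES256",
        "ibm-sse-kp-customer-root-key-crn": root_key_crn,
    }


def build_create_bucket_body(location: str, storage_class: str) -> bytes:
    """Regional bucket body; LocationConstraint is '<location>-<storage class>',
    e.g. us-south-smart (the Location and Storage Class picked in the UI)."""
    return (
        "<CreateBucketConfiguration>"
        f"<LocationConstraint>{location}-{storage_class}</LocationConstraint>"
        "</CreateBucketConfiguration>"
    ).encode()


def _send(url: str, method: str, headers: dict, body: bytes) -> bytes:
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    env = os.environ  # all names below are this example's assumptions
    token = env["IAM_TOKEN"]

    # Step 1: create the root key (UI section "Create a new encryption key").
    key_resp = json.loads(_send(
        f"{env['KP_ENDPOINT']}/api/v2/keys", "POST",
        kp_headers(token, env["KP_INSTANCE_ID"]),
        json.dumps(build_root_key_request("cos-bucket-root-key",
                                          "Root key for bucket SSE-KP")).encode(),
    ))
    root_key_crn = key_resp["resources"][0]["crn"]

    # Step 2: create the bucket with the key associated (UI section
    # "Create a new bucket and associate the key with it").
    headers = {"Authorization": f"Bearer {token}",
               **build_create_bucket_headers(env["COS_INSTANCE_ID"], root_key_crn)}
    _send(f"{env['COS_ENDPOINT']}/{env['BUCKET_NAME']}", "PUT", headers,
          build_create_bucket_body("us-south", "smart"))
    print(f"bucket {env['BUCKET_NAME']} created with root key {root_key_crn}")
```

Because SSE-KP is configured on the bucket-creation request itself, the script validates the CRN before sending anything: a typo that passed a bucket or instance CRN would otherwise only surface as an API error after the key was already created and billed.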