---
copyright:
lastupdated: "2024-05-06"
keywords: faq, frequently asked questions, object storage, rclone, encryption, Cyberduck, key protect, FedRAMP, AES, SHA
subcollection: cloud-object-storage
content-type: faq
---
{{site.data.keyword.attribute-definition-list}}
{: #faq-encryption}
Frequently asked questions can produce helpful answers and insight into best practices for working with {{site.data.keyword.cos_full}}. {: shortdesc}
{: #faq-authenticate} {: faq}
You can authenticate with either an IBM Cloud IAM OAuth 2 bearer token or an HMAC access key/secret key pair. The HMAC key pair is what S3-compatible tools such as rclone, Cyberduck, and others use, because they sign requests the same way they would for any S3 endpoint.
- For instructions to obtain an OAuth token, see Generating an IBM Cloud IAM token by using an API key.
- For instructions to obtain the HMAC credentials, see Using HMAC Credentials.
Also, see API Key vs HMAC.
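The two authentication paths differ in what the client sends: the OAuth path sends a token obtained from IAM, the HMAC path never sends the secret at all and instead sends a Signature Version 4 signature derived from it. The following is an added example (not code from the IBM documentation or from any IBM SDK) that builds both request shapes offline without sending anything. The IAM token endpoint and grant type are the public ones; the access key, secret key, API key, bucket name and endpoint host are placeholders, and the signer assumes a request with no query string.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote, urlencode

# Public IAM token endpoint and the grant type that exchanges an API key for a bearer token.
IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
IAM_APIKEY_GRANT = "urn:ibm:params:oauth:grant-type:apikey"

# Fixed timestamp so the signing demo is reproducible; a real client uses the current UTC time.
DEMO_TIME = datetime.datetime(2024, 5, 6, 12, 0, 0, tzinfo=datetime.timezone.utc)


def iam_token_request(api_key: str) -> dict:
    """Build (but do not send) the POST that exchanges an IAM API key for an OAuth 2 access token.

    The JSON response carries "access_token", which is then sent on COS requests as
    "Authorization: Bearer <access_token>" (see bearer_header).
    """
    return {
        "method": "POST",
        "url": IAM_TOKEN_URL,
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode({"grant_type": IAM_APIKEY_GRANT, "apikey": api_key}),
    }


def bearer_header(access_token: str) -> dict:
    """Header for the OAuth path: the (short-lived) token itself is the proof of identity."""
    return {"Authorization": f"Bearer {access_token}"}


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(access_key_id, secret_access_key, method, host, path,
                  body=b"", region="us-south", now=None) -> dict:
    """Headers for the HMAC path: an AWS Signature Version 4 signature over the request.

    This is what rclone or Cyberduck compute internally from an HMAC credential.
    The secret key stays on the client; only the derived signature is transmitted.
    Assumes no query string, so the canonical query component is empty.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body).hexdigest()   # binds the signature to the body

    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))
    canonical_request = "\n".join(
        [method, quote(path), "", canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])

    # Key derivation chain: secret -> date -> region -> service -> signing key.
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers
```

Because the signature covers the date, the region and service scope, the signed headers and the SHA-256 of the body, a captured request cannot be replayed against another bucket region or with a different payload, and it expires with the timestamp window the service enforces. The bearer token has no such binding, which is why it is short-lived and must only travel over TLS.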
{: #faq-encrypt-basics} {: faq}
Yes. Data at rest is encrypted automatically on the provider side with 256-bit Advanced Encryption Standard (AES-256), with a Secure Hash Algorithm (SHA-256) hash for integrity. Data in motion is protected by the built-in carrier-grade Transport Layer Security (TLS, the successor to SSL) or by SNMPv3 (a network management protocol) with AES encryption.
If you want more control over encryption, you can use IBM Key Protect to manage either keys that the service generates or keys that you bring yourself (bring your own key, BYOK). For details, see Key Protect COS integration.
{: #faq-encrypt-add} {: faq}
Server-side encryption is always on for customer data, so there is nothing to enable. Compared with the hashing that S3 authentication requires and with erasure coding, encryption is not a significant part of the processing cost of {{site.data.keyword.cos_short}}.
{: #faq-encrypt-all} {: faq}
Yes, {{site.data.keyword.cos_short}} encrypts all data.
{: #troubleshooting-cos-encryption} {: faq}
- Go to the {{site.data.keyword.cos_full_notm}} documentation for managing encryption to research the encryption topic.
- Choose between {{site.data.keyword.keymanagementservicefull}} and {{site.data.keyword.hscrypto}} for your encryption needs.
- Remember that customer-provided keys (SSE-C) apply per object: an object written with a customer-provided key can be read only by supplying that same key again.
- Use IBM Key Protect or {{site.data.keyword.hscrypto}} to create, add, and manage keys, which you can then associate with your instance of {{site.data.keyword.cos_full_notm}}.
- Grant service authorization so that your {{site.data.keyword.cos_short}} instance can use the key management service:
    1. Open your IBM Cloud dashboard.
    2. From the menu bar, click Manage > Access.
    3. In the side navigation, click Authorizations.
    4. Click Create authorization.
    5. In the Source service menu, select Cloud Object Storage.
    6. In the Source service instance menu, select the service instance to authorize.
    7. In the Target service menu, select IBM Key Protect or {{site.data.keyword.hscrypto}}.
    8. In the Target service instance menu, select the service instance to authorize.
    9. Enable the Reader role; no higher role is needed for the integration.
    10. Click Authorize.
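The console steps above create an IAM authorization policy whose subject is one COS instance, whose resource is one Key Protect or {{site.data.keyword.hscrypto}} instance, and whose only role is Reader. The following is an added example (not IBM code) that builds the same policy as a JSON document, runs a least-privilege check on it, and assembles the IAM `POST /v1/policies` request without sending it. The policy document shape (`type`, `subjects`, `roles`, `resources` with `accountId`/`serviceName`/`serviceInstance` attributes), the Reader role CRN, and the target service names `kms` and `hs-crypto` are assumptions about the IAM policy API; the account ID, instance GUIDs and token are placeholders.

```python
import json

# Assumed IAM identifiers (see lead-in): the Reader service-role CRN and the
# IAM service names of the two key-management targets.
READER_ROLE_CRN = "crn:v1:bluemix:public:iam::::serviceRole:Reader"
KMS_SERVICE_NAMES = {"key-protect": "kms", "hpcs": "hs-crypto"}
IAM_POLICIES_URL = "https://iam.cloud.ibm.com/v1/policies"


def cos_to_kms_authorization(account_id, cos_instance_guid, kms, kms_instance_guid) -> dict:
    """Build the authorization policy equivalent to the console steps.

    Source: exactly one COS service instance. Target: exactly one Key Protect or
    HPCS instance. Role: Reader only, which is all the integration needs.
    """
    if kms not in KMS_SERVICE_NAMES:
        raise ValueError(f"kms must be one of {sorted(KMS_SERVICE_NAMES)}")
    return {
        "type": "authorization",
        "subjects": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": "cloud-object-storage"},
            {"name": "serviceInstance", "value": cos_instance_guid},
        ]}],
        "roles": [{"role_id": READER_ROLE_CRN}],
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": KMS_SERVICE_NAMES[kms]},
            {"name": "serviceInstance", "value": kms_instance_guid},
        ]}],
    }


def policy_problems(policy: dict) -> list:
    """Least-privilege review to run before creating a policy.

    Flags any role beyond Reader and any subject or resource that is not pinned
    to a single service instance (an account-wide grant would let every COS
    instance in the account reach every key in the KMS instance).
    """
    problems = []
    if policy.get("type") != "authorization":
        problems.append("not an authorization policy")
    for role in policy.get("roles", []):
        if role.get("role_id") != READER_ROLE_CRN:
            problems.append(f"role broader than Reader: {role.get('role_id')}")
    for side in ("subjects", "resources"):
        for entry in policy.get(side, []):
            names = {attr.get("name") for attr in entry.get("attributes", [])}
            if "serviceInstance" not in names:
                problems.append(f"{side}: not scoped to a single service instance")
    return problems


def policy_request(policy: dict, iam_token: str) -> dict:
    """The HTTP request (built, not sent) that creates the policy with an IAM bearer token."""
    if policy_problems(policy):
        raise ValueError("refusing to build a request for an over-broad policy")
    return {
        "method": "POST",
        "url": IAM_POLICIES_URL,
        "headers": {"Authorization": f"Bearer {iam_token}", "Content-Type": "application/json"},
        "body": json.dumps(policy),
    }
```

The check in `policy_problems` is the part worth keeping in a pipeline: the console makes it easy to pick a broader role or to leave an instance unselected, and an authorization that is wider than one instance to one instance is the kind of silent over-grant that only shows up in an access review.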
{: #faq-encrypt-fips} {: faq}
Yes. The IBM COS Federal offering is approved for FedRAMP Moderate security controls, which require a validated FIPS configuration; IBM COS Federal is certified at FIPS 140-2 Level 1. For more information about the COS Federal offering, contact us through our Federal site.
{: #faq-encrypt-client} {: faq}
Yes. Client-controlled keys are supported in three ways: SSE-C, where you send a key with each request and the service uses it for that request without storing it, so you must keep the key to read the object back; and Key Protect or HPCS, where a root key that you own in the key management service protects the data encryption keys.
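With SSE-C the key is carried in three request headers on every PUT, GET and HEAD of the object, which is why the request must go over TLS and why losing the key means losing the object. The following is an added example (not IBM code) that generates a 256-bit customer key, builds the standard S3 SSE-C headers, and runs the same key/MD5 consistency check on the client that the service performs before it will use the key. The header names are the standard S3 ones; nothing here is sent anywhere.

```python
import base64
import hashlib
import secrets

SSE_C_ALGORITHM = "AES256"   # the only SSE-C algorithm value; it implies a 32-byte key


def new_ssec_key() -> bytes:
    """Generate a fresh 256-bit customer key. Keep it safely: the service does not
    store it, and an object written with it cannot be read back without it."""
    return secrets.token_bytes(32)


def ssec_headers(key: bytes) -> dict:
    """Headers that attach a customer-provided key to a PUT, GET or HEAD request.

    The key travels in the request itself (base64), so SSE-C is only safe over TLS.
    The MD5 header lets the service detect a corrupted or truncated key before
    it encrypts with it, which would otherwise make the object unrecoverable.
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    # MD5 here is an integrity check of the key field, not a security primitive.
    key_md5 = hashlib.md5(key, usedforsecurity=False).digest()
    return {
        "x-amz-server-side-encryption-customer-algorithm": SSE_C_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode("ascii"),
    }


def ssec_headers_match(headers: dict) -> bool:
    """Client-side pre-flight mirroring the server's check: the algorithm is AES256,
    the key decodes to exactly 32 bytes, and the MD5 header matches the key."""
    try:
        if headers["x-amz-server-side-encryption-customer-algorithm"] != SSE_C_ALGORITHM:
            return False
        key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"], validate=True)
        md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"], validate=True)
    except (KeyError, ValueError):       # missing header or invalid base64
        return False
    return len(key) == 32 and hashlib.md5(key, usedforsecurity=False).digest() == md5


def same_key(put_headers: dict, get_headers: dict) -> bool:
    """True when a later read presents the same key that was used on the write.

    Useful when keys are looked up from a client-side key store by object name:
    a mismatch will be rejected by the service, so catch it before the request.
    """
    return (ssec_headers_match(put_headers) and ssec_headers_match(get_headers)
            and put_headers["x-amz-server-side-encryption-customer-key"]
            == get_headers["x-amz-server-side-encryption-customer-key"])
```

Contrast this with the Key Protect and HPCS paths: there the root key never leaves the key management service, the COS instance reaches it only through the Reader authorization, and rotating or disabling the root key takes effect without the client ever handling key material.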
{: #faq-default-enc} {: faq}
Yes. By default, all objects stored in {{site.data.keyword.cos_short}} are encrypted with randomly generated keys and an all-or-nothing transform (AONT). You can view the encryption details by using the IBM Cloud UI or CLI. For details, see Cloud Storage Encryption.