copyright: years 2022, 2025
lastupdated: 2024-09-16
keywords: tutorials, key protect, bucket, encryption
subcollection: cloud-object-storage
content-type: tutorial
services:
account-plan: lite
completion-time: 10m

{{site.data.keyword.attribute-definition-list}}

Encrypting a bucket with Key Protect

{: #tutorial-kp-encrypt-bucket} {: toc-content-type="tutorial"} {: toc-completion-time="10m"}

While all data stored in Cloud Object Storage is automatically encrypted using randomly generated keys, some workloads require that the keys can be rotated, deleted, or otherwise controlled by a key management system (KMS) like Key Protect. {: shortdesc}

Before you begin

{: #kp-encrypt-bucket-prereqs}

Before you plan on using Key Protect with Cloud Object Storage buckets, you need:

You will also need to ensure that a service instance is created by using the IBM Cloud catalog and that the appropriate permissions are granted. This tutorial does not walk through those setup steps; they are covered in the section Server-Side Encryption with IBM Key Protect (SSE-KP).

Create a new encryption key

{: #kp-create-encryption-key} {: step}

  1. Using the Navigation Menu, go to Resource List and expand Security.
  2. Click a Key Protect instance.
  3. Click the Add button.
  4. Click the Root key tab.
  5. Enter a Key name.
  6. Click Advanced Option and enter a Key description.
  7. Click the Add key button. Your new encryption key is listed in the Keys table.

Create a new bucket and associate the key with it

{: #kp-encrypt-bucket-create} {: step}

  1. Using the Navigation Menu, go to Resource List and expand Storage.
  2. Click your Storage instance.
  3. Click Create bucket.
  4. Click Create in the Create a Custom Bucket pane.
  5. Enter a unique bucket name.
  6. Select Resiliency>Regional.
  7. Select a Location.
  8. Select a Storage Class.
  9. Enable Service integrations>Encryption>Key management.
  10. Click Key Protect>Use existing instance.
  11. Select the Search by instance tab in the Key Protect integration side panel.
  12. Select a Key Protect instance from the menu.
  13. Select the Key name that you just created.
  14. Click the Associate key button.
  15. Click the Create bucket button. A popup message displays that a bucket was created successfully.
  16. Confirm by clicking the Configuration tab.
  17. Click Jump to>Key management (or scroll down the page).
  18. In the Associated key management services box, see the Service instance and the Key that was associated with the bucket.
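
The console steps above correspond to two SSE-KP headers on the bucket-creation request, and the confirmation in the last steps corresponds to headers returned by a `HEAD` request on the bucket. The following is an added example, not part of the original tutorial: it builds the creation headers and audits `HEAD` response headers against the expected root key. The function names, the CRN, and the bucket names are constructed for illustration, and the CRN pattern is a simplified assumption about the format.

```python
import re

# Header names used by the Cloud Object Storage S3 API for SSE-KP.
H_ALG = "ibm-sse-kp-encryption-algorithm"
H_CRN = "ibm-sse-kp-customer-root-key-crn"
H_ENABLED = "ibm-sse-kp-enabled"

# Simplified pattern (assumption): a Key Protect key CRN has service "kms"
# and resource type "key".
KEY_CRN = re.compile(r"^crn:v1:[^:]+:[^:]+:kms:[^:]+:a/[0-9a-f]+:"
                     r"[0-9a-f-]{36}:key:[0-9a-f-]{36}$")

def create_bucket_headers(root_key_crn):
    """Headers to send with the bucket PUT so it is created with SSE-KP."""
    if not KEY_CRN.match(root_key_crn):
        raise ValueError("not a Key Protect key CRN")
    return {H_ALG: "AES256", H_CRN: root_key_crn}

def audit_bucket(head_headers, expected_crn):
    """Return findings for one bucket's HEAD response headers ([] means OK)."""
    h = {k.lower(): v.strip() for k, v in head_headers.items()}
    if h.get(H_ENABLED, "").lower() != "true":
        return ["SSE-KP not enabled"]
    actual = h.get(H_CRN)
    if actual is None:
        return ["SSE-KP enabled but no root key CRN reported"]
    if actual != expected_crn:
        return ["bucket uses a different root key: " + actual]
    return []

# Constructed sample data: not real account, instance, or key identifiers.
SAMPLE_CRN = ("crn:v1:bluemix:public:kms:us-south:"
              "a/0123456789abcdef0123456789abcdef:"
              "11111111-2222-3333-4444-555555555555:key:"
              "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
OTHER_CRN = SAMPLE_CRN[:-1] + "f"
SAMPLE_HEADS = {
    "encrypted-bucket": {"Ibm-Sse-Kp-Enabled": "True", H_CRN: SAMPLE_CRN},
    "plain-bucket": {"Content-Length": "0"},
    "wrong-key-bucket": {H_ENABLED: "true", H_CRN: OTHER_CRN},
}

if __name__ == "__main__":
    print(create_bucket_headers(SAMPLE_CRN))
    for name, headers in SAMPLE_HEADS.items():
        print(name, audit_bucket(headers, SAMPLE_CRN) or "OK")
```
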