About Standard and Dedicated Key Protect
IBM® Key Protect for IBM Cloud® offers two deployment options to meet different security and compliance requirements: Standard (multi-tenant) and Dedicated (single-tenant).
Both versions provide full-service encryption solutions that allow data to be secured and stored in IBM Cloud using envelope encryption techniques and cloud-based hardware security modules. Standard is a multi-tenant offering, where Key Protect manages the isolation of keys and resources. Dedicated is single-tenant, offering full control of keys (master key and root keys) and confidential computing.
All existing key operations (for example, key creations, rotations, deletions) are available for the Dedicated option in the console. However, initializing the service requires following CLI instructions that can be found in Initializing Dedicated Key Protect by creating an instance, credentials, and a master key.
Overview of both offerings
Both Standard and Dedicated Key Protect protect sensitive data by encrypting data encryption keys (DEKs) with root keys managed through hardware security modules. In Standard, the master keys are managed by IBM. In Dedicated, you own and manage your own master keys. In this envelope encryption system, decrypting data requires first "unwrapping" the encrypted DEK and then using the DEK to decrypt the data.
For more information about how envelope encryption works, see Protecting data with envelope encryption.
Unsure which IBM Cloud security service is right for your use case? Check out Which data security service is best for me? for more information.
Key similarities
Both Standard and Dedicated Key Protect share the following core capabilities:
Encryption and key management
- Envelope encryption
  - Used to protect data encryption keys with root keys.
- AES-GCM encryption
  - Both use the Advanced Encryption Standard algorithm in Galois/Counter Mode (AES GCM) to wrap and unwrap DEKs.
- 256-bit key material
  - Both support 256-bit key material for created root keys.
- Key lifecycle management
  - Creating, importing, rotating, and managing encryption keys are supported.
- Key operations
  - All existing key operations (creations, rotations, deletions) are available in both versions.
Integration and access
- IAM integration
  - Both integrate with IBM Cloud Identity and Access Management (IAM) for fine-grained access control.
- API compatibility
  - Both use the same key-provider API, ensuring a consistent developer experience.
- Service integrations
  - Both integrate with IBM Cloud services including database, storage, container, and ingestion services.
- HTTPS communication
  - Both use HTTPS with the Transport Layer Security (TLS) protocol to encrypt data in transit.
- REST API
  - Both provide REST APIs for encryption key creation and management.
Management capabilities
- Key rings
  - Both support organizing keys using key rings.
- Key aliases
  - Both support creating aliases for keys.
- Rotation policies
  - Both allow setting rotation schedules for keys.
- Dual authorization
  - Both support dual authorization policies for key deletion.
- KMIP support
  - Both offer Key Management Interoperability Protocol (KMIP) support, certified by VMware.
Key differences
The following table highlights the primary differences between Standard and Dedicated Key Protect:
| Feature | Standard Key Protect | Dedicated Key Protect |
|---|---|---|
| Tenancy model | Multi-tenant with shared HSMs | Single-tenant with dedicated HSM partitions |
| HSM certification | FIPS 140-2 Level 3 certified | Submitted to NIST for FIPS 140-3 Level 4 certification |
| Key control | Bring Your Own Key (BYOK) | Keep Your Own Key (KYOK) |
| IBM administrator access | IBM administrators have operational access | No visibility for IBM Cloud administrators |
| HSM partition ownership | Shared HSM resources | Exclusive ownership of HSM partitions (crypto units) |
| Master key management | IBM-managed HSM master keys | User-owned master keys |
| Administrator assignment | IBM-managed | User assigns their own administrators |
| Initialization | Console or CLI | CLI required for initialization |
| Workload isolation | Shared infrastructure | Complete workload isolation |
| Crypto units | Not applicable | Operational crypto units for key management and cryptographic operations |
| Key hierarchy control | IBM manages root of trust | User owns root of trust |
| Privileged access | IBM operational access | No operational access for provider |
Standard Key Protect features
Standard Key Protect is a multi-tenant service that provides cost-effective encryption key management with shared infrastructure and IBM-managed security operations.
What Standard offers
- Bring your encryption keys to the cloud
  - Fully control and strengthen your key management practices by securely exporting symmetric keys from your internal key management infrastructure into IBM Cloud.
- Robust security
  - Provision and store keys using FIPS 140-2 Level 3 hardware security modules (HSMs). Leverage IBM Cloud Identity and Access Management (IAM) roles to provide fine-grain access control to your keys.
- Control and visibility
  - Use IBM Cloud Logs to measure how users and applications interact with Key Protect.
- Simplified billing
  - Track subscription and credit spending for all accounts from a single view. To learn more about keys, key versions, and pricing, check out Pricing.
- Self-managed encryption
  - Create or import root and standard keys to protect your data.
- Flexibility
  - Apps on or outside IBM Cloud can integrate with the Key Protect APIs. Key Protect integrates easily with a variety of IBM database, storage, container, and ingestion services.
- Built-in protection
  - Deleted keys, and their encrypted data, can never be recovered. Manage your user roles, key states, and set a rotation schedule that works for your use case using the UI, CLI, or API.
- Application-independent
  - Generate, store, retrieve, and manage keys independent of application logic.
Standard Key Protect is ideal for organizations that need robust encryption key management with shared infrastructure and IBM-managed security operations.
Dedicated Key Protect features
Dedicated Key Protect is a single-tenant service designed to provide enterprises with full control over their encryption keys and cryptographic operations in the cloud.
What Dedicated offers
- Complete key control
  - KYOK capabilities ensure only you have access to your keys, with no visibility for IBM Cloud administrators.
- FIPS 140-3 Level 4 HSMs (submitted for NIST certification)
  - Submitted to NIST for certification under the latest hardware security module certification standard.
- Dedicated HSM partitions
  - Exclusive crypto units for enhanced security and workload isolation.
- User-managed master keys
  - Full control over the root of trust that encrypts the entire hierarchy of encryption keys.
- Custom administrators
  - Assign your own HSM administrators using RSA signature authentication keys.
- Workload isolation
  - Complete separation from other tenants with dedicated infrastructure.
- Enhanced compliance
  - Meets stringent regulatory requirements for data sovereignty and security.
- Zero trust
  - Infrastructure runs on Red Hat OpenShift Confidential Containers fortified by Intel TDX secure enclaves.
All existing key operations (for example, key creations, rotations, deletions) are available in the console. However, initializing the service requires following CLI instructions that can be found in Initializing Dedicated Key Protect by creating an instance, credentials, and a master key.
Dedicated-specific concepts
Dedicated Key Protect introduces several unique concepts:
- Crypto units
  - A single unit representing an HSM and corresponding software stack dedicated to cryptography. Operational crypto units manage encryption keys and perform cryptographic operations.
- RSA signature authentication keys
  - Administrators use RSA-based signature keys to sign commands issued to crypto units. The private key creates signatures and is stored locally in an encrypted keyfile, while the public key is installed in the crypto unit to define administrators.
- Master key (HSM master backup key)
  - A symmetric 256-bit AES key that encrypts the service instance for key storage. With the master key, you own the root of trust that encrypts the entire hierarchy of encryption keys. Deleting the master key effectively crypto-shreds all encrypted data.
- Master key parts
  - When initializing using key part files, a master key is composed of two or more master key parts. Each part is a symmetric 256-bit AES key that can be owned by different people for enhanced security.
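The administrator sign-and-verify step described under "RSA signature authentication keys", as an added Go example that is not IBM's implementation: each administrator signs a command with a locally held RSA private key, and a modelled crypto unit executes the command only if the signature verifies under one of the installed administrator public keys. The signature scheme (RSA-PSS over a SHA-256 digest), the 2048-bit key size, the in-memory private key standing in for the encrypted keyfile, the command strings, and all type and function names are assumptions, since the page does not specify them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Admin holds an administrator's RSA signing key. In the service the private key
// sits in an encrypted keyfile on the administrator's machine; here it is generated in memory.
type Admin struct {
	Name string
	priv *rsa.PrivateKey
}

// NewAdmin generates a 2048-bit RSA key pair for the named administrator (size is an assumption).
func NewAdmin(name string) (*Admin, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Admin{Name: name, priv: priv}, nil
}

// Public returns the half of the key pair that is installed in a crypto unit.
func (a *Admin) Public() *rsa.PublicKey { return &a.priv.PublicKey }

// SignedCommand is a command for the crypto unit plus the issuer's RSA-PSS
// signature over the SHA-256 digest of the command text (scheme is an assumption).
type SignedCommand struct {
	Command   string
	Signature []byte
}

// Sign produces the signature that the crypto unit later checks.
func (a *Admin) Sign(command string) (*SignedCommand, error) {
	digest := sha256.Sum256([]byte(command))
	sig, err := rsa.SignPSS(rand.Reader, a.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SignedCommand{Command: command, Signature: sig}, nil
}

// CryptoUnit models how administrators are defined inside a unit: the set of
// installed public keys, indexed by administrator name.
type CryptoUnit map[string]*rsa.PublicKey

// Execute accepts a command only if its signature verifies under one of the
// installed administrator keys, and reports which administrator issued it.
func (u CryptoUnit) Execute(cmd *SignedCommand) (string, error) {
	digest := sha256.Sum256([]byte(cmd.Command))
	for name, pub := range u {
		if rsa.VerifyPSS(pub, crypto.SHA256, digest[:], cmd.Signature, nil) == nil {
			return name, nil
		}
	}
	return "", errors.New("signature does not verify under any installed administrator key")
}

// Demo installs one administrator and submits a valid command, a command whose text
// was changed after signing, and a command signed by a key that was never installed.
// It returns who the valid command was attributed to and whether the other two were rejected.
func Demo() (string, bool, bool, error) {
	alice, err := NewAdmin("alice")
	if err != nil {
		return "", false, false, err
	}
	outsider, err := NewAdmin("outsider") // key pair never installed in the unit
	if err != nil {
		return "", false, false, err
	}
	unit := CryptoUnit{alice.Name: alice.Public()}
	// Constructed command text; the page does not show the real command format.
	cmd, err := alice.Sign("set-rotation-policy interval=30d")
	if err != nil {
		return "", false, false, err
	}
	acceptedAs, err := unit.Execute(cmd)
	if err != nil {
		return "", false, false, err
	}
	altered := &SignedCommand{Command: cmd.Command + " interval=1d", Signature: cmd.Signature}
	_, alteredErr := unit.Execute(altered)
	other, err := outsider.Sign(cmd.Command)
	if err != nil {
		return "", false, false, err
	}
	_, outsiderErr := unit.Execute(other)
	return acceptedAs, alteredErr != nil, outsiderErr != nil, nil
}

func main() {
	fmt.Println(Demo())
}
```

Running `Demo` attributes the untouched command to `alice` and rejects both the altered command and the one signed by the uninstalled key; the point of the model is that the unit's notion of "who is an administrator" is exactly the set of installed public keys, so removing a key from that set withdraws that person's ability to issue commands.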
Use case comparison
The following diagram illustrates use cases where Standard or Dedicated Key Protect would be most appropriate. The primary factor in choosing between Standard and Dedicated is the level of security and control you require for your data.
When to use Standard Key Protect
Standard Key Protect is ideal for:
- Organizations requiring FIPS 140-2 Level 3 encryption.
- Cost-sensitive deployments that can use shared infrastructure.
- Rapid deployment requirements.
- Standard compliance and regulatory requirements.
- Applications that need BYOK capabilities.
- Integration with multiple IBM Cloud services.
- Organizations comfortable with IBM-managed HSM infrastructure.
When to use Dedicated Key Protect
Dedicated Key Protect is ideal for:
- Organizations requiring FIPS 140-3 Level 4 (submitted for certification) encryption.
- Stringent regulatory compliance requiring data sovereignty.
- Regulated industries with sensitive data and strict security requirements (finance, healthcare, government).
- Organizations requiring full control of the root of trust for keys and the HSM.
- Complete workload isolation requirements.
- Organizations that need to eliminate privileged access risks.
- Scenarios requiring custom HSM administrator assignment.
- Organizations that need full control over the encryption key hierarchy.
Common scenarios
Here are common scenarios that explain how both versions of Key Protect can be used:
| Scenario | Standard | Dedicated |
|---|---|---|
| Generate and manage encryption keys backed by FIPS-certified hardware | ✓ FIPS 140-2 Level 3 certified | ✓ (Submitted to NIST for FIPS 140-3 Level 4 certification) |
| IT admin needs to integrate, track, and rotate encryption keys for multiple services | ✓ | ✓ |
| Developer wants to integrate pre-existing applications with key management | ✓ | ✓ |
| Development team has stringent policies requiring rapid key generation and rotation | ✓ | ✓ |
| Security admin needs controlled access without compromising data security | ✓ | ✓ |
| Perform envelope encryption with master encryption keys | ✓ | ✓ |
| Eliminate all IBM administrator access to encryption keys | ✗ | ✓ |
| Require dedicated HSM partitions for regulatory compliance | ✗ | ✓ |
| Need complete control over HSM master keys | ✗ | ✓ |
| Assign custom HSM administrators | ✗ | ✓ |
| Cost-effective shared infrastructure | ✓ | ✗ |
| For public and internal data, cloud workloads like cloud object storage, physical storage, block storage, file systems, and databases | ✓ | ✗ |
| For sensitive and confidential data (PHI, PII, financial records), database and object storage, AI models and data, and data-in-use protection (confidential computing) | | Recommended |
Architecture overview
Both Standard and Dedicated Key Protect use similar architectural components with key differences in tenancy and control.
Key Protect uses the Advanced Encryption Standard algorithm in Galois/Counter Mode (AES GCM) to wrap and unwrap DEKs. Root keys that are not imported are created with 256-bit key material. Imported root keys can have 128, 192, or 256-bit key material.
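The wrap/unwrap flow described in this paragraph and in the overview above, as an added Go example that is not Key Protect's own code or SDK: a root key wraps a one-time DEK with AES-GCM, the data is encrypted under the DEK, and decryption must unwrap the DEK before it can touch the data. It also accepts the three root key sizes listed for imported keys (128, 192, 256 bits) and rejects any other. The function names, the use of the root key ID as GCM additional authenticated data, and the in-process root key (a stand-in for material that, in the service, never leaves the HSM) are assumptions for illustration; the message and key ID are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what an application stores: the data encrypted under a DEK, and
// the DEK encrypted ("wrapped") under a root key. The plaintext DEK is not kept.
type Envelope struct {
	WrappedDEK []byte // nonce || ciphertext || tag, with the root key ID as AAD
	Ciphertext []byte // nonce || ciphertext || tag of the data
}

// NewRootKey returns random root key material. Key Protect creates 256-bit root
// keys and accepts imported 128-, 192- or 256-bit material, so only those sizes
// are allowed. Real root keys never leave the HSM; this in-memory copy is illustrative.
func NewRootKey(bits int) ([]byte, error) {
	if bits != 128 && bits != 192 && bits != 256 {
		return nil, errors.New("root key material must be 128, 192, or 256 bits")
	}
	key := make([]byte, bits/8)
	_, err := rand.Read(key)
	return key, err
}

// newGCM builds an AES-GCM AEAD for the given key material.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random 96-bit nonce and returns
// nonce || ciphertext || tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the GCM tag check fails if nonce, ciphertext or aad changed.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, errors.New("bad key material or sealed blob too short")
	}
	n := aead.NonceSize()
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt generates a one-time 256-bit DEK, encrypts data with it, and wraps the
// DEK under the root key, binding the wrapped blob to rootKeyID through the AAD.
func Encrypt(rootKey []byte, rootKeyID string, data []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, data, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(rootKey, dek, []byte(rootKeyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt is the two-step path the text describes: unwrap the DEK with the root
// key first, then use the DEK to decrypt the data.
func Decrypt(rootKey []byte, rootKeyID string, env *Envelope) ([]byte, error) {
	dek, err := open(rootKey, env.WrappedDEK, []byte(rootKeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, nil)
}

func main() {
	rootKey, _ := NewRootKey(256)           // size is valid, so the error is ignored here
	const rootKeyID = "example-root-key-id" // constructed placeholder, not a real key ID
	env, err := Encrypt(rootKey, rootKeyID, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(rootKey, rootKeyID, env)
	fmt.Printf("plaintext=%q err=%v\n", plain, err)
	env.WrappedDEK[len(env.WrappedDEK)-1] ^= 0x01 // change one bit of the wrapped DEK
	_, err = Decrypt(rootKey, rootKeyID, env)
	fmt.Println("after tampering:", err) // GCM authentication fails at the unwrap step
}
```

Running it prints the recovered plaintext and then the authentication error that unwrapping returns once a single bit of the wrapped DEK has changed; because the root key ID is bound through the AAD, a wrapped DEK presented under a different key ID fails the same way, before any data is touched.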
Access to the Key Protect service takes place over HTTPS. All communication uses the Transport Layer Security (TLS) protocol to encrypt data in transit. For more information about TLS and the ciphers supported by Key Protect, check out Data encryption.
Common architectural components
- Key Protect REST API
  - The Key Protect REST API drives encryption key creation and management across IBM Cloud services.
- Hardware security modules
  - IBM Cloud data centers provide the hardware to protect your keys. HSMs are tamper-resistant hardware devices that store and use cryptographic key material without exposing keys outside of a cryptographic boundary.
- Customer-managed encryption keys
  - Root keys are symmetric keys that protect data encryption keys with envelope encryption. Root keys never leave the boundary of the HSM.
- Dedicated key storage
  - Key metadata is stored in highly durable, dedicated storage for Key Protect that is encrypted at rest with additional application layer encryption.
- Fine-grained access control
  - Key Protect leverages IBM Cloud IAM roles to ensure that users can be assigned appropriate access at the instance, key, and key ring level.
Standard-specific architecture
In Standard Key Protect:
- HSMs are shared across multiple tenants in a multi-tenant architecture.
- IBM manages and periodically rotates the HSM's master keys, providing an extra layer of security.
- IBM administrators have operational access to manage the infrastructure.
Dedicated-specific architecture
In Dedicated Key Protect:
- Each customer receives dedicated HSM partitions (crypto units) for complete workload isolation.
- Customers manage their own HSM master backup keys, owning the root of trust.
- Customers assign their own administrators using RSA signature authentication keys.
- No IBM administrator access to customer encryption keys or cryptographic operations.
Next steps
- To get started with Standard Key Protect, see Provisioning the service.
- To get started with Dedicated Key Protect, see Initializing Dedicated Key Protect.
- For more information about your responsibilities when using Key Protect, see Understanding your responsibilities.
- To compare Key Protect with other IBM security services, see Which data security service is best for me?.