| copyright | lastupdated | Keywords | subcollection |
|---|---|---|---|
| | 2019-01-15 | root keys, master keys, standard keys | hs-crypto |
{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:codeblock: .codeblock} {:pre: .pre} {:important: .important}
{: #introduce-keys}
{{site.data.keyword.cloud}} {{site.data.keyword.hscrypto}} supports several key types, including root keys, standard keys, and master keys. {:shortdesc}
{: #introduce-root-keys}
Root keys are symmetric key-wrapping keys that you fully manage in {{site.data.keyword.hscrypto}}. You can use a root key to protect other cryptographic keys with advanced encryption. To learn more, see Envelope encryption.
You can manage root keys by following the steps in Manage your keys.
{: #introduce-standard-keys}
Standard keys are symmetric keys that are used for cryptography. You can use a standard key to directly encrypt and decrypt data.
You can manage standard keys by following the steps in Manage your keys.
{: #introduce-master-keys}
Master keys are used to encrypt the service instance for key storage. With the master key, you own the root of trust that encrypts the entire chain of keys, including root keys and standard keys.
Because of the established end-to-end secured channel to the service instance, only the administrators of the service instance can set and manage the master key. Note that IBM does not back up or touch the master key, and has no way to copy it or restore it to a different machine or data center.
One service instance can have only one master key. If you delete the master key of the service instance, you can effectively crypto-shred all data that was encrypted with the keys managed in the service.
You can manage master keys when Initializing service instances to protect key storage.
Rotating the master key is not supported at the current stage. {:important}
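
The chain of keys and the crypto-shredding effect described above, shown as an added Go example that is not the service's own code or API. It assumes AES-256-GCM as a stand-in for the service's wrapping algorithm, and the data encryption key, the sample record, and all function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func random(n int) []byte { // 32 bytes for an AES-256 key, 12 for a GCM nonce
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts msg under key and prepends the nonce; open expects a blob made by seal.
func seal(key, msg []byte) []byte {
	nonce := random(12)
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nonce, nonce, msg, nil)
}

func open(key, blob []byte) ([]byte, error) {
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, blob[:12], blob[12:], nil)
}

// openChain opens each blob with the key recovered from the one before it.
func openChain(key []byte, blobs ...[]byte) ([]byte, error) {
	for i, blob := range blobs {
		next, err := open(key, blob)
		if err != nil {
			return nil, fmt.Errorf("link %d unrecoverable: %w", i, err)
		}
		key = next
	}
	return key, nil
}

func main() {
	master, root, dek := random(32), random(32), random(32)
	// Stored root key, wrapped data key, encrypted record (constructed sample).
	blobs := [][]byte{seal(master, root), seal(root, dek), seal(dek, []byte("sample record"))}
	pt, err := openChain(master, blobs...)
	_, shredErr := openChain(random(32), blobs...) // original master key deleted
	fmt.Printf("with master key: %q %v\nafter deletion: %v\n", pt, err, shredErr)
}
```

Every stored blob survives deletion of the master key, but the first link no longer authenticates, so nothing further down the chain can be recovered.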