| copyright | lastupdated | keywords | subcollection |
|---|---|---|---|
| | 2020-06-19 | encryption, security, sse-c, key protect, {{site.data.keyword.hscrypto}} | cloud-object-storage |
{{site.data.keyword.attribute-definition-list}}
{:help: data-hd-content-type='help'}
{: #encryption}
{{site.data.keyword.cos_full}} provides several options to encrypt your data.
{: shortdesc}
By default, all objects that are stored in {{site.data.keyword.cos_full_notm}} are encrypted by using randomly generated keys and an all-or-nothing-transform (AONT). While this default encryption model provides at-rest security, some workloads need full control over the data encryption keys used. You can manage your keys manually on a per-object basis by providing your own encryption keys, an approach referred to as Server-Side Encryption with Customer-Provided Keys (SSE-C).
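The per-object key handling that SSE-C implies, as an added example that is not part of the original documentation: it generates a 256-bit key and builds the three request headers used by the S3-compatible SSE-C API. The header names come from that API rather than from this page, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

# Header names from the S3-compatible SSE-C API (assumption: not listed on this page).
ALG_HDR = "x-amz-server-side-encryption-customer-algorithm"
KEY_HDR = "x-amz-server-side-encryption-customer-key"
MD5_HDR = "x-amz-server-side-encryption-customer-key-MD5"
KEY_BYTES = 32  # AES-256


def generate_sse_c_key() -> bytes:
    """Return a fresh 256-bit key from the OS CSPRNG. The caller must store it:
    with SSE-C the key is supplied per request, so a lost key means a lost object."""
    return secrets.token_bytes(KEY_BYTES)


def sse_c_headers(key: bytes) -> dict:
    """Build the SSE-C headers to send with a write and with every later read."""
    if not isinstance(key, (bytes, bytearray)) or len(key) != KEY_BYTES:
        raise ValueError("SSE-C key must be exactly 32 raw bytes")
    # The MD5 is a transmission integrity check over the RAW key bytes,
    # not over the base64 text. It is not a security control.
    digest = hashlib.md5(key).digest()
    return {
        ALG_HDR: "AES256",
        KEY_HDR: base64.b64encode(key).decode("ascii"),
        MD5_HDR: base64.b64encode(digest).decode("ascii"),
    }


def preflight_check(headers: dict) -> bool:
    """Local sanity check before sending: algorithm, key length, digest match."""
    try:
        key = base64.b64decode(headers[KEY_HDR], validate=True)
        md5 = base64.b64decode(headers[MD5_HDR], validate=True)
    except (KeyError, ValueError):
        return False
    return (
        headers.get(ALG_HDR) == "AES256"
        and len(key) == KEY_BYTES
        and hmac.compare_digest(md5, hashlib.md5(key).digest())
    )


if __name__ == "__main__":
    hdrs = sse_c_headers(generate_sse_c_key())
    print(sorted(hdrs), preflight_check(hdrs))
```

Because the key travels in a request header, send these requests only over TLS and keep the headers out of application logs.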
{{site.data.keyword.cos_short}} also integrates with {{site.data.keyword.cloud}} Key Management Services such as {{site.data.keyword.keymanagementservicelong}} and {{site.data.keyword.hscrypto}}. Depending on your security requirements, you can decide whether to use IBM Key Protect or IBM {{site.data.keyword.hscrypto}} for your IBM Cloud Object Storage buckets.
{{site.data.keyword.keymanagementservicefull}} helps you provision encrypted keys for apps across {{site.data.keyword.cloud}} services. As you manage the lifecycle of your keys, you can benefit from knowing that your keys are secured by FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) that protect against the theft of information.
{{site.data.keyword.hscrypto}} is a single-tenant, dedicated HSM that is controlled by you. The service is built on FIPS 140-2 Level 4-certified hardware, the highest offered by any cloud provider in the industry.
Refer to the product documentation on {{site.data.keyword.keymanagementservicefull}} and {{site.data.keyword.hscrypto}} for a detailed overview of the two services.