Describe the feature you'd like to have
IBM Cloud™ Hyper Protect Crypto Services (HPCS) is a key management service and cloud hardware security module (HSM). It is designed to let users take control of their cloud data encryption keys and cloud hardware security modules, and is the only service in the industry built on FIPS 140-2 Level 4-certified hardware. The request here is to support this KMS integration and thus enable HPCS users to use it for RBD volume encryption operations.
Initial design/Identified changes:
Below parameters can be used to establish the connection to the HPCS service from the CSI driver and make use of the encryption operations:
KMS_SERVICE_NAME=[kms_service_name]
    A unique name for the key management service within the project.
SERVICE_INSTANCE_ID=[service_instance_id]
    The instance ID (CRN) of the IBM HPCS service, ex: crn:v1:bluemix:public:hs-crypto:us-south:a/5d19cf8b82874c2dab37e397426fbc42:e2ae65ff-954b-453f-b0d7-fc5064c203ce::
SERVICE_API_KEY=[service_api_key]
    The IAM API key used to authenticate to the instance. Ex (placeholder value): 06x6DbTkVQ-qCRmq9cK-p9xOQpU2UwJMcdjnIDdr0g2R
CUSTOMER_ROOT_KEY=[customer_root_key]
    The ID of the customer root key (CRK) in the HPCS instance that wraps and unwraps the volume data encryption keys; the root key itself never leaves the HSM.
BASE_URL=[base_url] → optional; only required if the instance is in a region other than the default
    The base URL (key management endpoint URL) specifies where your HPCS instance resides. It is region specific. Ex:
    https://api.us-south.hs-crypto.cloud.ibm.com:9756
TOKEN_URL=[token_url] → optional; only required if different from the default IAM token URL
    Ex: https://iam.bluemix.net/oidc/token
The IBM Key Protect APIs (which HPCS exposes for key management) can be used for the integration; documentation, clients and examples can be found here:
Doc:
https://cloud.ibm.com/docs/key-protect
Clients:
https://github.com/IBM/keyprotect-go-client
https://github.com/IBM/keyprotect-python-client
https://github.com/IBM/keyprotect-java-client
Authentication:
https://github.com/IBM/keyprotect-go-client#authentication
Examples:
https://github.com/IBM/keyprotect-go-client#examples
afaict, Libopenstorage also has support for the Key Protect APIs https://github.com/libopenstorage/secrets/tree/master/ibm , so we are good to use it via LOS or directly via the Key Protect clients
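As an added illustration of how the parameters above would be consumed by the driver (example code written for this issue, not ceph-csi or IBM code), the following Go program builds the connection config from the listed parameters with the optional BASE_URL/TOKEN_URL defaults, then runs the envelope-encryption flow an RBD volume needs: generate a per-volume data encryption key (DEK), wrap it under the customer root key at CreateVolume, persist only the wrapped blob, and unwrap it again at NodeStage. The KMS is modelled by a small `keyWrapper` interface; an in-memory AES-GCM stand-in (`fakeHPCS`, constructed here so the example runs offline) plays the role of HPCS, and an adapter around the real keyprotect-go-client or libopenstorage secrets client would satisfy the same interface. The default endpoint values, the `rk-1` root key ID and the env map are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hpcsConfig holds the parameters from the issue. BASE_URL and TOKEN_URL are
// optional; these defaults are an assumption (the issue gives them as examples).
type hpcsConfig struct {
	ServiceName string // KMS_SERVICE_NAME
	InstanceID  string // SERVICE_INSTANCE_ID (a CRN)
	APIKey      string // SERVICE_API_KEY
	RootKeyID   string // CUSTOMER_ROOT_KEY
	BaseURL     string // BASE_URL, region-specific key management endpoint
	TokenURL    string // TOKEN_URL, IAM token endpoint
}

const (
	defaultBaseURL  = "https://api.us-south.hs-crypto.cloud.ibm.com:9756"
	defaultTokenURL = "https://iam.bluemix.net/oidc/token"
)

// configFromEnv builds the config through a lookup function (os.Getenv in a
// real driver, a map here) and rejects a config with a missing required value.
func configFromEnv(getenv func(string) string) (hpcsConfig, error) {
	c := hpcsConfig{
		ServiceName: getenv("KMS_SERVICE_NAME"), InstanceID: getenv("SERVICE_INSTANCE_ID"),
		APIKey: getenv("SERVICE_API_KEY"), RootKeyID: getenv("CUSTOMER_ROOT_KEY"),
		BaseURL: getenv("BASE_URL"), TokenURL: getenv("TOKEN_URL"),
	}
	for _, req := range []struct{ name, val string }{
		{"KMS_SERVICE_NAME", c.ServiceName}, {"SERVICE_INSTANCE_ID", c.InstanceID},
		{"SERVICE_API_KEY", c.APIKey}, {"CUSTOMER_ROOT_KEY", c.RootKeyID},
	} {
		if req.val == "" {
			return hpcsConfig{}, fmt.Errorf("missing required parameter %s", req.name)
		}
	}
	if c.BaseURL == "" {
		c.BaseURL = defaultBaseURL
	}
	if c.TokenURL == "" {
		c.TokenURL = defaultTokenURL
	}
	return c, nil
}

// keyWrapper is the only KMS capability the driver needs: wrap/unwrap a DEK
// under a root key that stays inside the HSM.
type keyWrapper interface {
	Wrap(rootKeyID string, dek []byte) ([]byte, error)
	Unwrap(rootKeyID string, wrapped []byte) ([]byte, error)
}

// fakeHPCS is a constructed in-memory stand-in for HPCS: AES-GCM under a local
// root key, with the root key ID bound as additional authenticated data.
type fakeHPCS struct{ rootKeys map[string][]byte }

func (f *fakeHPCS) aead(rootKeyID string) (cipher.AEAD, error) {
	rk, ok := f.rootKeys[rootKeyID]
	if !ok {
		return nil, fmt.Errorf("unknown root key %q", rootKeyID)
	}
	block, err := aes.NewCipher(rk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (f *fakeHPCS) Wrap(rootKeyID string, dek []byte) ([]byte, error) {
	g, err := f.aead(rootKeyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, dek, []byte(rootKeyID)), nil // nonce || ciphertext || tag
}

func (f *fakeHPCS) Unwrap(rootKeyID string, wrapped []byte) ([]byte, error) {
	g, err := f.aead(rootKeyID)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < g.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return g.Open(nil, wrapped[:g.NonceSize()], wrapped[g.NonceSize():], []byte(rootKeyID))
}

// createVolumeKey runs at CreateVolume: a fresh 256-bit DEK is generated and
// wrapped; only the wrapped blob is persisted in the volume metadata.
func createVolumeKey(kms keyWrapper, rootKeyID string) (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	if wrapped, err = kms.Wrap(rootKeyID, dek); err != nil {
		return nil, nil, err
	}
	return dek, wrapped, nil
}

// openVolumeKey runs at NodeStage: the stored blob is unwrapped by the KMS.
func openVolumeKey(kms keyWrapper, rootKeyID string, wrapped []byte) ([]byte, error) {
	return kms.Unwrap(rootKeyID, wrapped)
}

func main() {
	env := map[string]string{ // constructed example values
		"KMS_SERVICE_NAME": "hpcs-us-south", "SERVICE_INSTANCE_ID": "crn:v1:bluemix:public:hs-crypto:us-south:a/<account>:<instance>::",
		"SERVICE_API_KEY": "<api-key>", "CUSTOMER_ROOT_KEY": "rk-1",
	}
	cfg, err := configFromEnv(func(k string) string { return env[k] })
	if err != nil {
		panic(err)
	}
	kms := &fakeHPCS{rootKeys: map[string][]byte{"rk-1": make([]byte, 32)}}
	dek, wrapped, err := createVolumeKey(kms, cfg.RootKeyID)
	if err != nil {
		panic(err)
	}
	got, err := openVolumeKey(kms, cfg.RootKeyID, wrapped)
	fmt.Printf("endpoint=%s token=%s recovered=%v err=%v\n", cfg.BaseURL, cfg.TokenURL, bytes.Equal(dek, got), err)
}
```

The point of the interface split is that the driver never stores or logs the plaintext DEK beyond the format/map step, and a wrapped blob copied to another instance or root key fails to unwrap rather than silently decrypting; the same check applies when an operator rotates CUSTOMER_ROOT_KEY, since existing volumes must be rewrapped before the old key is retired.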