---

copyright:
  years: 2020, 2024
lastupdated: "2024-11-15"

keywords: key protect, data portability

subcollection: key-protect

---

{{site.data.keyword.attribute-definition-list}}

# Understanding data portability for {{site.data.keyword.keymanagementserviceshort}}
{: #data-portability}

Data portability involves a set of tools and procedures that enable customers to export the digital artifacts that are needed to implement similar workload and data processing on different service providers or on-premises software. It includes procedures for copying and storing the service customer content, including the related configuration that is used by the service to store and process the data, on the customer's own location.
{: shortdesc}

As a general rule, it is not possible to export {{site.data.keyword.keymanagementserviceshort}} keys or the key material of a key generated by {{site.data.keyword.keymanagementserviceshort}}. This ensures that the root key's plaintext material is never exposed outside of {{site.data.keyword.keymanagementserviceshort}}'s FIPS 140-2 Level 3 certified cloud-based hardware security modules. For more information, check out Data export procedures by key type.

If you import your own key material to create a key, keep a securely stored copy of that material. It cannot be retrieved from {{site.data.keyword.keymanagementserviceshort}} after it is imported.
{: tip}

## Responsibilities
{: #data-portability-responsibilities}

{{site.data.keyword.Bluemix_notm}} services provide interfaces and instructions to guide the customer to copy and store the service customer content, including the related configuration, on their own selected location.

Users are responsible for the use of the exported data and configuration for data portability to other infrastructures, which includes:

- The planning and execution for setting up alternative infrastructure on different cloud providers or on-premises software that provide similar capabilities to the {{site.data.keyword.IBM_notm}} services.
- The planning and execution for the porting of the required application code on the alternative infrastructure, including the adaptation of the customer's application code, deployment automation, and so on.
- The conversion of the exported data and configuration to the format that is required by the alternative infrastructure and adapted applications.

For more information about your responsibilities for {{site.data.keyword.keymanagementserviceshort}}, check out Understanding your responsibilities with using {{site.data.keyword.keymanagementserviceshort}}.

## Data export procedures by key type
{: #data-portability-procedures}

For more information about the two types of keys, check out Key types.

### Root keys
{: #data-portability-procedures-root-keys}

Root keys are used to wrap the data encryption key (DEK) used to encrypt your data at rest. Once a root key's plaintext material is generated or imported, it cannot be exported from the {{site.data.keyword.keymanagementserviceshort}} managed hardware security module (HSM).

To keep your data portable, use {{site.data.keyword.keymanagementserviceshort}} to wrap the data encryption key (DEK) that encrypts your sensitive data, as outlined in the Wrapping keys with envelope encryption guide. If you later discontinue the use of {{site.data.keyword.keymanagementserviceshort}} to secure your DEK, unwrap the DEK's ciphertext to obtain the plaintext DEK that was used to encrypt your sensitive data, and then wrap that DEK with the key management system of your alternative infrastructure. Do this before you delete the root key or the service instance: a wrapped DEK can be unwrapped only by the root key that wrapped it, so any DEK that is still wrapped when its root key is deleted is unrecoverable, together with the data that it encrypts.

Directly wrapping sensitive data with a root key is not advised. Data that is wrapped directly can be recovered only through the service's unwrap operation, so it stays tied to a root key that cannot leave the HSM, rather than to a DEK that you can carry to another provider.
{: tip}
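The following script models the procedure above end to end: a per-record DEK is wrapped by a root key that never leaves the key-management boundary, the wrapped DEK (not the root key) is the artifact that ports, and migration consists of unwrapping under the old provider and rewrapping under the new one before the old root key is deleted. It is an added example, not code from the {{site.data.keyword.keymanagementserviceshort}} documentation or service, and it runs offline on the Python standard library only: the `Hsm` class, AES-GCM, and the HSM's wrap operation are all stood in for by an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag, which is an assumption made so that the flow can be run without a service instance. In production the `wrap` and `unwrap` calls are the service's wrap and unwrap key actions, and the DEK encrypts data with a real AEAD such as AES-GCM.

```python
"""Envelope-encryption portability model: the root key stays inside the KMS,
the wrapped DEK is the portable artifact.

Added example, not the service's code. Stand-in crypto (assumption): an
HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag replaces
AES-GCM and the HSM wrap operation so that the script runs offline.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keystream and MAC keys so neither primitive reuses the other's key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range(-(-length // 32)):  # ceil(length / 32) 32-byte blocks
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Returns nonce || ciphertext || tag; the tag covers nonce, aad and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key or ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class Hsm:
    """Models the key-management boundary: root keys are generated inside and
    never returned. Only wrap, unwrap and delete are exposed, as for a root key."""

    def __init__(self) -> None:
        self._root_keys = {}

    def create_root_key(self) -> str:
        key_id = secrets.token_hex(8)
        self._root_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def wrap(self, key_id: str, dek: bytes) -> bytes:
        # The key id is bound as AAD so a wrapped DEK cannot be replayed against another root key.
        return aead_encrypt(self._root_keys[key_id], dek, aad=key_id.encode())

    def unwrap(self, key_id: str, wrapped_dek: bytes) -> bytes:
        return aead_decrypt(self._root_keys[key_id], wrapped_dek, aad=key_id.encode())

    def delete_root_key(self, key_id: str) -> None:
        del self._root_keys[key_id]


def encrypt_record(hsm: Hsm, key_id: str, plaintext: bytes) -> dict:
    """Envelope encryption: fresh DEK per record, DEK wrapped by the root key,
    plaintext DEK discarded. Only the wrapped DEK and the ciphertext are stored."""
    dek = secrets.token_bytes(32)
    return {"root_key_id": key_id, "wrapped_dek": hsm.wrap(key_id, dek),
            "ciphertext": aead_encrypt(dek, plaintext)}


def decrypt_record(hsm: Hsm, record: dict) -> bytes:
    dek = hsm.unwrap(record["root_key_id"], record["wrapped_dek"])
    return aead_decrypt(dek, record["ciphertext"])


def migrate_record(old_hsm: Hsm, new_hsm: Hsm, new_key_id: str, record: dict) -> dict:
    """The portability step: unwrap under the old provider, rewrap under the new.
    The bulk ciphertext is untouched; the plaintext DEK exists only in memory here."""
    dek = old_hsm.unwrap(record["root_key_id"], record["wrapped_dek"])
    return {"root_key_id": new_key_id, "wrapped_dek": new_hsm.wrap(new_key_id, dek),
            "ciphertext": record["ciphertext"]}


SAMPLE = b"customer record: account 4242, balance 17.50"  # constructed sample data


def demo() -> dict:
    """Migrate one record, delete the old root key, and report what is still readable."""
    old_hsm, new_hsm = Hsm(), Hsm()
    old_kid = old_hsm.create_root_key()
    record = encrypt_record(old_hsm, old_kid, SAMPLE)

    new_kid = new_hsm.create_root_key()
    moved = migrate_record(old_hsm, new_hsm, new_kid, record)  # before deleting the old root key
    old_hsm.delete_root_key(old_kid)

    try:
        decrypt_record(old_hsm, record)
        stranded = False
    except KeyError:
        stranded = True  # an unmigrated record is unrecoverable once its root key is gone
    return {"new_provider_decrypts": decrypt_record(new_hsm, moved) == SAMPLE,
            "unmigrated_record_lost": stranded}


if __name__ == "__main__":
    print(demo())
```

The design point is the order of operations in `demo`: every wrapped DEK must be rewrapped under the new provider while the old root key still exists, and the migration touches only the small wrapped-DEK field, never the bulk ciphertext.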

### Standard keys
{: #data-portability-procedures-standard-keys}

You can store encrypted DEK material in {{site.data.keyword.keymanagementserviceshort}} by generating a standard key or by importing the encrypted DEK material as the payload of a standard key. To export this data, retrieve the standard key and read the `payload` value that is returned. The payload is returned base64-encoded, so decode it before you import it into the alternative infrastructure.