Tuesday, April 7, 2020

Encode credentials and upload to Key Protect

Protect credentials in Key Protect
If you followed my blog or have used IBM Cloud, then you know that Key Protect (and Hyper Protect Crypto Services) is the solution to manage encryption keys on IBM Cloud. Did you know that you can import your own keys? And did you know that "key" can be (almost) anything? Today, I am going to show you how to manage a set of JSON-based credentials with Key Protect.

Manage credentials in Key Protect

IBM Cloud Key Protect directly integrates with several cloud services. It is used to, e.g., BYOK (bring your own keys) for data encryption. Moreover, Key Protect can store so-called standard keys - bascially any base64-encoded string. This comes in handy when there is need to keep credentials in a vault. An example could be for an external service in a multi-cloud environment.

The benefits of using Key Protect as such a vault are that privileges to access it can be managed with fine granularity and the power of IBM Cloud IAM. Any access is logged and tracked in Activity Tracker with LogDNA. Thus, it can be easily audited.

Encode and upload credentials

The credentials to manage can be imported into Key Protect as so-called standard keys. They must be base64-encoded. Given some credentials as a JSON object, it is a straight-forward process. I wrote the following bash script to demonstrate the steps:

The script makes use of the IBM Cloud CLI with the plugin for Key Protect as well as the standard "base64" command. In this sample, some environment variables are read to fill the JSON structure and to identify the Key Protect instance.

Once executed, the script returns as JSON output the metadata for the newly created key. Its key ID can be used to later retrieve the credentials again (wait for an upcoming blog post :).

Sample output with key ID and CRN

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.