Boundary
ibmkp KMS
The IBM KMS configures Boundary to use IBM Key Protect for key management.
ibmkp example
This example shows an IBM KMS stanza in the Boundary configuration file:
kms "ibmkp" {
    purpose     = "root"
    api_key     = "8uEy9TUDVtUHuUGXpsMlpTb4rp8B_ZEfjU28ujik_nyw"
    instance_id = "0647c737-906d-4f4e-8a68-2c187e11b29b"
    key_id      = "key-protect-key1"
    endpoint    = "https://cloud.ibm.com"
    key_name    = "global_worker-auth"
}
ibmkp parameters
The IBM KMS uses the following parameters in the kms stanza of the Boundary configuration file:
purpose - States the purpose of the KMS. Supported values are worker-auth, worker-auth-storage, root, previous-root, recovery, bsr, or config. To enable session recording, you must configure the bsr value for the purpose.
api_key (string: "") - The API key used to authenticate to IBM Cloud services. You can also specify this value using the IBMCLOUD_API_KEY environment variable.
instance_id (string: <required>) - The ID for the IBM Key Protect instance. You can also specify this value using the IBMCLOUD_KP_INSTANCE_ID environment variable.
key_id (string: <required>) - The IBM Key Protect key to use for encryption and decryption. You can also specify this value using the IBMCLOUD_KP_KEY_ID environment variable.
endpoint (string: "") - The KMS API endpoint to use for making IBM KMS requests. You can also specify this value using the IBM_KP_ENDPOINT environment variable.
key_name - The unique name for this key. It is used to identify the key when you perform a root key migration.
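A pre-deployment check for the parameters listed above, as an added example that is not part of the Boundary documentation or code base. The function name check_ibmkp and the sample values are hypothetical, the parser only handles simple key = "value" pairs, and flagging an api_key stored in the file is a hardening choice of this example rather than a Boundary requirement.

```python
import os
import re

# Supported purposes and environment-variable names, as listed on this page.
PURPOSES = {"worker-auth", "worker-auth-storage", "root", "previous-root",
            "recovery", "bsr", "config"}
ENV = {"api_key": "IBMCLOUD_API_KEY", "instance_id": "IBMCLOUD_KP_INSTANCE_ID",
       "key_id": "IBMCLOUD_KP_KEY_ID"}
STANZA = re.compile(r'kms\s+"ibmkp"\s*\{(.*?)\}', re.S)
PAIR = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

# Constructed sample input with placeholder values, not real credentials.
SAMPLE = '''
kms "ibmkp" {
    purpose     = "root"
    api_key     = "EXAMPLE-API-KEY"
    instance_id = "00000000-0000-0000-0000-000000000000"
    key_id      = "example-key-id"
}
kms "ibmkp" {
    purpose = "session-recording"
    key_id  = "example-key-id"
}
'''


def check_ibmkp(config_text, env=None):
    """Return findings for each kms "ibmkp" stanza in config_text."""
    env = os.environ if env is None else env
    findings = []
    for n, stanza in enumerate(STANZA.finditer(config_text), start=1):
        params = dict(PAIR.findall(stanza.group(1)))
        if params.get("purpose") not in PURPOSES:
            findings.append(f"stanza {n}: unsupported purpose {params.get('purpose')!r}")
        if params.get("api_key"):
            # Hardening choice of this example, not a Boundary requirement.
            findings.append(f"stanza {n}: api_key is in the file; prefer {ENV['api_key']}")
        elif not env.get(ENV["api_key"]):
            findings.append(f"stanza {n}: no api_key and {ENV['api_key']} is unset")
        for name in ("instance_id", "key_id"):  # marked <required> on this page
            if not params.get(name) and not env.get(ENV[name]):
                findings.append(f"stanza {n}: {name} missing and {ENV[name]} is unset")
    return findings


if __name__ == "__main__":
    for finding in check_ibmkp(SAMPLE, env={}):
        print(finding)
```

Pass the process environment the Boundary controller or worker will actually run with, since a value missing from the file is only a finding when its environment variable is also unset.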
Authentication
You must provide authentication-related values either as environment variables or as configuration parameters.
The IBM Key Protect authentication values include: