
Secure a cloud-native application on IBM Cloud for Financial Services

Summary

In this code pattern, you deploy a microservices-based back end in Red Hat OpenShift 4 by using a CI/CD toolchain. To encrypt and secure the data, you use the IBM Cloud Hyper Protect Crypto Services to manage your own encryption keys and the IBM Cloud Hyper Protect DBaaS for PostgreSQL to store and access the data.

Description

Security and regulatory compliance of data is critical when moving sensitive applications to the cloud, particularly for organizations in regulated industries. For example, public cloud adoption by financial institutions has been slower than in other industries because they hold large amounts of confidential customer information.

End-to-end data protection rests on three pillars of data security. Data at rest and data in flight are the first two pillars, and most industries have already addressed them. The third is data in use: when organizations within regulated industries, such as finance and government, bring their applications and data to cloud environments such as IBM Cloud, they want to process sensitive data with the highest level of security without compromising the performance and latency of the applications. The focus of confidential computing is to protect sensitive data while it is in use or in memory.

To overcome these concerns, the IBM Cloud Hyper Protect Services, which include crypto services, virtual servers, and database as a service (DBaaS), offer protection for all three pillars, thereby enabling an end-to-end confidential computing environment within the IBM Cloud.

This code pattern uses the Example Bank project from a previous code pattern, which deploys a set of microservices to act as a back end for a mobile bank application. By following this code pattern, you learn how to:

  • Load your own master key to encrypt root keys by using the IBM Cloud Trusted Key Entry (TKE) plug-in
  • Use the Hyper Protect Crypto Services for key management
  • Provision the Hyper Protect DBaaS for PostgreSQL service to store encrypted data
  • Deploy the Example Bank microservice application that uses the Hyper Protect Services

Flow

The Example Bank back-end system includes several microservices for handling user authentication and transaction mechanics, as demonstrated in the following architecture flow diagram. Data is protected with envelope encryption provided by the Hyper Protect Services.

Architecture diagram

  1. User accesses OpenShift route for the front-end mobile simulator service.
  2. Mobile simulator logs in the user or creates a new user with IBM Cloud App ID.
  3. User service verifies user authentication with App ID and records the user in the Hyper Protect DBaaS for PostgreSQL database. The user service also records whether the consent box is checked during the sign-up step.
  4. User creates transactions by clicking on the mobile simulator purchase view.
  5. Transaction service records user activity in the Hyper Protect DBaaS for PostgreSQL database.
  6. Hyper Protect DBaaS for PostgreSQL stores encrypted data by using the master and root keys created with Hyper Protect Crypto Services.
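
The key hierarchy behind the envelope encryption in this flow, as an added Node.js sketch (not code from the Example Bank project, and not the Hyper Protect Crypto Services API): a master key wraps root keys, a root key wraps a data key, and the data key encrypts the record. The `KeyService` class, the function names, and the use of one data key per record are assumptions for illustration; the master key sits in process memory here only so the sketch runs offline, whereas in the service it stays inside the HSM.

```javascript
const nodeCrypto = require('crypto');

// AES-256-GCM; output layout is nonce(12) || ciphertext || tag(16).
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Reverses seal; throws if the key is wrong or the blob was modified.
function open(key, blob) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Hypothetical stand-in for the key service: root keys are held only in wrapped
// form under the master key, and callers can only ask for wrap and unwrap.
class KeyService {
  #masterKey = nodeCrypto.randomBytes(32);
  #wrappedRoots = new Map();
  createRootKey(id) {
    this.#wrappedRoots.set(id, seal(this.#masterKey, nodeCrypto.randomBytes(32)));
  }
  #rootKey(id) {
    if (!this.#wrappedRoots.has(id)) throw new Error(`unknown root key ${id}`);
    return open(this.#masterKey, this.#wrappedRoots.get(id));
  }
  wrap(id, dek) { return seal(this.#rootKey(id), dek); }
  unwrap(id, wrapped) { return open(this.#rootKey(id), wrapped); }
}

// Fresh data key per record; the database row keeps only its wrapped form.
function encryptRecord(ks, rootId, text) {
  const dek = nodeCrypto.randomBytes(32);
  return { rootId, wrappedDek: ks.wrap(rootId, dek), ciphertext: seal(dek, Buffer.from(text)) };
}

// Unwraps the data key through the key service, then decrypts the record.
function decryptRecord(ks, rec) {
  return open(ks.unwrap(rec.rootId, rec.wrappedDek), rec.ciphertext).toString();
}

// Moves a record to another root key; the record ciphertext is not re-encrypted.
function rewrap(ks, rec, newRootId) {
  const dek = ks.unwrap(rec.rootId, rec.wrappedDek);
  return { ...rec, rootId: newRootId, wrappedDek: ks.wrap(newRootId, dek) };
}
```

A stored record holds only `wrappedDek` and `ciphertext`, so reading it requires a call to the key service, and moving it to another root key changes only the wrapped data key.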

Key ceremony

With Hyper Protect Services, you can keep your own key (KYOK). The key ceremony is the process of loading your own master key to your service instance (cloud account). Hyper Protect Crypto Services sets up signature keys for crypto unit administrators during the service initialization process to ensure that the master key parts are loaded to the Hardware Security Module (HSM) without interception. By using the TKE CLI plug-in with the IBM Cloud CLI, you can create crypto units, add signatures, load master key parts, and commit and activate them. The key ceremony process is necessary when you use Hyper Protect Crypto Services to ensure that no one, not even the crypto unit administrators, can get full access to the master key.

Key ceremony flow diagram

Instructions

The detailed steps for this code pattern are available in the README.md file.

  1. Clone the code pattern repository
  2. Create a project in your OpenShift cluster
  3. Set up a namespace in the IBM Cloud Container Registry
  4. Configure the App ID service
  5. Create and load the main keys for Hyper Protect Crypto Services
  6. Create or add a root key in Hyper Protect Crypto Services
  7. Grant service authorization
  8. Set up a Hyper Protect DBaaS for PostgreSQL instance with Hyper Protect Crypto Services
  9. Create the required secrets in your OpenShift project
  10. Set up the Hyper Protect DBaaS for PostgreSQL database
  11. Configure the pipelines in a toolchain
  12. Deploy the application by using your toolchain
  13. Access the application