Digital Developer Conference: Hybrid Cloud 2021. On Sep 21, gain free hybrid cloud skills from experts and partners. Register now

Protect cloud-based data with an encrypted database

Ensuring that sensitive data is secure is top of mind for everyone, particularly when working with personally identifiable data. Hyper protect cloud services built on IBM LinuxONE takes security to the next level. The DBaaS service brings inherent data encryption both at rest and in flight without any application changes, and unlike other DBaaS cloud services, it ensures you are the only one with access to your data. The Crypto service allows you to have complete control of encryption key management where Cloud admins have no access to the keys

There are times when your DBaaS requires higher-level quality of service: When you are working with sensitive private information and encryption is key (pun intended!); when you experience unexpected peaks in demand — such as when disaster strikes — and need to scale on a dime; or when milliseconds count and latency is not an option. Whether your app processes data that can save lives during times of need or involves business-critical financial transactions and sensitive data, these apps have the need for the highest level of security, scale, and speed. IBM Cloud Hyper Protect DBaaS for MongoDB and IBM Cloud Hyper Protect DBaaS for PostgreSQL put power into the hands of developers so they can deliver this quality of service in their applications.

Hyper Protect DBaaS is an IBM Cloud service that provides highly secured databases on demand. It offers a flexible and scalable platform that allows you to quickly and easily provision and manage your database of choice.

This IBM Cloud offering provides MongoDB database clusters. Each database cluster comprises one primary database instance and two database instance replicas that back up the primary one.

With IBM Cloud Hyper Protect DBaaS, you can create database clusters in the IBM Cloud, manage database instances, administer database users, and create and monitor databases.

IBM hosts your databases in a highly available and secure environment:

  • The underlying technologies prevent IBM or a third party from being able to access your data. The IBM Secure Service Container technology protects the system via a tamper-proof environment. Access to the system is restricted and is only enabled through well-defined RESTful APIs.

  • Data is encrypted at rest and in flight.

  • The system hardware, the system configuration, and the database setup ensure high availability.

Learning objectives

In this tutorial, you’ll learn how to easily create, access, and manage a secure, performant MongoDB cluster for data storage.


To complete the steps that follow, you’ll need a familiarity with (or working knowledge of) MongoDB.

Estimated time

It should take you about 20 minutes to complete this activity.


This how-to has three major steps for creating and managing a hyper-secure database:

  1. Create a database cluster
  2. Manage the database cluster
  3. Access the database

Getting started: Create a database cluster

Let’s start by creating a database cluster. Enter the required values in the IBM Cloud Hyper Protect DBaaS service configuration screen and click Create. IBM then provides you with the hostname and port numbers of the three created database instances. You can now use this information and the user credentials you specified in the catalog to create and access your databases.

Manage the database cluster

In a database cluster, you can create databases, manage the database instances, create or delete users, and get the database logs.

IBM Cloud Hyper Protect DBaaS provides the DBaaS Manager, which manages and intelligently schedules your requests based on the available resources.

Access the database

After you create the database, you can manage it using the mongo shell, your favorite MongoDB driver, or tools like MongoDB Compass.

Before you begin

To ensure secure data transfer, obtain a Certificate Authority (CA) file from, and copy it to the appropriate directory.

mongo shell

The Hyper Protect DBaaS dashboard provides the necessary information to connect to a database.

  1. You can run the mongo shell command that is provided at the Hyper Protect DBaaS dashboard. Click on the icon next to the command to copy it to your clipboard.

  2. If the secure data connection fails with an SSL error, specify the obtained CA file to validate the server certificate. Add the parameter --sslCAfile to indicate the CA file.


# mongo 'mongodb://<Hostname_1>:<PortNumber_1>,\
<Hostname_3>:<PortNumber_3>/admin?replicaSet=<replicaSetName>' \
--ssl --username <userID> --password <password> --sslCAFile cert.pem


Hostname_i is the hostname of the database replica (i=1,2,3).

PortNumber_i is the port number of the database replica (i=1,2,3).

replicaSetName is the name of your returned replica set as specified in the Hyper Protect DBaaS dashboard.

userID is the user ID for the DBA as specified in the service configuration screen.

password is the password for the DBA user ID as specified in the service configuration screen.

Other tools

For other tools, such as MongoDB Compass, Hyper Protect DBaaS supports the SSL server certificate validation to connect to the host. If needed, use the provided CA file.


You now know how to quickly and easily use the IBM Cloud service to create and manage a hyper-secure database. To try out the other Hyper Secure Services, check out the blogs listed in the References below.