
Control: 2.2.4 Ensure 'Unattached disks' are encrypted with customer managed keys


By default, IBM Cloud Block Storage provides provider-managed encryption for all data. For enhanced security, customers can bring their own encryption keys and manage them through IBM Key Management Services – Key Protect or Hyper Protect Crypto Services (HPCS). Provider-managed encryption is turned on by default and cannot be turned off.


You cannot change the encryption option once data has been written to a Cloud Block Storage volume. To ensure that objects are encrypted using customer managed keys, create a new Cloud Block Storage volume, set it to use either the Key Protect or Hyper Protect key management service, and then upload/copy the existing objects to the new volume.
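The check this control describes, as an added example that is not the control's own named query: it evaluates a volume listing and returns the unattached volumes that still rely on provider-managed encryption and therefore need the new-volume-and-copy remediation. The field names (`encryption`, `encryption_key.crn`, `volume_attachments`) and the values `user_managed` / `provider_managed` are assumptions modelled on the IBM Cloud VPC volume JSON; the sample listing is constructed.

```python
import json

# Constructed sample shaped like a volume listing; field names are an
# assumption of this example, and the key CRN is a placeholder.
SAMPLE = json.loads("""
{"volumes": [
  {"name": "vol-data-01", "encryption": "user_managed",
   "encryption_key": {"crn": "crn:EXAMPLE-KEY-PLACEHOLDER"},
   "volume_attachments": []},
  {"name": "vol-old-scratch", "encryption": "provider_managed",
   "volume_attachments": []},
  {"name": "vol-boot-web", "encryption": "provider_managed",
   "volume_attachments": [{"instance": {"name": "web-1"}}]},
  {"name": "vol-broken", "encryption": "user_managed",
   "volume_attachments": []}
]}
""")


def evaluate_volume(vol):
    """Return (status, reason) for one volume under control 2.2.4."""
    if vol.get("volume_attachments"):
        return "skip", "attached; out of scope for the unattached-disk control"
    mode = vol.get("encryption")
    key_crn = (vol.get("encryption_key") or {}).get("crn")
    if mode == "user_managed" and key_crn:
        return "ok", "customer managed key: " + key_crn
    if mode == "user_managed":
        # Edge case: claims a customer key but none is recorded.
        return "alarm", "user_managed but no key CRN recorded"
    return "alarm", "encryption is %r, not customer managed" % mode


def evaluate(listing):
    """Map volume name -> (status, reason) for every volume in the listing."""
    return {v["name"]: evaluate_volume(v) for v in listing.get("volumes", [])}


def volumes_to_migrate(listing):
    """Unattached volumes that need a new CMK-encrypted volume and a data copy."""
    return sorted(n for n, (s, _) in evaluate(listing).items() if s == "alarm")


if __name__ == "__main__":
    for name, (status, reason) in evaluate(SAMPLE).items():
        print(f"{status:5} {name}: {reason}")
```
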


Run the control in your terminal:

steampipe check ibm_compliance.control.cis_v100_2_2_4

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share ibm_compliance.control.cis_v100_2_2_4


This control uses a named query: