Table: ibm_kms_key - Query IBM Key Protect Keys using SQL
IBM Key Protect is a cloud-based security service that provides lifecycle management for encryption keys that are used in IBM Cloud services or customer-built applications. The service provides a simple and scalable way to manage keys, including creating, importing, storing, and disposing of them. IBM Key Protect helps to facilitate secure cloud data protection and key management at scale.
Table Usage Guide
The ibm_kms_key table provides insights into keys within IBM Key Protect. As a security or DevOps engineer, explore key-specific details through this table, including key ID, key name, and key creation date. Utilize it to uncover information about keys, such as their lifecycle status, the associated instances, and the verification of key policies.
Examples
Basic info
Analyze the settings to understand the status and creation date of IBM Key Management Service keys, which can be useful in managing and auditing key usage across your IBM Cloud services.
select name, id, crn, instance_id, state, creation_datefrom ibm_kms_key;select name, id, crn, instance_id, state, creation_datefrom ibm_kms_key;List keys older than 30 days
Explore which encryption keys have been in existence for over a month. This can be useful for managing and auditing key lifecycles, ensuring old and potentially vulnerable keys are replaced or retired.
select name, id, crn, instance_id, state, creation_datefrom ibm_kms_keywhere creation_date <= (current_date - interval '30' day)order by creation_date;select name, id, crn, instance_id, state, creation_datefrom ibm_kms_keywhere creation_date <= date('now', '-30 day')order by creation_date;List keys by key ring
Determine the areas in which specific keys are associated with a given key ring. This can help in managing and organizing your encryption keys, enhancing your security strategy.
select name, id, crn, instance_id, state, creation_date, key_ring_idfrom ibm_kms_keywhere key_ring_id = 'steampipe';select name, id, crn, instance_id, state, creation_date, key_ring_idfrom ibm_kms_keywhere key_ring_id = 'steampipe';Query examples
- ibm_kms_key_1_year_count
- ibm_kms_key_24_hours_count
- ibm_kms_key_30_90_days_count
- ibm_kms_key_30_days_count
- ibm_kms_key_90_365_days_count
- ibm_kms_key_age
- ibm_kms_key_age_table
- ibm_kms_key_aliases
- ibm_kms_key_by_account
- ibm_kms_key_by_algorithm
- ibm_kms_key_by_creation_month
- ibm_kms_key_by_region
- ibm_kms_key_by_state
- ibm_kms_key_count
- ibm_kms_key_disabled_count
- ibm_kms_key_dual_auth_disabled_count
- ibm_kms_key_dual_authentication
- ibm_kms_key_input
- ibm_kms_key_overview
- ibm_kms_key_ring
- ibm_kms_key_state_details
- ibm_kms_key_type
- ibm_kms_root_key_count
- ibm_kms_root_key_rotation_disabled_count
- ibm_kms_root_key_rotation_enabled
- ibm_kms_standard_key_count
Schema for ibm_kms_key
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| account_id | text | The account ID of this key. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| algorithm_type | text | Specifies the key algorithm. | |
| aliases | jsonb | A list of key aliases. | |
| created_by | text | The unique identifier for the resource that created the key. | |
| creation_date | timestamp with time zone | The timestamp when the key material was created. | |
| crn | text | The Cloud Resource Name (CRN) that uniquely identifies your cloud resources. | |
| deleted | boolean | Indicates whether the key has been deleted, or not. | |
| deleted_by | text | The unique identifier for the resource that deleted the key. | |
| deletion_date | timestamp with time zone | The date the key material was destroyed. | |
| description | text | A text field used to provide a more detailed description of the key. | |
| dual_auth_delete | jsonb | Metadata that indicates the status of a dual authorization policy on the key. | |
| encrypted_nonce | text | ||
| encryption_algorithm | text | ||
| expiration | timestamp with time zone | The date the key material will expire. | |
| extractable | boolean | Indicates whether the key material can leave the service, or not. | |
| id | text | = | An unique identifier of the key. |
| imported | boolean | Indicates whether the key was originally imported or generated in Key Protect. | |
| instance_id | text | = | The key protect instance GUID. |
| key_ring_id | text | = | An ID that identifies the key ring. |
| key_version | jsonb | Properties associated with a specific key version. | |
| last_rotate_date | timestamp with time zone | The date when the key was last rotated. | |
| last_update_date | timestamp with time zone | The date when the key metadata was last modified. | |
| name | text | A human-readable name assigned to your key for convenience. | |
| payload | text | Specifies the key payload. | |
| region | text | The region of this key. | |
| rotation_policy | jsonb | Key rotation policy. | |
| state | text | The key state based on NIST SP 800-57. States are integers and correspond to the Pre-activation = 0, Active = 1, Suspended = 2, Deactivated = 3, and Destroyed = 5 values. | |
| tags | jsonb | A map of tags for the resource. | |
| title | text | Title of the resource. | |
| type | text | Specifies the MIME type that represents the key resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ibmYou can pass the configuration to the command with the --config argument:
steampipe_export_ibm --config '<your_config>' ibm_kms_key