IBM Cloud Data Shield powered by Fortanix Runtime Encryption

IBM Cloud Data Shield provides runtime memory encryption for applications to protect data in use. Cloud Data Shield is powered by Fortanix Runtime Encryption platform that uses Intel® SGX technology. Cloud Data Shield provides services and toolkits to transform containerized applications into protected counterparts enabling organizations with sensitive data to leverage cloud computing.

Bring Your Own App

The applications above are just examples. You can also run your own custom applications using Cloud Data Shield! Currently, the "Bring Your Own App" option supports applications delivered as a Docker container image.

Install the services in IBM Cloud

Build a Docker image for your application

A tool is available to prepare your application's container to run using Cloud Data Shield. The tool can retrieve your container image from either a public registry or a private registry. If your application is not yet packaged as a Docker container image, instructions to build and upload a docker image are available here:

Push your container image to a registry

Image references have the form <registry>/<image-name>:<tag>. If the registry is not specified, the public registry is assumed. If the tag (version) is not specified, latest is assumed.

Some examples: The image reference fortanix/sdkms-nginx refers to the image named fortanix/sdkms-nginx in the public registry. The image reference refers to the image named testing/test-image, version v2, in the private registry

Use our REST API

Our migration tool provides a REST API which you can use to create a new container image of your application image, secured using Runtime Encryption. The new image can be used in Cloud Data Shield just like the other featured apps, and with the same level of security. To use the REST API, simply:
  1. Submit a request to build your application:

    Sample JSON request body:

    	"inputImageName": ""            // registry name, image name, and tag
    	"outputImageName": "" // registry name, image name, and tag

    Sample JSON response body:

    	"newImage" : ""
  2. The new image can be run in your Cloud Data Shield evaluation cluster.
More detailed documentation for this Rest API can be found here. If you encounter issues, please contact us using one of the contact methods below.


To see the power of Cloud Data Shield, we provide a sample three-tier web application with all three tiers secured using Runtime Encryption.

Set up the sample application in your Kubernetes instance with the following command:

kubectl create -f

This creates a pod with three containers: the application, an NGINX frontend, and a MySQL backend.

Look up the node where the frontend is running with kubectl describe pod ewallet-sgx | grep ^Node:. Note that it may take a few minutes for the container to deploy and start.

You can access the sample application by navigating to the frontend node address in your web browser.

Build your own app

  • Contact us for Rust SDK arrow_forward

    Describe a relevant project / use case in your organization

    Are you interested in securing an existing application or building new secure application?

    What programming languages does your organization use for development?

    IBM and Fortanix will use the information submitted in this form for correspondence in the context of Data Shield