hashicorp · yhyakuna · Nov 3, 2025 · Oct 29, 2025 · Oct 29, 2025 · Oct 30, 2025
diff --git a/content/boundary/v0.20.x/content/docs/configuration/kms/ibmkms.mdx b/content/boundary/v0.20.x/content/docs/configuration/kms/ibmkms.mdx
@@ -0,0 +1,55 @@
+---
+layout: docs
+page_title: IBM Key Protect KMS configuration
+description: >-
+  Learn about using the IBM Key Protect KMS for key management and configuring parameters and authentication. View an example configuration.
+---
+
+# ibmkms KMS
+
+The IBM KMS configures Boundary to use IBM Key Protect for key management.
+
+## `ibmkp` example
+
+This example shows an IBM KMS stanza in the Boundary configuration file:
+
+````hcl
+kms "ibmkp" {
+    purpose     = "root"
+    api_key     = "8uEy9TUDVtUHuUGXpsMlpTb4rp8B_ZEfjU28ujik_nyw"
+    instance_id = "0647c737-906d-4f4e-8a68-2c187e11b29b"
+    key_id      = "key-protect-key1"
+    endpoint    = "https://cloud.ibm.com"
+    key_name    = "global_worker-auth"
+}
+````
+
+## `ibmkp` parameters
+
+The IBM KMS uses the following parameters in the `kms` stanza of the Boundary configuration file:
+
+- `purpose` - States the purpose of the KMS, supported values are `worker-auth`, `worker-auth-storage`, `root`, `previous-root`, `recovery`, `bsr`, or `config`.
+
+  To enable session recording, you must configure the `bsr` value for the `purpose`.
+
+- `api_key` `(string: "")` - The API key used to authenticate to IBM Cloud services.
+You can also specify this value using the `IBMCLOUD_API_KEY` environment variable.
+- `instance_id` `(string: <required>)` - The ID for the IBM Key Protect instance.
+You can also specify this value using the `IBMCLOUD_KP_INSTANCE_ID` environment variable.
+- `key_id` `(string: <required>)` - The IBM Key Protect key to use for encryption and decryption.
+You can also specify this value using the `IBMCLOUD_KP_KEY_ID` environment variable.
+- `endpoint` `(string: "")` - The KMS API endpoint to use for making IBM KMS requests.
+You can also specify this value using the `IBM_KP_ENDPOINT` environment variable.
+- `key_name` - The unique name for this key.
+It is used to identify the key when you perform a root key migration.
+
+## Authentication
+
+You must provide authentication-related values either as environment variables or as configuration parameters.
+
+The IBM Key Protect authentication values include:
+
+- `IBMCLOUD_API_KEY`
+- `IBMCLOUD_KP_INSTANCE_ID`
+- `IBMCLOUD_KP_KEY_ID`
+- `IBMCLOUD_KP_ENDPOINT`
@@ -37,5 +37,6 @@ For specific KMS examples, refer to the following topics:
 - [AWS KMS](/boundary/docs/configuration/kms/awskms)
 - [Azure Key Vault KMS](/boundary/docs/configuration/kms/azurekeyvault)
 - [GCP Cloud KMS](/boundary/docs/configuration/kms/gcpckms)
+- [IBM KMS](/boundary/docs/configuration/kms/ibmkms)
 - [OCI KMS](/boundary/docs/configuration/kms/ocikms)
 - [Vault Transit KMS](/boundary/docs/configuration/kms/transit)
@@ -121,6 +121,21 @@ description: >-
     </td>
   </tr>
 
+  <tr>
+    <td style={{verticalAlign: 'middle'}}>
+      IBM Key Protect KMS support
+    </td>
+    <td style={{verticalAlign: 'middle'}}>
+      GA in version 0.20.1
+    </td>
+    <td style={{verticalAlign: 'middle'}}>
+    Boundary now supports IBM Key Protect for key management.
+    <br /><br />You can configure IBM Key Protect as the KMS to manage encryption keys for various functions.
+    <br /><br />
+    Learn more:&nbsp;<a href="/boundary/docs/secure/encryption/data-encryption">Data encryption in Boundary</a> and <a href="/boundary/docs/configuration/kms/ibmkms">ibmkms KMS</a>.
+    </td>
+  </tr>
+
   </tbody>
 </table>
 

@@ -2106,6 +2106,10 @@
             "title": "GCP Cloud KMS",
             "path": "configuration/kms/gcpckms"
           },
+          {
+            "title": "IBM KMS",
+            "path": "configuration/kms/ibmkms"
+          },
           {
             "title": "OCI KMS",
             "path": "configuration/kms/ocikms"