IBM Security® Guardium® Data Encryption is a family of data encryption and key management software. The modular components are centrally managed through CipherTrust Manager (formerly known as Data Security Manager or DSM), which manages policies, configurations and encryption keys.

Encryption solutions to secure your data and your business

IBM Security Guardium Data Encryption consists of a unified suite of products built on a common infrastructure. These highly scalable modular solutions, which can be deployed individually or in combination, provide data encryption, tokenization, data masking and key management capabilities to help protect and control access to data across the hybrid multicloud environment. You can address data security and privacy regulations such as GDPR, CCPA, PCI DSS and HIPAA by employing methods to de-identify data, such as tokenization and data masking, and managing the encryption key lifecycle with secure key generation and automated key rotation.

Why Guardium

Clients realize value quickly with the full set of Guardium features

9 of 9 categories show IBM Security Guardium as a “strong positive”, making it an Overall Leader.


58% of organizations say they have around 21% to 50% of cloud-resident sensitive data that’s insufficiently secured.


Protect data across environments

Protect your data wherever it resides and help secure your organization's cloud migration.

Address compliance requirements

Address compliance with strong data encryption, robust user access policies, data access audit logging and key management capabilities.

Reduce administrative effort

Centralize encryption and encryption key configuration and policy management through an intuitive web-based interface.

Which Security Guardium Data Encryption products fit your organization?

Guardium® for File and Database Encryption

Address compliance reporting while protecting structured databases, unstructured files and cloud storage services through encryption of data-at-rest with centralized key management, privileged user access control and detailed data access audit logging.

Guardium® for Cloud Key Management

Centralize key management for reduced complexity and operational costs with full lifecycle control of encryption keys, including automated key rotation and expiration management. Bring your own key (BYOK) customer key control allows for the separation, creation, ownership and revocation of encryption keys or tenant secrets used to create them.

Guardium® for Data Encryption Key Management

Centralize key management for Guardium solutions as well as third-party devices, databases, cloud services and applications. Support for KMIP, an industry-standard protocol for encryption key exchange, makes it possible for keys to be managed with a common set of policies.

Guardium® for Batch Data Transformation

Enable large-quantity static data masking, which transforms selected data to unreadable forms in order to utilize data sets while preventing misuse of sensitive data. Mask data to share with third parties, before adding to a big data environment, to prepare for safe cloud migration, and more.

Guardium® for Application Encryption

Access DevSecOps-friendly software tools in a solution that is flexible enough to encrypt nearly any type of data passing through an application. Protecting data at the application layer can provide the highest level of security, as it takes place immediately upon data creation or first processing and can remain encrypted regardless of the state—during transfer, use, backup or copy.

Guardium® for Container Data Encryption

This extension to Guardium for File and Database Encryption delivers container-aware data protection and encryption capabilities for granular data access controls and data access logging in containerized environments.

Guardium® for Tokenization

Utilize application-level tokenization and dynamic display security to secure and anonymize sensitive assets whether they reside in the data center, big data environments or the cloud. Because it uses standard protocols and environment bindings, Guardium for Tokenization requires minimal software engineering and can be deployed as an appliance in your virtual format of choice.


Encryption for files, databases and applications

Guardium Data Encryption offers capabilities for protecting and controlling access to files, databases and applications across your organization, in the cloud and on premises, for containerized environments, and for cloud storage services.

Management of user access policies

Guardium Data Encryption allows for granular user access control. Specific policies can be applied to users and groups with controls that include access by process, file type and time of day, among other parameters.

Tokenization and data masking to protect data in use

Format-preserving tokenization obscures sensitive data while dynamic data masking obscures specific parts of a data field. Tokenization methods and data masking policies are controlled through a centralized graphical user interface.

Cloud encryption key orchestration

Clients can manage data encryption keys for their cloud environments from one browser window. Guardium Data Encryption supports bring your own key (BYOK) lifecycle management that allows for the separation, creation, ownership, control and revocation of encryption keys or tenant secrets.

Support for regulatory compliance efforts

Regulations such as HIPAA, PCI DSS, CCPA and GDPR require strong data encryption, robust user access policies and key lifecycle management capabilities. Detailed data access audit logging is available to help organizations with compliance reporting.

Data encryption key centralization through KMIP

CipherTrust Manager centralizes the storage, rotation and lifecycle management of all your encryption keys for KMIP-compatible data repositories. KMIP is an industry-standard protocol for encryption key exchange between clients (appliances and applications) and a server (key store).
