Encrypt Astra Managed Clusters databases with Google Cloud Key Management Service customer-managed encryption keys

You must configure customer keys before you deploy the databases that will use those keys. You cannot use a new customer key for an existing database.

You can encrypt your Astra Managed Clusters databases with Google Cloud Key Management Service (KMS) customer-managed encryption keys (CMEKs).

To do this, you must start the registration process in Astra, create a key in Google Cloud KMS, and then register the key in your Astra organization. This process requires access to both Astra and your cloud provider.

To configure customer key encryption for other cloud providers or Astra DB Serverless databases, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.

Prerequisites

Create and register a Google Cloud KMS CMEK in the Astra Portal

  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, make sure the enterprise/organization filter is set to the organization that you want to manage.

    If the organization belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.

  3. In the Settings navigation menu, click Security.

  4. In the Key Encryption section, click Add Keys.

  5. For Database Type, select Classic.

  6. For Provider, select Google Cloud.

  7. For Region, select the region where you plan to create your customer key and deploy your database.

    You can select from any supported region that is unlocked for your Astra organization. For assistance with unavailable regions, contact IBM Support.

  8. After you select a region, make a note of the Cloud Provider ID. This is a unique identifier for a DataStax-owned Google Cloud project. You will use this ID to define allowed principals in your key’s IAM policy.

    Some Google Cloud regions have two provider IDs. If you select a region with two provider IDs, you must include both IDs in your key’s IAM policy.

    Keep this window open while you create your key. If you exit the Add Key dialog or the Astra Portal, the Cloud Provider ID for Google Cloud is discarded, and you must restart to get a new Cloud Provider ID.

  9. Open a new browser tab, navigate to Google Cloud KMS, and then create a key ring in the same region that you selected in the Astra Portal.

  10. In your key ring, create a symmetric encryption key with the Protection level set to Software.

  11. Grant IAM roles on the key to the following principals, which are Google-managed service accounts in the DataStax-owned project (the Compute Engine default service account, the Compute Engine service agent, and the Cloud Storage service agent):

    PROVIDER_ID-compute@developer.gserviceaccount.com
    service-PROVIDER_ID@compute-system.iam.gserviceaccount.com
    service-PROVIDER_ID@gs-project-accounts.iam.gserviceaccount.com

    Replace PROVIDER_ID with the Cloud Provider ID from the Astra Portal. If your Google Cloud region has two provider IDs, add principals for both IDs (six principals in total). Compare each ID against the value shown in the Astra Portal before you grant access: a binding to the wrong ID gives another project’s service accounts the right to use your key.

  12. Grant those principals the minimum required permissions on the key, which include cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt, either through a custom role or through the Cloud KMS Admin and Cloud KMS Crypto Operator predefined roles. Cloud KMS Admin also lets the grantee change the key’s IAM policy and destroy key versions, so where your policy calls for least privilege, prefer a custom role or the Cloud KMS CryptoKey Encrypter/Decrypter predefined role, which is limited to encrypt and decrypt.

  13. Copy the key’s resource name. This is the cryptoKey resource name, in the form projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME, not the name of an individual key version.

  14. In the Astra Portal, paste your key’s resource name in the Key ID field, and then click Add Key.

  15. Deploy databases in the same provider-specific region as the registered key.

    Astra uses the registered key to encrypt all Astra Managed Clusters databases that you deploy to the same provider-specific region.

    Creating new databases and adding regions to multi-region databases are both considered database deployments. For multi-region databases, you must register a key in each desired region before you deploy the database to those regions. For more information, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.

  16. Optional: Enable customer key encryption for other regions, providers, or database types.

    To enable customer key encryption for Astra Managed Clusters databases in other Google Cloud regions, repeat this entire process for each applicable region.

    To configure customer key encryption for other cloud providers or Astra DB Serverless databases, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.

Create and register a Google Cloud KMS CMEK with the DevOps API

  1. Use the DevOps API to start the customer key encryption process:

    curl -sS -L -X POST "https://api.astra.datastax.com/v2/kms/classic/provider/gcp/accounts" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    Replace APPLICATION_TOKEN with your Astra application token.

  2. Use the DevOps API to get the DataStax-owned Google Cloud project ID for your key’s IAM policy:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/kms/classic/provider/gcp/region/REGION/accounts" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    Replace the following:

    • APPLICATION_TOKEN: Your Astra application token.

    • REGION: The Google Cloud region where you plan to create your key and deploy your database, such as us-east1.

    Only call GET /v2/kms/classic/provider/gcp/region/REGION/accounts once for each Google Cloud region. Each time you call this endpoint, the region’s previous provider_id is discarded and becomes invalid.

    The response is an array of objects like the following:

    [
      {
        "organization_id": "ORGANIZATION_ID",
        "provider_id": "PROVIDER_ID",
        "provider": "gcp"
      }
    ]

  3. Copy the provider_id from the response, which is a unique identifier for a DataStax-owned Google Cloud project. You will use this ID to define allowed principals in your key’s IAM policy.

    Some Google Cloud regions have two provider IDs. If your region returns two provider IDs, you must include both IDs in your key’s IAM policy.

  4. In Google Cloud KMS, create a key ring in the same region that you used in the previous DevOps API request.

  5. Create a symmetric encryption key with the Protection level set to Software.

  6. Grant IAM roles on the key to the following principals, which are Google-managed service accounts in the DataStax-owned project (the Compute Engine default service account, the Compute Engine service agent, and the Cloud Storage service agent):

    PROVIDER_ID-compute@developer.gserviceaccount.com
    service-PROVIDER_ID@compute-system.iam.gserviceaccount.com
    service-PROVIDER_ID@gs-project-accounts.iam.gserviceaccount.com

    Replace PROVIDER_ID with the provider_id that was returned by the DevOps API. If your Google Cloud region has two provider IDs, add principals for both IDs (six principals in total). Compare each ID against the DevOps API response before you grant access: a binding to the wrong ID gives another project’s service accounts the right to use your key.

  7. Grant those principals the minimum required permissions on the key, which include cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt, either through a custom role or through the Cloud KMS Admin and Cloud KMS Crypto Operator predefined roles. Cloud KMS Admin also lets the grantee change the key’s IAM policy and destroy key versions, so where your policy calls for least privilege, prefer a custom role or the Cloud KMS CryptoKey Encrypter/Decrypter predefined role, which is limited to encrypt and decrypt.

  8. Copy the key’s resource name. This is the cryptoKey resource name, in the form projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME, not the name of an individual key version.

  9. Use the DevOps API to register your customer key in your Astra organization:

    curl -sS -L -X POST "https://api.astra.datastax.com/v2/kms/classic" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
      "orgId": "ORGANIZATION_ID",
      "gcp": {
        "keyID": "RESOURCE_NAME",
        "region": "REGION"
      }
    }'

    Replace the following:

    • APPLICATION_TOKEN: Your Astra application token.

    • ORGANIZATION_ID: Your Astra organization ID.

    • RESOURCE_NAME: Your key’s resource name from Google Cloud KMS.

    • REGION: The region where you created your key, such as us-east1.

  10. Deploy databases in the same provider-specific region as the registered key.

    Astra uses the registered key to encrypt all Astra Managed Clusters databases that you deploy to the same provider-specific region.

    Creating new databases and adding regions to multi-region databases are both considered database deployments. For multi-region databases, you must register a key in each desired region before you deploy the database to those regions. For more information, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.

  11. Optional: Enable customer key encryption for other regions, providers, or database types.

    To enable customer key encryption for Astra Managed Clusters databases in other Google Cloud regions, repeat this entire process for each applicable region.

    To configure customer key encryption for other cloud providers or Astra DB Serverless databases, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.
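The following script is an added example and is not DataStax or IBM code. It automates the Google Cloud KMS side shared by both procedures above (key ring, software-protected symmetric key, one IAM binding per Astra principal, and the resource name to register) and builds the DevOps API registration call. Every command is printed rather than executed unless DRY_RUN=0, so the planned IAM bindings can be reviewed before any access is granted. The project, key ring and key names in the sample run are constructed placeholders, and roles/cloudkms.cryptoKeyEncrypterDecrypter is assumed as the narrow role that carries useToEncrypt and useToDecrypt; the page itself lists the Cloud KMS Admin and Crypto Operator predefined roles as alternatives.

```shell
#!/usr/bin/env bash
# Added example (not DataStax or IBM code). Assumptions not taken from the page:
# the placeholder project/key-ring/key names in the sample run at the bottom, and
# roles/cloudkms.cryptoKeyEncrypterDecrypter as the least-privilege role.

# Print the principals Astra needs on the key, one per line, already in the
# --member form gcloud expects. Pass one or two provider IDs (some regions have two).
astra_kms_principals() {
  for id in "$@"; do
    printf 'serviceAccount:%s-compute@developer.gserviceaccount.com\n' "$id"
    printf 'serviceAccount:service-%s@compute-system.iam.gserviceaccount.com\n' "$id"
    printf 'serviceAccount:service-%s@gs-project-accounts.iam.gserviceaccount.com\n' "$id"
  done
}

# JSON body for POST /v2/kms/classic, using the field names shown on the page.
# $1 = organization ID, $2 = cryptoKey resource name, $3 = region
astra_register_payload() {
  printf '{"orgId":"%s","gcp":{"keyID":"%s","region":"%s"}}' "$1" "$2" "$3"
}

# Execute a command, or only echo it when DRY_RUN is unset or 1.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Key ring, software-protected symmetric key, one IAM binding per principal,
# then the cryptoKey resource name that goes into the Key ID field / keyID parameter.
# $1 project, $2 location (same as the Astra region), $3 key ring, $4 key, $5 role,
# remaining args = one or two provider IDs from the Astra Portal or the DevOps API.
provision_astra_cmek() {
  project=$1; location=$2; keyring=$3; key=$4; role=$5; shift 5
  run gcloud kms keyrings create "$keyring" --project "$project" --location "$location"
  run gcloud kms keys create "$key" --project "$project" --location "$location" \
    --keyring "$keyring" --purpose encryption --protection-level software
  # Principals contain no whitespace, so word splitting the output is safe here.
  for member in $(astra_kms_principals "$@"); do
    run gcloud kms keys add-iam-policy-binding "$key" --project "$project" \
      --location "$location" --keyring "$keyring" --member "$member" --role "$role"
  done
  # Prints projects/P/locations/L/keyRings/R/cryptoKeys/K
  run gcloud kms keys describe "$key" --project "$project" --location "$location" \
    --keyring "$keyring" --format 'value(name)'
}

# Register the key with the DevOps API (POST /v2/kms/classic).
# In dry-run mode the bearer token is echoed, so pass a placeholder there.
register_astra_cmek() {
  token=$1; org_id=$2; key_name=$3; region=$4
  run curl -sS -L -X POST "https://api.astra.datastax.com/v2/kms/classic" \
    --header "Authorization: Bearer $token" \
    --header "Content-Type: application/json" \
    --data "$(astra_register_payload "$org_id" "$key_name" "$region")"
}

# Sample run with constructed placeholder values; prints the plan (DRY_RUN defaults to 1).
# Two provider IDs are passed to show the six-principal case.
provision_astra_cmek example-gcp-project us-east1 astra-cmek-ring astra-cmek-key \
  roles/cloudkms.cryptoKeyEncrypterDecrypter 111111111111 222222222222
register_astra_cmek APPLICATION_TOKEN ORGANIZATION_ID \
  projects/example-gcp-project/locations/us-east1/keyRings/astra-cmek-ring/cryptoKeys/astra-cmek-key \
  us-east1
```

Run it once with the default dry run and compare the printed --member values against the provider IDs you were given; only then rerun with DRY_RUN=0. The gcloud location must match the region you selected in Astra, and the register step must use the same region string, because Astra only applies the key to databases deployed in that provider-specific region.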


© Copyright IBM Corporation 2026

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.
