Manage customer-managed encryption keys in Astra
After you configure customer-managed encryption keys (CMEK) for your Astra Managed Clusters databases, you can view registered keys, rotate keys, and delete keys or revert to default encryption.
View customer keys
You can inspect registered customer keys for Astra Managed Clusters databases with the DevOps API.
- Get encryption keys for one region with the DevOps API

  You can use the DevOps API to get registered encryption keys for a specific region. You must specify the cloud provider (aws or gcp) and the region to retrieve:

  ```bash
  curl -sS -L -X GET "https://api.astra.datastax.com/v2/kms/classic/provider/PROVIDER/region/REGION" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"
  ```

  A successful response includes the organization ID, provider, key ID, and region. The keyID value is the registered key's ARN (for AWS) or resource name (for GCP).

  Result:

  ```json
  {
    "orgId": "ORGANIZATION_ID",
    "PROVIDER": {
      "keyID": "ARN_OR_RESOURCE_NAME",
      "region": "REGION"
    }
  }
  ```

- Get all Astra Managed Clusters encryption keys with the DevOps API

  You can use the DevOps API to get all registered customer keys for an organization.
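As an added example (not code from the Astra documentation or the DevOps API client), the following Python script builds the per-region endpoint URL, parses a response of the shape documented above, and sanity-checks the returned keyID against the expected form of an AWS KMS key ARN or a Google Cloud KMS crypto key resource name, including whether the ARN region or GCP location matches the region the key is registered for. The two sample responses are constructed, the organization ID and key identifiers are placeholders, and the check that a GCP keyID should not pin a specific cryptoKeyVersion is this example's own assumption (a pinned version cannot follow provider-side rotation). Only fetch_region_key touches the network.

```python
"""Inspect CMEK registrations returned by the Astra DevOps API.

Added example; it is not part of the Astra documentation. It assumes the
response shape documented above:
{"orgId": "...", "<provider>": {"keyID": "...", "region": "..."}}.
"""
import json
import re
import urllib.request

ASTRA_KMS_API = "https://api.astra.datastax.com/v2/kms/classic"
PROVIDERS = ("aws", "gcp")

# AWS KMS key ARN: arn:aws:kms:<region>:<12-digit account>:key/<key UUID>
AWS_KEY_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/[0-9a-f-]{36}$"
)
# Cloud KMS crypto key resource name; a trailing cryptoKeyVersions/<n> pins one version
GCP_KEY_NAME = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+"
    r"(?P<version>/cryptoKeyVersions/\d+)?$"
)

# Constructed sample responses with placeholder identifiers (not real keys).
SAMPLE_AWS_RESPONSE = json.dumps({
    "orgId": "11111111-2222-3333-4444-555555555555",
    "aws": {
        "keyID": "arn:aws:kms:us-east-1:123456789012:key/0123abcd-1111-2222-3333-444455556666",
        "region": "us-east-1",
    },
})
SAMPLE_GCP_RESPONSE = json.dumps({
    "orgId": "11111111-2222-3333-4444-555555555555",
    "gcp": {
        "keyID": "projects/example-project/locations/us-east1/keyRings/astra-ring"
                 "/cryptoKeys/astra-cmek/cryptoKeyVersions/2",
        "region": "us-east1",
    },
})


def region_key_url(provider, region):
    """Build the per-region endpoint; rejects anything but aws/gcp and odd region strings."""
    if provider not in PROVIDERS:
        raise ValueError(f"provider must be one of {PROVIDERS}, got {provider!r}")
    if not re.fullmatch(r"[a-z0-9-]+", region):
        raise ValueError(f"unexpected region format: {region!r}")
    return f"{ASTRA_KMS_API}/provider/{provider}/region/{region}"


def parse_key_response(body):
    """Extract orgId, provider, keyID and region; fail loudly on an unexpected shape."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("response is not a JSON object")
    present = [p for p in PROVIDERS if isinstance(doc.get(p), dict)]
    if "orgId" not in doc or len(present) != 1:
        raise ValueError("response does not match the documented orgId/provider shape")
    provider = present[0]
    entry = doc[provider]
    if "keyID" not in entry or "region" not in entry:
        raise ValueError(f"{provider} entry is missing keyID or region")
    return {"org_id": doc["orgId"], "provider": provider,
            "key_id": entry["keyID"], "region": entry["region"]}


def check_key(provider, key_id, region):
    """Return a list of findings (empty when the registration looks consistent)."""
    findings = []
    if provider == "aws":
        m = AWS_KEY_ARN.match(key_id)
        if not m:
            return [f"keyID is not a KMS key ARN: {key_id}"]
        if m.group("region") != region:
            findings.append(f"ARN region {m.group('region')} differs from registered region {region}")
    else:
        m = GCP_KEY_NAME.match(key_id)
        if not m:
            return [f"keyID is not a Cloud KMS crypto key resource name: {key_id}"]
        if m.group("location") != region:
            findings.append(f"key location {m.group('location')} differs from registered region {region}")
        if m.group("version"):
            # Assumption of this example: a pinned cryptoKeyVersion cannot follow provider-side rotation.
            findings.append("keyID pins a cryptoKeyVersion; provider-side key rotation will not take effect")
    return findings


def fetch_region_key(token, provider, region):
    """Call the DevOps API (network access required) and return the parsed registration."""
    req = urllib.request.Request(
        region_key_url(provider, region),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_key_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for body in (SAMPLE_AWS_RESPONSE, SAMPLE_GCP_RESPONSE):
        reg = parse_key_response(body)
        print(reg["provider"], reg["region"], reg["key_id"])
        for finding in check_key(reg["provider"], reg["key_id"], reg["region"]):
            print("  finding:", finding)
```

Run with a real application token by calling fetch_region_key(token, "aws", "us-east-1") and passing the result to check_key; the parser rejects responses that lack the orgId field or carry more than one provider block, so a changed API shape surfaces as an error rather than a silently empty result.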
Rotate customer keys
Both supported cloud providers (AWS KMS and Google Cloud KMS) provide automatic rotation through key versioning, which you configure in your cloud provider's KMS console. Rotation creates a new key version under the same key ARN or resource name, so the key registration in Astra does not change. For details, see your cloud provider's KMS documentation.
If automatic key versioning is not sufficient (for example, you need to move to a different key), you can replace a customer key by contacting IBM Support.
Delete customer keys or use default encryption
If you want to delete an encryption key from your Astra organization, or use default Astra DB encryption instead of customer key encryption, you must contact IBM Support.