Prepare to use customer-managed encryption keys with Astra Managed Clusters

You must configure customer keys before you deploy the databases that will use those keys. You cannot use a new customer key for an existing database.

Encryption is a widely accepted security mechanism, and Astra provides data encryption by default. Customer-managed encryption keys (CMEK) give you additional control over your encryption keys and access to data at rest. Customer-managed encryption keys are also known as customer keys, customer managed keys (CMK), bring-your-own keys, and custom encryption keys.

Astra Managed Clusters supports customer key encryption for databases deployed to AWS and Google Cloud regions.

Databases that aren’t encrypted by customer keys use Astra-provided encryption keys.

If you have more stringent compliance requirements, consider using application-level encryption. For example, with Cassandra drivers, you can use driver-level encryption, such as column encryption with the Python driver and column encryption with the C# driver.

Billed charges for premium runtime and cloud provider services

Customer key encryption is a premium feature that requires a paid plan.

Additionally, customer keys incur billed charges in your cloud provider. For more information, see the customer key pricing documentation for your cloud provider:

Determine how many keys you need

Before you register customer keys and deploy databases, learn how Astra uses customer keys so you can determine how many keys you need.

In Astra, customer keys are associated with a specific cloud provider and region, and then the same key encrypts all databases that are deployed to that key’s cloud provider and region. For example:

  • If you plan to deploy databases in AWS us-east-2 and AWS ap-south-1, then you need two keys (one key for each region).

  • If you plan to deploy databases in AWS us-east-2 only, then you need only one key because there is only one region to encrypt.

  • If you plan to deploy databases in AWS us-east-1 and GCP us-east1, then you need two keys because regions are in different cloud providers.

For multi-region databases, you need a separate key for each region. For example, if you plan to deploy a multi-region database to us-east-2 and ap-south-1, then you need two keys (one key for each region).

Additionally, if you plan to deploy both Astra DB Serverless databases and Astra Managed Clusters databases, then Astra requires separate keys for each database type, even if they are deployed to the same cloud provider and region. If you use only one database type, then you need one key for each cloud provider and region where you plan to deploy your databases. For example, if you plan to deploy databases in us-east-2 and ap-south-1, then you need two keys (one key for each region). If you use both database types, then you need separate keys for each type in each of those regions.

If you have multiple Astra organizations, DataStax recommends separate keys for each organization.

In summary, you need one customer key for each combination of database type, cloud provider, and region. For example, each of the following combinations requires its own key:

Example customer key combinations

Database type            Cloud provider   Region
Astra DB Serverless      AWS              us-east-2
Astra DB Serverless      AWS              ap-south-1
Astra DB Serverless      Google Cloud     us-east1
Astra Managed Clusters   AWS              us-east-2
Astra Managed Clusters   AWS              ap-south-1
Astra Managed Clusters   Google Cloud     us-east1
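To make the counting rule concrete, here is a small planning helper written for this page (it is not DataStax code and uses no Astra API). It takes a constructed list of planned databases and derives the set of keys to register: one key per combination of database type, cloud provider, and region, shared by every database in that combination, with a multi-region database contributing one region at a time, and Astra Managed Clusters in Microsoft Azure regions excluded because that combination cannot use a customer key. The class and function names, and the sample database names and regions, are this example's own; run it once per Astra organization if you follow the recommendation to keep keys separate per organization.

```python
from dataclasses import dataclass
from typing import Iterable

# Database types and cloud providers as named on the page.
SERVERLESS = "Astra DB Serverless"
MANAGED = "Astra Managed Clusters"
AWS, GCP, AZURE = "AWS", "Google Cloud", "Microsoft Azure"

# The page states that Astra Managed Clusters databases don't support customer
# keys in Microsoft Azure regions; those databases use Astra-provided keys.
UNSUPPORTED_COMBINATIONS = {(MANAGED, AZURE)}


@dataclass(frozen=True)
class PlannedDatabase:
    """A database you intend to deploy (field names are this example's own)."""
    name: str
    db_type: str
    cloud_provider: str
    regions: tuple  # one region for single-region, several for multi-region


def unsupported_databases(plan: Iterable[PlannedDatabase]) -> list:
    """Names of planned databases that can't be encrypted with a customer key."""
    return [db.name for db in plan
            if (db.db_type, db.cloud_provider) in UNSUPPORTED_COMBINATIONS]


def required_keys(plan: Iterable[PlannedDatabase]) -> set:
    """Return the (db_type, cloud_provider, region) combinations that each need one key.

    One key serves every database of the same type deployed to the same
    provider and region, so the result is a set: a second database in an
    already-covered combination adds no key. A multi-region database
    contributes one combination per region.
    """
    keys = set()
    for db in plan:
        if (db.db_type, db.cloud_provider) in UNSUPPORTED_COMBINATIONS:
            continue  # no customer key can be registered for this combination
        for region in db.regions:
            keys.add((db.db_type, db.cloud_provider, region))
    return keys


def key_plan(plan: Iterable[PlannedDatabase]) -> dict:
    """Group the required keys as a checklist: {(db_type, provider): [regions...]}."""
    grouped = {}
    for db_type, provider, region in sorted(required_keys(plan)):
        grouped.setdefault((db_type, provider), []).append(region)
    return grouped


# Constructed deployment plan for this example (not taken from the page).
EXAMPLE_PLAN = [
    PlannedDatabase("orders", SERVERLESS, AWS, ("us-east-2",)),
    PlannedDatabase("inventory", SERVERLESS, AWS, ("us-east-2",)),        # shares the "orders" key
    PlannedDatabase("ledger", MANAGED, AWS, ("us-east-2", "ap-south-1")),  # multi-region: two keys
    PlannedDatabase("search", MANAGED, GCP, ("us-east1",)),
    PlannedDatabase("reports", MANAGED, AZURE, ("eastus",)),              # unsupported combination
]

if __name__ == "__main__":
    for (db_type, provider), regions in key_plan(EXAMPLE_PLAN).items():
        for region in regions:
            print(f"Register one key: {db_type} / {provider} / {region}")
    for name in unsupported_databases(EXAMPLE_PLAN):
        print(f"{name}: no customer key possible; Astra-provided encryption applies")
```

For the constructed plan above the helper yields four keys (Serverless/AWS/us-east-2, Managed/AWS/us-east-2, Managed/AWS/ap-south-1, Managed/Google Cloud/us-east1) and flags the Azure Managed Clusters database as one that will keep Astra-provided encryption; the two Serverless databases in the same region share a single key, which is the point of the rule.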

Configure customer key encryption

After you determine how many keys you need, you must create and register those keys in your Astra organization before you deploy the databases that will use those keys for encryption.

The process to create and register a key depends on the database type and cloud provider. Although some steps are the same, there are specific differences that are crucial for correct and successful customer key configuration. For example, the DevOps API has different customer key endpoints for each database type and each cloud provider.

Database type            Cloud provider    Documentation
Astra DB Serverless      AWS               Encrypt Astra DB Serverless databases with AWS Key Management Service customer managed keys
Astra DB Serverless      Google Cloud      Encrypt Astra DB Serverless databases with Google Cloud Key Management Service customer-managed encryption keys
Astra DB Serverless      Microsoft Azure   Encrypt Astra DB Serverless databases with Microsoft Azure Key Vault encryption keys
Astra Managed Clusters   AWS               Encrypt Astra Managed Clusters databases with AWS Key Management Service customer managed keys
Astra Managed Clusters   Google Cloud      Encrypt Astra Managed Clusters databases with Google Cloud Key Management Service customer-managed encryption keys
Astra Managed Clusters   Microsoft Azure   Not supported. Astra Managed Clusters databases don’t support customer key encryption in Microsoft Azure regions. These databases are encrypted with Astra-provided encryption keys.
