Manage customer-managed encryption keys in Astra

After you configure customer-managed encryption keys (CMEK) for your Astra DB Serverless databases, you can view registered keys, rotate keys, and delete keys or revert to default encryption.

View customer keys

You can inspect registered customer keys for Astra DB Serverless databases in the Astra Portal or with the DevOps API. The Astra Portal includes a status indicating whether the key is in use by any databases.

View all Astra DB Serverless encryption keys in the Astra Portal
  1. In the Astra Portal header, click Settings.

  2. In the Settings navigation menu, make sure the enterprise/organization filter is set to the organization that you want to manage.

    If the organization belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.

  3. In the Settings navigation menu, click Security.

  4. In the Key Encryption section, review the list of encryption keys for Astra DB Serverless databases that are registered in the selected organization.

    Possible key statuses include:

    • In-Use: One or more databases are encrypted by the customer key.

    • Available: The customer key is available to your organization, but the key is not in use by any databases. To use a customer key for encryption, a database must be deployed to the same cloud provider and region as the customer key. Additionally, the database must have been deployed after you registered the key in your Astra organization.

      Azure Key Vault keys always report Available (tooltip: Key is available, but usage tracking is unavailable.), even when a database is using them. For Azure keys, check the database's Region Usage details instead of relying on this status.

View encryption keys for one database in the Astra Portal
  1. In the Astra Portal, click the name of the database that you want to inspect.

  2. In the Regions section, click More, and then select Details.

    The Region Usage details include the status of customer keys used by this database in each region where the database is deployed.

Get encryption keys for one region with the DevOps API

You can use the DevOps API to get registered encryption keys for a specific region. You must specify the cloud provider (aws, gcp, or azure) and region to retrieve:

curl -sS -L -X GET "https://api.astra.datastax.com/v2/kms/provider/PROVIDER/region/REGION" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

A successful response includes the organization ID, provider, key ID, and region. The keyID is the registered key’s ARN (for AWS), resource name (for GCP), or key identifier (for Azure).

Result
{
  "orgId": "ORGANIZATION_ID",
  "provider": "PROVIDER",
  "keyID": "KEY_ID",
  "region": "REGION"
}
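The following script is an added example, not DataStax or IBM code. It calls the per-region endpoint shown above and then checks the returned keyID against the identifier syntax expected for the named provider (AWS KMS ARN, Google Cloud KMS resource name, or Azure Key Vault key identifier), including that an AWS or GCP key actually lives in the region it was registered for, which is the precondition stated under the Available status. The flat four-field response shape, the identifier patterns, the sample responses, and the ASTRA_TOKEN environment variable are all assumptions made for the example.

```python
"""Fetch and sanity-check a registered customer key for one region.

Added example, not DataStax/IBM code. It calls the endpoint documented on this
page (GET /v2/kms/provider/{provider}/region/{region}) and assumes the response is
a flat object {orgId, provider, keyID, region}. The identifier patterns below are
assumptions about each cloud provider's key identifier syntax.
"""
import json
import os
import re
import urllib.request

ASTRA_DEVOPS = "https://api.astra.datastax.com/v2"

# Assumed identifier shapes, one per provider. The named "region" group, where
# present, is compared with the region the key was registered for.
KEY_ID_PATTERNS = {
    "aws": re.compile(
        r"^arn:aws[a-z-]*:kms:(?P<region>[a-z0-9-]+):\d{12}:key/[0-9a-f-]{36}$"),
    "gcp": re.compile(
        r"^projects/[^/]+/locations/(?P<region>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$"),
    "azure": re.compile(
        r"^https://[a-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+(/[0-9a-f]{32})?$"),
}


def validate_key_id(provider, key_id, expected_region=None):
    """Return (ok, reason). Checks the identifier shape for the provider and,
    for AWS and GCP, that the key's region matches the registered region."""
    pat = KEY_ID_PATTERNS.get(provider)
    if pat is None:
        return False, f"unknown provider {provider!r}"
    m = pat.match(key_id)
    if m is None:
        return False, f"{provider} key identifier has unexpected format"
    if expected_region and "region" in m.groupdict():
        if m.group("region") != expected_region:
            return False, f"key is in {m.group('region')}, database region is {expected_region}"
    return True, "ok"


def check_response(body, provider, region):
    """Parse a per-region response (JSON text or dict) and validate its contents."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    missing = [f for f in ("orgId", "provider", "keyID", "region") if f not in data]
    if missing:
        return False, f"response missing fields: {missing}"
    if data["provider"] != provider or data["region"] != region:
        return False, "response provider/region do not match the request"
    return validate_key_id(provider, data["keyID"], region)


def get_region_key(provider, region, token):
    """Live call: needs network access and a token allowed to read KMS settings."""
    req = urllib.request.Request(
        f"{ASTRA_DEVOPS}/kms/provider/{provider}/region/{region}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses with placeholder org, account and key values.
SAMPLE_OK = {
    "orgId": "00000000-0000-0000-0000-000000000000",
    "provider": "aws",
    "keyID": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    "region": "us-east-1",
}
# Same key, but reported for a region the ARN does not belong to.
SAMPLE_WRONG_REGION = dict(SAMPLE_OK, region="us-west-2")

if __name__ == "__main__":
    print(check_response(SAMPLE_OK, "aws", "us-east-1"))            # (True, 'ok')
    print(check_response(SAMPLE_WRONG_REGION, "aws", "us-west-2"))  # (False, ...)
    token = os.environ.get("ASTRA_TOKEN")  # assumed variable name
    if token:
        live = get_region_key("aws", "us-east-1", token)
        print(check_response(live, "aws", "us-east-1"))
```

Run it with no token to see the offline checks; set ASTRA_TOKEN to exercise the live call. The region comparison is the check most worth keeping: a key registered under the wrong region passes a format check but can never be selected by a database deployed there.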
Get all Astra DB Serverless encryption keys with the DevOps API

You can use the DevOps API to get all registered customer keys for an organization.

Rotate customer keys

Customer key cloud providers provide automatic rotation through key versioning, which you manage in your cloud provider's KMS console (AWS KMS, Google Cloud KMS, or Azure Key Vault). In all three providers, rotation adds a new key version rather than creating a new key, so the key's identifier does not change. Do not destroy or disable older key versions in the provider's KMS, because data written before a rotation may still be encrypted under them. For more information, see the documentation for your cloud provider.

If automatic key versioning is not sufficient for your requirements, you can replace a customer key by contacting IBM Support.

Delete customer keys or use default encryption

If you want to delete an encryption key from your Astra organization, or use default Astra DB encryption instead of customer key encryption, you must contact IBM Support.

© Copyright IBM Corporation 2026