Customer keys overview

Encryption is a widely accepted mechanism to secure data against breaches. By default, Astra DB encrypts data, and cloud providers, such as AWS and Google Cloud, offer encryption solutions. Because cloud providers have access to the keys and ultimately to the data, you can further limit data access with customer keys.

Customer keys are also commonly referred to as "bring-your-own-keys," "custom encryption keys," or "customer-managed keys."

Customer keys apply to only databases created after the customer key is configured. Customer keys cannot be applied to existing databases. Existing databases continue to use vendor-provided keys.

Astra DB allows you to associate your defined key from the cloud provider’s key management service (KMS) with a customer key in Astra DB. Data encryption is defined as a process that transforms data into an encoded format. Once encoded, the data is incomprehensible without being decrypted. Data encryption is essential for organizations in all industries because it protects data from unauthorized access. When thinking of data encryption, there are two main scenarios:

Data at rest

Encrypting data while it is stored in the file storage in use.

Data in transit

Encrypting data while it travels through private or public networks.

Customer keys allows you to manage encryption data at rest.

Customer keys are supported for multi-region databases. Each region is encrypted using its own key. To use keys for a multi-region database, you must create a customer key in each provider-region combination in the KMS and Astra DB.


Customer keys allow you to take full control of the encryption keys when storing data in the cloud. A KMS provides protection against data breaches by alerting you when tampering occurs. In a KMS, you can configure specific policies to adhere to compliance guidelines, such as auditing, key rotation, and access.

Setting up a customer key for your Astra DB database enables the separation of the encrypted lock and the key that encrypts and decrypts the data. This separation of lock and key is a best practice to secure data using encryption.

After setting up a customer managed key in your cloud provider account’s KMS, use Astra Portal or the DevOps API to associate an existing AWS CMK with a customer key in Astra DB.


This feature is available for paid DB Serverless users with AWS and Google Cloud regions, supported using Astra Portal and DevOps API. To upgrade to a Pay as You Go plan from a Free plan, click Billing in the Astra Portal and then Add Payment Method. Add your payment and billing information. Click Upgrade to upgrade to the Pay as You Go plan.


Customer Managed Keys (CMK) in AWS might incur a monthly fee and a fee for use in excess of the AWS free tier. The fees are counted against the AWS KMS quotas for your AWS account. For details, see AWS Key Management Service Pricing and Quotas in the AWS documentation.

Google Cloud

Customer Managed Encryption Keys (CMEK) in Google Cloud might incur a monthly fee and a fee for use in excess of the Google Cloud free tier. The fees are counted against the Google Cloud KMS quotas for your project. For details, see Customer Managed Encryption Key in the Google Cloud documentation.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,