Encryption Keys

Datacenters running on Amazon's EBS infrastructure can be encrypted with an AWS KMS key. See Setting Up a Datacenter with EBS Encryption for more information on sharing a KMS key with Instaclustr.

List available keys

To list the encryption keys previously added to this account, make a GET request to https://api.instaclustr.com/provisioning/v1/encryption-keys

The response will contain an array of key objects. The "id" of each object may be used to provision encrypted clusters:

[ 
   { 
      "id":"ff4fccf3-2ac0-494b-9f40-e95288dd752d",
      "arn":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc",
      "alias":"virginia 1"
   }
]

Add a KMS key

To add an encryption key, make a POST request to https://api.instaclustr.com/provisioning/v1/encryption-keys with the JSON body:

{
    "alias":"virginia key",
    "arn":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abd"
}

If validation succeeds, the API will respond with 202 Accepted and a JSON body containing the key ID that may be used to provision encrypted clusters.
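
A pre-flight check that can be run before the POST, as an added example that is not Instaclustr's own code: it confirms that the ARN is a KMS key ARN (not an alias ARN or a bare key ID), that it belongs to the AWS account and region you intend to share from, and that it is not already in the list returned by the GET request. The function names and the expected-account and expected-region parameters are assumptions made for this example.

```python
import json
import re

# arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
# The key id is a UUID, or "mrk-" plus 32 hex digits for a multi-Region key.
KMS_KEY_ARN = re.compile(
    r"arn:(?P<partition>aws|aws-cn|aws-us-gov):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):key/(?P<key_id>"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"|mrk-[0-9a-f]{32})"
)


def parse_kms_key_arn(arn):
    """Split a KMS key ARN into its fields; reject alias ARNs and bare ids."""
    match = KMS_KEY_ARN.fullmatch(arn)
    if match is None:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return match.groupdict()


def build_add_key_body(alias, arn, expected_account, expected_region, existing_keys):
    """Return the JSON body for the POST, or raise ValueError if a check fails.

    existing_keys is the decoded array returned by the GET request.
    """
    fields = parse_kms_key_arn(arn)
    if fields["account"] != expected_account:
        raise ValueError(f"key belongs to account {fields['account']}")
    if fields["region"] != expected_region:
        raise ValueError(f"key is in {fields['region']}, not {expected_region}")
    for key in existing_keys:
        if key["arn"] == arn:
            raise ValueError(f"ARN already registered with id {key['id']}")
    return json.dumps({"alias": alias, "arn": arn})


# Sample data copied from the response and request shown on this page.
LISTED = json.loads("""[{"id": "ff4fccf3-2ac0-494b-9f40-e95288dd752d",
  "arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc",
  "alias": "virginia 1"}]""")
NEW_ARN = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abd"

if __name__ == "__main__":
    print(build_add_key_body("virginia key", NEW_ARN, "123456789012", "us-east-1", LISTED))
```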

Remove a KMS key

Make a DELETE request to https://api.instaclustr.com/provisioning/v1/encryption-keys/<key-id>

If successful, the API will respond with 202 Accepted.

If the key is in use by a running cluster, the API will respond with 400 Bad Request and a JSON body with the message "Encryption key in use. Data centres using this key need to be deleted first."
