Datacenters running on Amazon's EBS infrastructure can be encrypted with an AWS KMS key. See Setting Up a Datacenter with EBS Encryption for more information on sharing a KMS key with Instaclustr.
List available keys
To get a list of encryption keys previously added to this account, make a GET request to https://api.instaclustr.com/provisioning/v1/encryption-keys
The response will contain an array of key IDs that may be used to provision encrypted clusters:
[
  {
    "id": "ff4fccf3-2ac0-494b-9f40-e95288dd752d",
    "arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abc",
    "alias": "virginia 1"
  }
]
Add a KMS key
To add an encryption key, make a POST request to https://api.instaclustr.com/provisioning/v1/encryption-keys with the JSON body:
{
  "alias": "virginia key",
  "arn": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789abd"
}
If validation succeeds, we will respond with 202 Accepted and a JSON body containing the key ID that may be used to provision encrypted clusters.
Remove a KMS key
Make a DELETE request to https://api.instaclustr.com/provisioning/v1/encryption-keys/<key-id>
If successful, the API will respond with 202 Accepted.
If the key is in use by a running cluster, the API will respond with 400 Bad Request and a JSON body with the message "Encryption key in use. Data centres using this key need to be deleted first."
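
An added example, not Instaclustr's own code: Python helpers that read the list response and build the add and delete requests described above, checking the ARN and key ID shape before anything is sent. Authentication is not covered on this page, so the requests are built without credentials and are not sent; the function names, the Content-Type header and the sample listing are assumptions made for illustration.

```python
import json
import re
import urllib.request

BASE = "https://api.instaclustr.com/provisioning/v1/encryption-keys"
UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Matches the key ARN shape shown on this page (12-digit account, key UUID).
# Alias ARNs and malformed strings are rejected before a request is built.
KEY_ARN = re.compile(r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/" + UUID)
KEY_ID = re.compile(UUID)

# Constructed sample of the GET response, using the values shown above.
SAMPLE_LISTING = (
    '[{"id":"ff4fccf3-2ac0-494b-9f40-e95288dd752d",'
    '"arn":"arn:aws:kms:us-east-1:123456789012:key/'
    '12345678-1234-1234-1234-123456789abc","alias":"virginia 1"}]'
)


def find_key_id(listing_json, arn):
    """Return the key id registered for `arn` in a GET response, or None."""
    for entry in json.loads(listing_json):
        if entry.get("arn") == arn:
            return entry.get("id")
    return None


def add_key_request(alias, arn):
    """Build (not send) the POST that registers a KMS key."""
    if not KEY_ARN.fullmatch(arn):
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    body = json.dumps({"alias": alias, "arn": arn}).encode()
    return urllib.request.Request(
        BASE, data=body, method="POST",
        headers={"Content-Type": "application/json"})  # header is assumed


def delete_key_request(key_id):
    """Build (not send) the DELETE; a bare UUID cannot alter the URL path."""
    if not KEY_ID.fullmatch(key_id):
        raise ValueError(f"not a key id: {key_id!r}")
    return urllib.request.Request(f"{BASE}/{key_id}", method="DELETE")


def delete_outcome(status, body=""):
    """Map the documented DELETE responses to an outcome string."""
    if status == 202:
        return "accepted"
    if status == 400 and "Encryption key in use" in body:
        return "key-in-use"  # data centres using the key must go first
    return "unexpected"
```

The ARN pattern deliberately follows the format shown on this page; loosen it if your keys use a different key ID format.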