Key Manager API
Introduction
Scaleway's Key Manager allows you to create, manage and use cryptographic keys in a centralized and secure service. All your cryptographic operations can be delegated to the Key Manager, which in turn ensures the security and availability of your keys.
Key Manager supports the following cryptographic operations: data encryption, data decryption, and data encryption key generation.
Concepts
Refer to our dedicated concepts page to find definitions of the different terms referring to Key Manager.
Quickstart
1. Configure your environment variables.
   Note: This is an optional step that seeks to simplify your usage of the API.
   export SCW_ACCESS_KEY="<API access key>"
   export SCW_SECRET_KEY="<API secret key>"
   export SCW_PROJECT_ID="<Scaleway Project ID>"
   The commands below also use $REGION (one of the region values listed under Regions) and $KEY_ID (the ID of your key). Shell variables are spliced into the JSON bodies with the '"$VAR"' pattern, because variables are not expanded inside single quotes.
2. Create a key. Run the following command to create a key that you can use to encrypt and decrypt your data:
   curl "https://api.scaleway.com/key-manager/v1alpha1/regions/$REGION/keys" \
     -H "Content-Type: application/json" \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     -d '{"project_id": "'"$SCW_PROJECT_ID"'", "name": "my-key", "usage": {"symmetric_encryption": "aes_256_gcm"}}'
3. Rotate your key. Run the following command to generate a new version of your key. This operation renders your previous key version obsolete.
   curl "https://api.scaleway.com/key-manager/v1alpha1/regions/$REGION/keys/$KEY_ID/rotate" \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     -d '{"key_id": "'"$KEY_ID"'"}'
4. Encrypt data. Run the following command to encrypt data with the key you have created in step 2:
   curl "https://api.scaleway.com/key-manager/v1alpha1/regions/$REGION/keys/$KEY_ID/encrypt" \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     -d '{"key_id": "'"$KEY_ID"'", "plaintext": "'"$(echo -n "plaintext-data" | base64)"'"}'
5. Generate a data encryption key. Run the following command to generate a data encryption key that you can use for cryptographic operations outside of Key Manager:
   curl "https://api.scaleway.com/key-manager/v1alpha1/regions/$REGION/keys/$KEY_ID/generate-data-key" \
     -H "X-Auth-Token: $SCW_SECRET_KEY" \
     -d '{"key_id": "'"$KEY_ID"'", "algorithm": "aes_256_gcm"}'
To perform the following steps, you must first ensure that:
- You have your Organization and your Project ID
- You have a Scaleway account
- You have created an API key and that the API key has sufficient IAM permissions to perform the actions described on this page
- You have installed curl
Technical information
Regions
Scaleway's infrastructure spans different regions and Availability Zones.
Key Manager is available in the Paris, Amsterdam and Warsaw regions, which are represented by the following path parameters:
- fr-par
- nl-ams
- pl-waw
Technical limitations
- The maximum payload size that can be encrypted is 64KB of plaintext
- The maximum payload size that can be decrypted is around 131KB of data
- The only key algorithm currently supported by Key Manager is AES-256-GCM.
- While Scaleway Key Manager is responsible for generating, encrypting, and decrypting data encryption keys, it does not store, manage, or monitor them, nor does it engage in cryptographic operations with these keys. You must use and manage data encryption keys outside of Key Manager. Read our documentation to find out about security measures to be aware of while using Key Manager.
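The following shell helper is an added example, not part of Scaleway's documentation: it builds the request body for the encrypt call from a file, refuses payloads over the 64KB plaintext limit listed above (the case where a data encryption key is the alternative), and strips the line wrapping that some base64 implementations add to longer output. The function names and the reading of 64KB as 65536 bytes are assumptions.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of any Scaleway tool.
KM_MAX_PLAINTEXT=65536   # assumption: "64KB" on this page read as 64 * 1024 bytes

# km_endpoint FILE -> prints the endpoint suited to the payload size:
# "encrypt" within the limit, "generate-data-key" above it.
km_endpoint() {
    size=$(($(wc -c < "$1"))) || return 2   # $(( )) normalises wc padding
    if [ "$size" -le "$KM_MAX_PLAINTEXT" ]; then
        echo encrypt
    else
        echo generate-data-key
    fi
}

# km_encrypt_body KEY_ID FILE -> prints the JSON body for .../encrypt,
# or returns non-zero without output when the request should not be sent.
km_encrypt_body() {
    key_id=$1
    file=$2
    # Reject IDs with characters that could break out of the JSON string.
    case $key_id in
        ''|*[!A-Za-z0-9-]*) echo "invalid key id" >&2; return 1 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    if [ "$(km_endpoint "$file")" != encrypt ]; then
        echo "payload over $KM_MAX_PLAINTEXT bytes: use a data encryption key" >&2
        return 1
    fi
    # Some base64 implementations wrap long output; a newline inside the
    # value would make the JSON body invalid, so remove them.
    b64=$(base64 < "$file" | tr -d '\n')
    printf '{"key_id": "%s", "plaintext": "%s"}\n' "$key_id" "$b64"
}

# Usage with the endpoint from the quickstart (not executed here):
#   km_encrypt_body "$KEY_ID" ./secret.bin | curl \
#     "https://api.scaleway.com/key-manager/v1alpha1/regions/$REGION/keys/$KEY_ID/encrypt" \
#     -H "X-Auth-Token: $SCW_SECRET_KEY" -d @-
```

Piping the body to curl with `-d @-` keeps the plaintext out of the process argument list.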
Going further
For more information about Key Manager, you can check out the following pages:
Keys
Keys are logical containers you create in Key Manager to store cryptographic keys. They support encryption, decryption, and the generation of data encryption keys.
GET /key-manager/v1alpha1/regions/{region}/keys
POST /key-manager/v1alpha1/regions/{region}/keys
GET /key-manager/v1alpha1/regions/{region}/keys/{key_id}
PATCH /key-manager/v1alpha1/regions/{region}/keys/{key_id}
DELETE /key-manager/v1alpha1/regions/{region}/keys/{key_id}
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/decrypt
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/delete-key-material
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/disable
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/enable
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/encrypt
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/generate-data-key
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/import-key-material
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/protect
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/rotate
POST /key-manager/v1alpha1/regions/{region}/keys/{key_id}/unprotect