Key Manager API

v1alpha1

Introduction

Scaleway's Key Manager allows you to create, manage and use cryptographic keys in a centralized and secure service. All your cryptographic operations can be delegated to the Key Manager, which in turn ensures the security and availability of your keys.

Key Manager supports the following cryptographic operations: data encryption, data decryption, and data encryption key generation.

Important

This API concerns Key Manager which is currently in Private beta. You must have been invited to the Private beta in order to use the resource.

Quickstart

Configure your environment variables.

Note

This is an optional step that seeks to simplify your usage of the API.

export SCW_ACCESS_KEY="<API access key>"
export SCW_SECRET_KEY="<API secret key>"
export SCW_PROJECT_ID="<Scaleway Project ID>"

Create a key. Run the following command to create a key that you can use to encrypt and decrypt your data:

curl "https://api.scaleway.com/key-manager/v1alpha1/regions/$REGION/keys" \
  -H "Content-Type: application/json" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  -d '{
    "project_id": "'"$PROJECT_ID"'",
    "name": "my-key",
    "usage": {
        "symmetric_encryption": "aes_256_gcm"
    }
   }'

Rotate your key. Run the following command to generate a new version of your key. This operation renders your previous key version obsolete.

curl "https://api.scaleway.com/key-manager/v1alpha1/regions/$REGION/keys/<KEY_ID>/rotate" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  -d '{
    "key_id": "'"$KEY_ID"'"
  }'

Encrypt data. Run the following command to encrypt data with the key you have created in step 2:

curl "https://api.scaleway.com/key-manager/v1alpha1/regions/$REGION/keys/<KEY_ID>/encrypt" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  -d '{
    "key_id": "'"$KEY_ID"'",
    "plaintext": "'"$(echo -n "plaintext-data" | base64)"'"
  }'

Generate a data encryption key. Run the following command to generate a data encryption key that you can use for cryptographic operations outside of Key Manager:

curl "https://api.scaleway.com/key-manager/v1alpha1/regions/$REGION/keys/<KEY_ID>/generate-data-key" \
  -H "X-Auth-Token: $SCW_SECRET_KEY" \
  -d '{
    "key_id": "'"$KEY_ID"'",
    "algorithm": "aes_256_gcm"
  }'

Requirements

To perform the following steps, you must first ensure that:

You have been invited to the Key Manager Private beta
You have your Organization and your Project ID
You have a Scaleway account
You have created an API key and that the API key has sufficient IAM permissions to perform the actions described on this page
You have installed curl

Technical information

Regions

Scaleway's infrastructure spans different regions and Availability Zones.

Key Manager is available in the Paris, Amsterdam and Warsaw regions, which are represented by the following path parameters:

fr-par
nl-ams
pl-waw.

Keys

Keys are logical containers you create in Key Manager to store cryptographic keys. You can use them to encrypt and decrypt data, or to generate data encryption keys

GET/key-manager/v1alpha1/regions/{region}/keys

POST/key-manager/v1alpha1/regions/{region}/keys

GET/key-manager/v1alpha1/regions/{region}/keys/{key_id}

PATCH/key-manager/v1alpha1/regions/{region}/keys/{key_id}

DELETE/key-manager/v1alpha1/regions/{region}/keys/{key_id}

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/decrypt

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/delete-key-material

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/disable

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/enable

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/encrypt

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/generate-data-key

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/import-key-material

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/protect

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/rotate

POST/key-manager/v1alpha1/regions/{region}/keys/{key_id}/unprotect