For convenience, Key Manager returns the plaintext version of the DEK, but it should never be stored in this form. Storing the decrypted plaintext of your DEK undermines the security provided by Key Manager, rendering it ineffective.
Creating a data encryption key using the Scaleway API and the Scaleway CLI
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- Created a key encryption key either from the Scaleway console or the Key Manager API
- Retrieved your key encryption key’s ID
- Created an API key
- Downloaded and configured the Scaleway CLI
Generate a DEK using the Scaleway CLI
- Open a terminal and paste the following commands to export your environment variables. Make sure that you replace the placeholder values with your own.

```bash
export SCW_ACCESS_KEY=<SCALEWAY_API_ACCESS_KEY>
export SCW_SECRET_KEY=<SCALEWAY_API_SECRET_KEY>
export SCW_DEFAULT_ORGANIZATION_ID=<SCALEWAY_ORGANIZATION_ID>
export SCW_PROJECT_ID=<SCALEWAY_PROJECT_ID>
export SCW_DEFAULT_REGION="fr-par"
export SCW_API_URL="https://api.scaleway.com"
```
- Paste the following command to generate a data encryption key via the Scaleway CLI. Make sure that you replace `<your_kek_id>` with the ID of your key encryption key.

```bash
scw keymanager key generate-data-key key-id=<your_kek_id> algorithm=aes_256_gcm
```

An output similar to the following should display:

```
KeyID       <kek_id>
Algorithm   <algorithm_used_to_encrypt_your_key>
Ciphertext  <your_base64_encrypted_dek>
Plaintext   <your_base64_decrypted_dek>
CreatedAt   <creation_date>
```
Generate a DEK using the API
Paste the following command to create your data encryption key via the Key Manager API. Make sure that you replace the placeholder values with your own.
```bash
curl --location 'https://api.scaleway.com/key-manager/v1alpha1/regions/fr-par/keys/<your_key_id>/generate-data-key' \
  --header 'Content-Type: application/json' \
  --header 'X-Auth-Token: <your_secret_key>' \
  --data '{"algorithm": "aes_256_gcm"}'
```
Key Manager also supports a GenerateDataKey request without plaintext, an operation that returns only the encrypted data encryption key and never exposes the plaintext DEK in the response.
If you need to use your DEK, you can decrypt it using the Decrypt data operation, specifying the kek_id parameter of the key encryption key used to encrypt it.
Key Manager does not handle direct data encryption. It is specifically designed to encrypt and decrypt Data Encryption Keys (DEKs) and is limited to processing inputs up to 64 kB in size.
However, you can use the DEK independently from Key Manager, for example with the Tink extension or with OpenSSL.
The way the KEK is generated, its length, and the encryption algorithm used cannot be changed or customized after creation. Unlike the KEK, however, the DEK gives you the flexibility to choose any encryption algorithm (cipher) you prefer for encrypting and decrypting your data: you are not restricted to a specific encryption method for the data itself. We highly recommend that you use standard and well-established ciphers (in a proper mode of operation), as well as a library like Tink, which chooses the right cryptosystem according to your use case.
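The envelope pattern the paragraphs above describe, as an added example that is not Scaleway's code: Go's standard-library AES-256-GCM encrypts the data with the plaintext DEK and stores only the Key-Manager-encrypted DEK (the Ciphertext value) beside the result, so the plaintext DEK is never written out. It assumes the DEK bytes are the base64-decoded Plaintext value, that the encrypted DEK string is the Ciphertext value (a constructed placeholder in the test), and that `Open` receives the DEK bytes the Decrypt operation with the matching kek_id returns.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is stored next to the data: the DEK appears only in its
// Key-Manager-encrypted form (the Ciphertext value), never as plaintext.
type Envelope struct {
	EncryptedDEK string // base64 Ciphertext returned by generate-data-key
	Nonce        []byte // 12-byte GCM nonce, unique per Seal call
	Ciphertext   []byte // AES-256-GCM output, authentication tag included
}
// newGCM builds the AEAD from a base64-decoded aes_256_gcm DEK (32 bytes).
func newGCM(dek []byte) (cipher.AEAD, error) {
	if len(dek) != 32 {
		return nil, errors.New("aes_256_gcm DEK must be 32 bytes")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts data under the plaintext DEK with a fresh random nonce; the
// plaintext DEK stays in memory only and the result carries the encrypted DEK.
func Seal(plaintextDEK []byte, encryptedDEK string, data, aad []byte) (*Envelope, error) {
	gcm, err := newGCM(plaintextDEK)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{EncryptedDEK: encryptedDEK, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, aad)}, nil
}
// Open decrypts an envelope; plaintextDEK is what the Decrypt operation,
// called with the matching kek_id, returns for env.EncryptedDEK (assumed).
func Open(plaintextDEK []byte, env *Envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(plaintextDEK)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad) // any tampering fails here
}
```

Pass a stable identifier of the object (its storage path, for instance) as `aad` so an envelope copied onto a different object fails to open.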