NavigationContentFooter
Jump toSuggest an edit

Setting up Encryption at Rest for your Managed Databases with the Scaleway API

Reviewed on 19 December 2024Published on 19 December 2024

Encryption at rest allows you to permanently encrypt your database data. The data is encrypted at volume level using LUKS. The management of the encryption key is done by Scaleway.

The feature can be activated upon Database Instance creation via the console and the API, or after creation exclusively through the API with the upgrade endpoint.

Important
  • Once activated on a Database Instance, encryption at rest cannot be disabled.
  • All databases, data (including logs), and snapshots will be encrypted. Logical backup encryption is not currently available.
  • Enabling encryption means your database data will be copied into a new, encrypted block volume. This takes approximately 1 hour per 100 GB of storage. When switching volumes, expect a few seconds of downtime towards the end of the copying process. Refer to the Encryption at rest performance benchmark on Database Instances page.

Creating a Database Instance with encryption at rest

  1. Edit the POST request payload you will use to create your Database Instance. Make sure you include the encryption parameter and set the enabled attribute to true.

    Note

    In all examples below the UUIDs, passwords and IP addresses displayed are not real. For more details about the parameters shown, refer to the Managed Databases for PostgreSQL and MySQL API documentation

    '{
    "project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826",
    "name": "myDB",
    "engine": "PostgreSQL-15",
    "tags": ["foo", "bar"],
    "is_ha_cluster": true,
    "node_type": "db-pro2-xxs",
    "disable_backup": false,
    "user_name": "my_initial_user",
    "password": "thiZ_is_v0ry_s3cret",
    "volume_type": "sbs_5k",
    "volume_size": "30000000000",
    "encryption": {
    "enabled": true
    }
    }'
  2. Create a Database Instance by running the following command. Make sure you include the payload you edited in the previous step.

    curl -X POST \
    -H "X-Auth-Token: $SCW_SECRET_KEY" \
    "Content-Type: application/json" \
    https://api.scaleway.com/rdb/v1/regions/$SCW_REGION/instances \
    -d '{
    "project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826",
    "name": "myDB",
    "engine": "PostgreSQL-15",
    "tags": ["foo", "bar"],
    "is_ha_cluster": true,
    "node_type": "db-pro2-xxs",
    "disable_backup": false,
    "user_name": "my_initial_user",
    "password": "thiZ_is_v0ry_s3cret",
    "volume_type": "sbs_5k",
    "volume_size": "30000000000",
    "encryption": {
    "enabled": true
    }
    }'

    You should get a response like the following confirming that the Database Instance was created, and encryption at rest is enabled.

    {
    "id": "f5122f66-fb50-4cef-aa02-487ef4fc1af0",
    "name": "myDB",
    "organization_id": "895693aa-3915-4896-8761-c2923b008be7",
    "project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826",
    "status": "ready",
    "engine": "PostgreSQL-15",
    "endpoint": {
    "ip": "198.51.100.0",
    "port": 22245,
    "name": null
    },
    "tags": [
    "foo",
    "bar"
    ],
    "settings": [],
    "backup_schedule": {
    "frequency": 24,
    "retention": 7,
    "disabled": true
    },
    "is_ha_cluster": true,
    "read_replicas": [],
    "node_type": "db-pro2-xxs",
    "volume": {
    "type": "sbs_5k",
    "size": 30000000000
    },
    "encryption": {
    "enabled": true
    },
    "created_at": "2019-04-19T16:24:52.591417Z",
    "region": "fr-par"
    }

Enabling encryption at rest in an existing Database Instance

To enable encryption at rest after a Database Instance has already been created, you can use the upgrade endpoint of the Managed Databases API.

Run the following command. Make sure you replace the instance_id in the endpoint, and the enable_encryption parameter set to true

curl -X POST \
-H "X-Auth-Token: $SCW_SECRET_KEY" \
-H "Content-Type: application/json" \
-d '{
"enable_encryption": true
}' \
"https://api.scaleway.com/rdb/v1/regions/fr-par/instances/{instance_id}/upgrade"

If the operation is successful, you see an output containing all the details of your Database Instance, including "encryption":{"enabled":true}.

Was this page helpful?
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2024 – Scaleway