Documentation for `scw keymanager`
The CLI documentation pages are currently under construction
The content is up to date. We're making improvements to the site over the next few weeks for a better experience.
This API allows you to conveniently store and use cryptographic keys.
Key management commands
Keys are logical containers which store cryptographic keys.
Create a key
Create a key in a given region specified by the region parameter. You can use keys to encrypt or decrypt arbitrary payloads, to sign and verify messages or to generate data encryption keys. Data encryption keys are not stored in Key Manager.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| project-id | Project ID to use. If none is passed the default project ID will be used | |
| name | (Optional) Name of the key | |
| usage.symmetric-encryption | One of: unknown_symmetric_encryption, aes_256_gcm | Encrypt and decrypt arbitrary payloads using a symmetric encryption algorithm. |
| usage.asymmetric-encryption | One of: unknown_asymmetric_encryption, rsa_oaep_2048_sha256, rsa_oaep_3072_sha256, rsa_oaep_4096_sha256 | Encrypt and decrypt arbitrary payloads using an asymmetric encryption algorithm. |
| usage.asymmetric-signing | One of: unknown_asymmetric_signing, ec_p256_sha256, ec_p384_sha384, rsa_pss_2048_sha256, rsa_pss_3072_sha256, rsa_pss_4096_sha256, rsa_pkcs1_2048_sha256, rsa_pkcs1_3072_sha256, rsa_pkcs1_4096_sha256, ml_dsa_44, ml_dsa_65, ml_dsa_87 | Sign and verify arbitrary messages using an asymmetric signing algorithm. |
| description | (Optional) Description of the key | |
| tags.{index} | (Optional) List of the key's tags | |
| rotation-policy.rotation-period | Rotation period | |
| rotation-policy.next-rotation-at | Key next rotation date | |
| unprotected | (Optional) Defines whether key protection is applied to a key. Protected keys can be used but not deleted | |
| origin | One of: unknown_origin, scaleway_kms, external | Key origin |
| protection-level | One of: unknown_protection_level, software, hsm | Key Protection level |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Decrypt an encrypted payload
Decrypt an encrypted payload using an existing key, specified by the key_id parameter. The maximum payload size that can be decrypted is equivalent to the encrypted output of 64 KB of data (around 131 KB).
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to decrypt with |
| ciphertext | Required | Base64 Ciphertext data to decrypt |
| associated-data | (Optional) Additional authenticated data | |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Delete a key
Permanently delete a key specified by the region and key_id parameters. This action is irreversible. Any data encrypted with this key, including data encryption keys, will no longer be decipherable.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to delete |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Delete key material
Delete previously imported key material. This renders the associated cryptographic key unusable for any operation. The key's origin must be external.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key of which to delete the key material |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Disable key
Disable a given key, preventing it to be used for cryptographic operations. Disabling a key renders it unusable. You must specify the region and key_id parameters.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to disable |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Enable key
Enable a given key to be used for cryptographic operations. Enabling a key allows you to make a disabled key usable again. You must specify the region and key_id parameters.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to enable |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Encrypt a payload
Encrypt a payload using an existing key, specified by the key_id parameter. The maximum payload size that can be encrypted is 64 KB of plaintext.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to use for encryption |
| plaintext | Required | Base64 Plaintext data to encrypt |
| associated-data | (Optional) Additional authenticated data | |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Create a data encryption key
Create a new data encryption key for cryptographic operations outside of Key Manager. The data encryption key is encrypted and must be decrypted using the key you have created in Key Manager.
The data encryption key is returned in plaintext and ciphertext but it should only be stored in its encrypted form (ciphertext). Key Manager does not store your data encryption key. To retrieve your key's plaintext, use the Decrypt method with your key's ID and ciphertext.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key |
| algorithm | Default: aes_256_gcmOne of: unknown_symmetric_encryption, aes_256_gcm | Algorithm with which the data encryption key will be used to encrypt and decrypt arbitrary payloads |
| without-plaintext | (Optional) Defines whether to return the data encryption key's plaintext in the response object | |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Get key metadata
Retrieve metadata for a specified key using the region and key_id parameters.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to target |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Import key material
Import externally generated key material into Key Manager to derive a new cryptographic key. The key's origin must be external.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key in which to import key material |
| key-material | The key material The key material is a random sequence of bytes used to derive a cryptographic key. | |
| salt | (Optional) Salt value to pass the key derivation function | |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
List keys
Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| project-id | (Optional) Filter by Project ID | |
| order-by | One of: name_asc, name_desc, created_at_asc, created_at_desc, updated_at_asc, updated_at_desc | |
| tags.{index} | (Optional) List of tags to filter on | |
| name | (Optional) Filter by key name | |
| usage | One of: unknown_usage, symmetric_encryption, asymmetric_encryption, asymmetric_signing | (Optional) Filter keys by usage. |
| scheduled-for-deletion | Filter keys based on their deletion status. By default, only keys not scheduled for deletion are returned in the output. | |
| protection-level | One of: unknown_protection_level, software, hsm | (Optional) Filter keys by protection level. |
| organization-id | (Optional) Filter by Organization ID | |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw, all | Region to target. If none is passed will use default region from the config |
Apply key protection
Apply protection to a given key specified by the key_id parameter. Applying key protection means that your key can be used and modified, but it cannot be deleted.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to apply key protection to |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Rotate a key
Generate a new version of an existing key with new key material. Previous key versions remain usable to decrypt previously encrypted data, but the key's new version will be used for subsequent encryption operations and data key generation.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to rotate |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Remove key protection
Remove key protection from a given key specified by the key_id parameter. Removing key protection means that your key can be deleted anytime.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to remove key protection from |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |
Update a key
Modify a key's metadata including name, description and tags, specified by the key_id and region parameters.
Usage:
Code
Args:
| Name | Description | |
|---|---|---|
| key-id | Required | ID of the key to update |
| name | (Optional) Updated name of the key | |
| description | (Optional) Updated description of the key | |
| tags.{index} | (Optional) Updated list of the key's tags | |
| rotation-policy.rotation-period | Rotation period | |
| rotation-policy.next-rotation-at | Key next rotation date | |
| region | Default: fr-parOne of: fr-par, nl-ams, pl-waw | Region to target. If none is passed will use default region from the config |