Create and manage a Key Manager data encryption key

Reviewed on August 28, 2025

Scaleway's key Manager allows you to create data encryption keys (DEK) to encrypt and decrypt your payload.

You can then use your Key Manager key to encrypt your DEK.

Before you start

To complete the actions presented below, you must have:

• A Scaleway account logged into the console
• Owner status or IAM permissions allowing you to perform actions in the intended Organization
• Created a Key Manager key

How to create and manage a data encryption key (DEK)

1. Click Key Manager in the Security & Identity section of the Scaleway console side menu. Your keys display.
2. Click the key for which to create a data encryption key.
3. Scroll down to the Create data encryption key section.
4. Click Create data encryption key. A pop-up displays with the ciphertext of your DEK.
5. Copy and store your DEK's ciphertext safely.
   Important

   • We recommend that you always store the ciphertext of your data encryption key rather than its plaintext.
   • While Scaleway Key Manager is responsible for generating, encrypting, and decrypting data encryption keys, it does not store, manage, or monitor them, nor does it engage in cryptographic operations with these keys. You must use and manage data encryption keys outside of Key Manager.
   • Read our documentation to understand Key Manager.
6. Optionally, click Display plaintext to make sure that the plaintext does not contain any mistakes.

   What is the difference between ciphertext and plaintext?

   Ciphertext refers to data that has been encrypted using a cryptographic algorithm and a key.

   Plaintext refers to unencrypted, readable data.

7. Click Close.