Setting up Encryption at Rest for your Managed Databases with the Scaleway API
Encryption at rest lets you permanently encrypt your database data at the volume level using LUKS. All Database Instances at Scaleway use aes-xts-plain64 with sha256 and a 512-bit key size (256 bits × 2 keys for XTS mode). Scaleway manages the encryption key on your behalf.
The feature can be activated upon Database Instance creation via the console and the API, or after creation exclusively through the API with the upgrade endpoint.
Creating a Database Instance with encryption at rest
-
Edit the POST request payload you will use to create your Database Instance. Make sure you include the
encryptionparameter and set theenabledattribute totrue.'{ "project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826", "name": "myDB", "engine": "PostgreSQL-15", "tags": ["foo", "bar"], "is_ha_cluster": true, "node_type": "db-pro2-xxs", "disable_backup": false, "user_name": "my_initial_user", "password": "thiZ_is_v0ry_s3cret", "volume_type": "sbs_5k", "volume_size": "30000000000", "encryption": { "enabled": true } }' -
Create a Database Instance by running the following command. Make sure you include the payload you edited in the previous step.
curl -X POST \ -H "X-Auth-Token: $SCW_SECRET_KEY" \ "Content-Type: application/json" \ https://api.scaleway.com/rdb/v1/regions/$SCW_REGION/instances \ -d '{ "project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826", "name": "myDB", "engine": "PostgreSQL-15", "tags": ["foo", "bar"], "is_ha_cluster": true, "node_type": "db-pro2-xxs", "disable_backup": false, "user_name": "my_initial_user", "password": "thiZ_is_v0ry_s3cret", "volume_type": "sbs_5k", "volume_size": "30000000000", "encryption": { "enabled": true } }'You should get a response like the following confirming that the Database Instance was created, and encryption at rest is enabled.
{ "id": "f5122f66-fb50-4cef-aa02-487ef4fc1af0", "name": "myDB", "organization_id": "895693aa-3915-4896-8761-c2923b008be7", "project_id": "d8e65f2b-cce9-40b7-80fc-6a2902db6826", "status": "ready", "engine": "PostgreSQL-15", "endpoint": { "ip": "198.51.100.0", "port": 22245, "name": null }, "tags": [ "foo", "bar" ], "settings": [], "backup_schedule": { "frequency": 24, "retention": 7, "disabled": true }, "is_ha_cluster": true, "read_replicas": [], "node_type": "db-pro2-xxs", "volume": { "type": "sbs_5k", "size": 30000000000 }, "encryption": { "enabled": true }, "created_at": "2019-04-19T16:24:52.591417Z", "region": "fr-par" }
Enabling encryption at rest in an existing Database Instance
To enable encryption at rest after a Database Instance has already been created, you can use the upgrade endpoint of the Managed Databases API.
Run the following command. Make sure you replace the instance_id in the endpoint, and the enable_encryption parameter set to true
curl -X POST \
-H "X-Auth-Token: $SCW_SECRET_KEY" \
-H "Content-Type: application/json" \
-d '{
"enable_encryption": true
}' \
"https://api.scaleway.com/rdb/v1/regions/fr-par/instances/{instance_id}/upgrade"If the operation is successful, you see an output containing all the details of your Database Instance, including "encryption":{"enabled":true}.